Are Your Court Reporters Vulnerable - A Cyber Security Checklist

The numbers are alarming: At least six AmLaw 100 firms have been the targets of cyberattacks so far in 2023, according to the American Lawyer. 

Cybersecurity challenges aren't limited to the legal industry, of course. Bud data breaches at law firms present special challenges. After all, the rules of professional conduct impose upon lawyers and their employees a duty to preserve and protect confidential client information. On top of these obligations, many firm clients require that their data be protected and treated in a secure manner. These obligations extend throughout the course of the representation, which includes the discovery process in litigation, where court reporters and court reporting firms play a critical role and frequently receive confidential information in, or convert such data to, electronic form during depositions, arbitrations and court appearances.

While lawyers are—or should be—keenly aware of the risk of direct cyberattacks, many are less familiar with the risks posed by many court reporters. It’s important to remember that many (if not most) court-reporting companies rely on independent contractors. This means that their court reporters, scopists and proofreaders are typically outside the scope of their cyber security protocols and therefore vulnerable to breaches.

Because the court reporting industry routinely relies on an independent contractor model to staff jobs, and because cyber criminals have set their sights on law firms, law firms must understand the security protocols and procedures used by all of their contractors and vendors, including court reporting agencies. To minimize the vulnerabilities of court reporters, scopists, proofreaders, transcript producers, and any personnel involved in transcript preparation, both employees and freelancers, it’s important to ask the right questions.

To accomplish that, here is a checklist for legal operations personnel, law firms, attorneys, and decisionmakers to use when selecting court reporters and agencies. Since so many depositions are taking place virtually, this list is specifically tailored for anyone considering a court reporting agency for a virtual proceeding.

• Human Resource Policy
  • Does the agency conduct criminal background screening on everyone, especially contractors and subcontractors?
  • Is everyone required to attend security awareness training annually?

• Business Ethics And Corporate Compliance
  • Are they required to participate in an annual training which reinforces company expectations regarding security compliance and ethics responsibilities, non-disclosure of insider information, code of conduct and conflicts of interest?

•  Authentication
  • Do they enforce their password, update and lock screen policies for everyone?
    
    
• End User Device Security and Personal Computer Policy and Procedures
  • Do they ensure everyone regularly updates the operating systems on their desktops, laptops or tablets to patch vulnerabilities?
  • Do they ensure everyone has current anti-virus and anti-malware software operating on desktops and laptops?
    
    
• Remote Network Access
  • Do they ensure that everyone who performs transcript preparation utilizes encrypted communications for all remote network connections from external networks to networks containing scoped systems and data?
  • Do they mandate encrypted communications for all those who access remote systems, including the use of full disk encryption on computers and restrictions against the use of unencrypted email to exchange exhibits and transcripts?
    
    
• Vulnerability Management
  • Do they have a vulnerability management policy or program, including vulnerability scans?
  • Does that policy or program extend to everyone who performs transcript preparation functions?
  • Does their delivery of software, firmware and/or BIOS updates to clients through automatic downloads such as Windows Update and LiveUpdate extend to everyone?
    
    
• Cybersecurity Regulatory Compliance
  • Do their documented policies and procedures to enforce applicable legal, regulatory or contractual cybersecurity obligations apply to everyone who performs work that is related to transcript preparation?
    
    
• Information Management
  • Do their policies and procedures for information handling apply to everyone who performs transcript preparation functions?
  • If so, do such policies:
    • Require everyone to encrypt data on any desktops, laptops or tablets that they use to do their job?
    • Restrict people from the use of unauthorized cloud storage to hold or transmit transcripts and exhibits?
    • Proscribe proper protocols for using email, web and file transfer services to hold or transmit transcripts and exhibits?
    • Provide guidance on the use of removeable media such as thumb drives to hold or transmit transcripts and exhibits?
  • Cybersecurity Incident Management
    • Does their Incident Management Program (“IMP”) require everyone to identify a point person to notify in the event of a cyber security incident?
    • Does the IMP require everyone to immediately notify that person of a potential data breach or cybersecurity incident?
    • Does their IMP include escalation procedures and client notification in the event of a data breach or cybersecurity incident involving anyone engaged in transcript preparation?
  • Independent Oversight
    • Does their independent audit, such as SOC (System and Organization Controls), treat everyone as being “in scope” for purposes of the audit?

The threat of a data breach is enough to keep attorneys up at night. However, there are steps that law firms can take to minimize their risks. That includes ensuring that all participants in the litigation process are maintaining the same high standards of security, including court reporters. By asking the right questions, attorneys can help ensure that they maintain their professional responsibilities, keep their clients happy and avoid the same types of attacks that are making headlines across the legal industry.