Since Covid 19 has hit, security around Remote Review has been a major topic of discussion. Mostly, this discussion has centered around the technology we are able to employ to secure our clients’ data. There is a lot of technology out there that can help with this – from locked-down virtual machines to virtual classrooms, watermarks, biometric identifications and facial recognition software. There are plenty of technology solutions available for document review companies to choose from when it comes to data security and protection.
And it’s right that technology solutions have been a major focus because prior to March of 2020, most document review companies were not remote and instead provided services within a locked-down review center where expected physical security measures (like key cards, passwords, terminal lockdown and onsite Project Managers) were able to maintain data security. To most companies offering document review, Remote Review was off-limits and something they told horror stories about to their clients.
So, when Covid came, and these same companies had no choice but to go remote, I’m sure they did their research, but it seems that many of them have simply thrown technology at the problem of remote security and not considered a lot of the other factors. Since TCDI has been offering Remote Review since 2017, we worked out these growing pains back in 2017 and 2018. There is a lot more to security than technology and considering those factors plays almost as big of a part in data security as choosing which technology to employ.
In addition, just because there is technology that exists to secure data, it doesn’t mean that it works or does what it says it does. That’s been a real eye opener for us since March now that our competitors have been promoting all the technology solutions they are using to secure remote review.
All the Factors that Contribute to Securing Remote Review
At TCDI, we have built our Virtual Review Center (VRC) with contributions from our Compliance, Data and Information Security, Systems Operations, Cyber Security, Technical Operations and Review teams. TCDI’s VRC is a single point of entry and operations for our team of Attorney Review Professionals (ARPs) that we spent a lot of time designing to ensure client data is secure, real-time monitoring and tracking is available and ARPs can access the areas and tools they need to in order to deliver a good outcome in document review. To get a total overview of this technical infrastructure, please check out our MSMR Review Brochure.
What I will say is that our ARPs, both military spouse and non-military, access all client data through our secure VRC, which has multi-factor access to get to their desktop and that once on their VRC desktop, they have limited capabilities. These limitations include: only TCDI email (to tcdi.com addresses only); no printing or exporting; no clicking on hyperlinks; no screen share, screen capture or copy/paste capabilities outside the VRC; downloads for native file viewing live in our VRC terminal (not on their personal computers); restricted instant messaging; restricted web access (only review platform URL); restricted network access; and restricted IP address. Additionally, we have virtual classroom monitoring and screen watermarks on all pages (with 1st initial last name, date and TCDI displaying everywhere).
We have the security you need in place to ensure data security is maintained, but, as security professionals, that’s the easy part. Where it gets difficult is with implementation and maintenance of these tools – education, awareness, usability and compliance.
Then People & Process
Data security is complex and it’s definitely not just about the technology we put in place, it’s about how we manage that technology, how we deploy it, how we train on it and most importantly, it’s about all the people who touch data every single day. As any security professional will tell you, people are the weakest link in any security profile.
Education is the first building block on top of a great technology infrastructure. We went through all the trouble of designing and implementing the VRC, but what good is it if nobody knows what it is, why we did it that way and how it impacts them each day.
Interview and Onboarding
From the first interview we have with prospective ARPs, we discuss with them the complexity of our data security. We do this because we know ARPs have a choice in what companies they work with and we want them to understand, right from the get-go, that our platform is harder to access than most of our competitors and it’s all for data security purposes. Going in with this knowledge sets them up for all the additional education and training we ask them to participate in for client data security purposes.
Once ARPs join our team, they are trained on TCDI’s general information security policies, our remote review policies and they sign several documents acknowledging that they understand our high demands for data security, privacy and confidentiality. Additionally, they affirm that they understand our expectations for behavior in a remote environment and will follow our policies for how best to work on a remote team.
When an ARP is first assigned to a matter with us, their first time logging in is…. an experience. Everyone accessing the VRC has to fill out a user ID form with our Technical Operations team which asks for answers to specific security questions prior to receiving access to login. Users then enter a unique PIN, enter an expiring token, enter a unique UserID and Password and then enter their specific VRC desktop. Once in their desktop, there are then various steps for them to take to access the review materials, review platform and our chat, email and timekeeping systems.
Since this process is unique and contains many steps, we have training and corresponding materials dedicated to helping first time ARPs through the process. We also have a dedicated support team available to help with this process. We know it’s a lot of detailed steps, so we offer training and support all along the way.
We do all of this training because we know we are asking more of them than other companies do and we want to make sure they understand the how of it all, but also the why. Once ARPs understand the importance of data security, they are very committed to doing their part. Our military spouse ARPs are accustomed to handling these security protocols as the military expects a higher level of information security in every aspect of military life, but this is all new to our non-military team members (our team supporting the MSMR ARPs).
Monitoring, Biometrics, Face Recognition, etc.
Reviewers are smart, reliable, and trustworthy people – that is our philosophy on the ARPs who work with us and for our clients. We go through an extensive screening and onboarding process to ensure that we engage great people to fill the various roles in document review. Having said that, we do offer additional protections in our remote workspace to ensure client data security and TCDI policy compliance.
Virtual classrooms have been employed by schools for decades with the goal of better access to, and for, the student body. We took this same model, with the same goal, and employed it to the Document Review team.
Every ARP is on a team, every team is in a classroom and every classroom affords the Team Leads and Review Managers greater access to their team. In these classrooms, we can virtually look lover ARPs shoulders and provide guidance, spot-checks and feedback in real time. We can chat 1:1 in the classroom, we can push out training to everyone in the classroom and we can end sessions immediately if we think it’s necessary. This added layer of monitoring also adds another layer of security and does not interfere with the ARP’s ability to get work done.
Some of our competitors at LegalWeek discussed the various technologies they were employing for security reasons and much of it, we have found, has a very real and often negative, impact on the day-to-day experience of the ARP.
Face recognition and phone identification technology is a prime example of that. We have tested many of the same tools our competitors are touting as ‘game changers’ and we have been very disappointed with most of them, for various reasons.
Companies are advertising that they employ a tool that recognizes the ARP’s face and will blur if another face is recognized, either as the primary face or in addition to the ARP’s face. This same tool will blur if eyes are not looking directly at the screen or if no movement is detected for a certain period of time. In our testing, and in feedback from our team, we have found that this technology didn’t work consistently or as advertised. At times, it either didn’t blur when it should have or it blurred too often. The blurring too often caused aggravation, and headaches, for the ARPs and impacted their throughput and overall productivity.
The time-out for non-detection of movement was also problematic, especially with contracts, where reviewers actually had to take their time to read a document completely, rather than the 40-50 seconds they usually spend on a document to code it. Our team says after 60, 90 or 120 seconds, when you’re invested in a document, to have it blur all of a sudden (or to kick you out), is groan-worthy. I know we all are concerned with pace and throughput, but timed lockouts on ‘review’ time is taking it too far. We have pace reports and other means by which to judge an ARP’s throughput, do we really need to blur their screens (or worse, end their VRC session) too?
The blurring is an example of where technology sounds nice to clients, but in reality, it doesn’t actually work the way we need it to work. The user experience (UX) is definitely something that has to be considered when implementing security and there are times when TCDI has decided that as long as everything else is in place to keep data secure, additional layers that impact the user experience, are just not worth it to the clients or our team members. If ARPs work 7 hours instead of 8 hours because this feature gives them headaches or if they get locked out 15 times in an hour, our turn-over rate of ARPs will increase and pace will slow down – both of which add unnecessary and extra cost for the clients.
We invest a lot of time in training our MSMR team on the importance of data security and they commit to following our rules, policies and processes. The least we can do is commit to them as pleasant a review experience as possible. Too many hoops impact pace, throughput and morale. Security layers which deliver less than promised safety features are dangerous, giving a false sense of security and can lead to people ignoring policies and procedures which provide true protection.
TCDI can provide secure laptops for our team members on specific client matters if required. We are often asked if this is a possibility, rather than ARP’s using their personal computers. We have this option available, but in our 3+ years of providing remote review services, only one client has asked us to go this route. We feel this is because our onboarding, training, VRC infrastructure, monitoring and security layers, in addition to our team management processes, combine to make our remote program one of the most secure available today, without the added inconvenience of TCDI laptop distribution.
A prime tenant of Remote Review, and TCDI’s MSMR program specifically, is flexibility and scalability and adding the limitation of distributed laptops impedes our ability to scale up quickly and easily. In our traditional VRC model (software installed on home computers) often we can add additional ARPs the same day on projects. The distributed laptop model requires a time delay for laptops to reach new team members and for them to get setup.
Data security is an evolving discipline. Our Information Security team is constantly on the lookout for trends and incidents in the cyber-universe that could impact the work that we do or compromise our client’s data. Every few weeks our ARPs are testing new security features that we may want to add to our VRC to further protect client materials.
Most recently we added screen watermarks to all screen displays that shows an ARP’s fist initial, last name, date and TCDI’s company name. This feature was added to further protect against photos of data being taken, which is a common concern our clients have in remote review. As mentioned previously, there is technology in play today that says it can help here, but we found it did not always detect the photo being taken, and even then, some of the tools only identified that a camera had been pointed at the screen, but it didn’t protect the screen itself. We decided since the blurring and lockout was too cumbersome to an ARP’s ability to work, and detrimental to their physical and mental health, that we would instead do the screen watermark as a deterrent, solving for the same concern. Would you really want to share breached data if your name was identified all across the page? We found this fulfilled our need to protect data from cell phone data theft while not impacting negatively on the smart, reliable and trustworthy members of the MSMR team that are dedicated to doing this very tough job.
To put it into better perspective for those who do not do Document Review for a living:
Imagine yourself sitting in front of 2 screens, every day, for 8 hours, basically taking a timed reading comprehension test each day. Read this document, quickly categorize it into one of these 4 categories, then sub-categorize into one of these 10 other categories, then categorize for Priv and Confidentiality and do it all, and do it correctly, in less than 60 seconds. At the end of an hour, we expect you to have categorized 50-70 documents an hour, and if you don’t, or if your categorization is off, we’re going to talk to you about why you struggled to reach this goal consistently.
That is the reality of document review. That is why it is a difficult and important role, and that is why the people performing that role are called Attorney Review Professionals. Contrary to popular thought, not everyone can do document review and so we take our time to bring on new team members and make sure that they understand the importance of the role and the part they play in information security.
At TCDI, as a company offering document review services, we consider security as more than just the technology we implement. We also consider the people who are working within that infrastructure and create a balance between impacting reviewer experience and protecting client data. We feel this is a key differentiator in how we offer document review services to our clients.
TCDI will continue to evaluate new technology to deploy, create new processes to implement and provide on-going training for our team. Our experience with data security, and remote document review specifically, is just one of the reasons our MSMR program is as successful as it is and why our clients rely on us to protect their data.