LegalTech - information security checklist

Ensuring that legal technology software meets appropriate information security standards is critical to any procurement decision, and this checklist will help you move through the Q&A stage as quickly as possible.


How do you ensure your legal and company information is kept securely, and appropriate measures are taken to protect against data loss?

This 8-point checklist will help you get some immediate comfort from your cloud-based legal software provider before making a purchasing or 'try before you buy' decision.

1. Where is the data stored? e.g. onshore / offshore?

Why is this important? Some organisations have policies to keep data - particularly data about their clients - onshore, or in the same jurisdiction as their head office. Knowing where your data is stored lets you assess whether the arrangement complies with data sovereignty and privacy regulation.

2. Who is your data host? e.g. AWS, Microsoft Azure

Why is this important? A reputable data host satisfies a very wide range of information security requirements, particularly around architecture, physical infrastructure, firewalls and redundancy.

3. Do you undertake regular independent application penetration testing?

Why is this important? Whilst a good data host is important, the application itself should also be built to ensure high levels of security. The best way to test this security is with regular, independent penetration testing by a reputable firm specialising in this work.


4. Is our data encrypted?

Why is this important? Encryption at rest and in transit should be standard in the application. Encryption at rest protects your data in the event of a system compromise or data theft by encrypting data while stored. Encryption in transit protects your data if communications are intercepted while data moves across the internet or a network.

5. Will your staff have access to our data?

Why is this important? It's sometimes necessary for your legal matter management software provider to access your data in order to provide the service you require. However, you should understand how this access is gained, whether an audit history of access to the data is kept, and the policies and processes which govern access to your data.

6. What is the information security training schedule for staff?

Why is this important? It's useful to know that your legal technology provider has built a culture of protecting client data, and that staff follow a regular and thorough training schedule that reminds them of policies and processes and keeps them up to date on new developments in information security.

7. Do you have a data breach policy?

Why is this important? Even mega corporations get hacked. Ensuring that your legal technology vendor has given careful consideration to what it will do in such an event means that, in the unlikely but unfortunate circumstance in which it occurs, protecting your data and communicating the risks and the steps being taken are the #1 priority.

8. Do you have a disaster recovery policy?

Why is this important? Losing data is one thing; losing access to an entire system is the next step up, and can be crippling if you have come to rely on technical tools to conduct business. If the system goes down, be sure that your provider has the right steps in place to bring it back to full operation as quickly as possible.

This checklist covers LegalTech information security questions only. A more comprehensive look at IT questions can be found in our blog post "10 questions to ask before you go to your CIO".

If you are getting started on building a legal technology roadmap for your in-house legal department, download the white paper and template to help you get started.
