How do you ensure your legal and company information is kept securely, and appropriate measures are taken to protect against data loss?
This 8-point checklist gives you a quick way to get some immediate comfort from a LegalTech provider before making a purchasing or 'try before you buy' decision.
1. Where is the data stored? e.g. onshore / offshore?
Why is this important? Some organisations have policies to keep data - particularly data about their clients - onshore or in the same jurisdiction as their head office. Knowing where your data is stored (including where backups and any replicas are held) lets you assess adherence to data sovereignty and privacy regulation.
2. Who is your data host? e.g. AWS, Microsoft Azure
Why is this important? A reputable data host satisfies a very wide range of information security requirements, particularly around architecture, physical infrastructure, network controls and redundancy. Note that the host secures the underlying infrastructure only; the provider remains responsible for how it configures and uses that infrastructure, so this question is a starting point rather than a complete answer.
3. Do you undertake regular independent application penetration testing?
Why is this important? While a good data host is important, the application itself must also be built to a high standard of security. The best way to test this is regular, independent penetration testing by a reputable firm specialising in this work. Ask when the last test was performed, whether the provider will share a summary of the findings, and whether the issues found have been remediated.
4. Is our data encrypted?
Why is this important? Encryption at rest and in transit should be standard in the application. Encryption at rest protects your data if storage media or backups are stolen or a system is compromised, by encrypting data while it is stored; it only helps if the encryption keys are managed separately from the data, so ask how keys are stored and who can use them. Encryption in transit protects your data if communications are intercepted while data moves across the internet or a network; in practice this means TLS with proper certificate verification on every connection.
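The in-transit point above has a practical side on your own end as well: any integration your firm writes against a provider's API only gets the protection of TLS if the client verifies the server's certificate and refuses old protocol versions. The following is an added example, not code from the original page or from any provider, showing a hardened client configuration next to a weak one and a check that flags the weak settings. The function names and the baseline it enforces are this example's own choices.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client TLS context that actually delivers 'encryption in transit'.

    create_default_context() loads the system CA store, requires a server
    certificate (CERT_REQUIRED) and checks the hostname against it. We also
    pin the minimum protocol version to TLS 1.2 explicitly rather than
    relying on the interpreter's default.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of context that quietly defeats encryption in transit.

    Constructed here purely as a counter-example: with hostname checking off
    and CERT_NONE, the connection is still encrypted but to whoever answers,
    so an interceptor can present any certificate and read the traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def transit_baseline_issues(ctx: ssl.SSLContext) -> list:
    """Return a list of reasons a context fails a minimal in-transit baseline.

    An empty list means the context verifies the server's certificate,
    checks the hostname and allows nothing older than TLS 1.2.
    """
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        issues.append("hostname not checked against the server certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("TLS versions below 1.2 are allowed")
    return issues


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        problems = transit_baseline_issues(ctx)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run the check against the context your integration actually uses (for example the one passed to an HTTP client), not a fresh one built for the test; the common failure is a "temporary" CERT_NONE added to get past a certificate error that never gets removed.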
5. Will your staff have access to our data?
Why is this important? It is sometimes necessary for your Legal Technology provider to have access to your data to provide you with the service you require. However, you should understand how this access is gained (for example whether it requires a support request from you and expires afterwards), whether an audit history of access to the data is kept and can be shown to you, and the policies and processes which govern access to your data.
6. What is the information security training schedule for staff?
Why is this important? It is useful to know that your provider has built a culture of protecting client data, and that staff have a regular and thorough training schedule that reminds them of policies and processes and keeps them up to date on new developments in information security.
7. Do you have a data breach policy?
Why is this important? Even the largest corporations get breached. A provider that has thought carefully about what it will do in such an event is far more likely, in the unlikely but unfortunate case that one occurs, to make protecting your data and telling you promptly what happened, what the risks are and what steps are being taken its first priority. Ask how quickly you would be notified and who at your organisation would be contacted.
8. Do you have a disaster recovery policy?
Why is this important? Losing data is one thing; losing access to an entire system is the next step up, and can be crippling if you have come to rely on technical tools to conduct business. If the system goes down, be sure that your provider has the right steps in place to bring it back to full operation as quickly as possible. Ask for its target recovery time (how long an outage may last) and recovery point (how much recent data may be lost), and whether the recovery process is actually tested rather than just documented.
This checklist covers LegalTech information security questions only. A more comprehensive look at IT questions can be seen in this blog post.
If you are getting started on building a Legal Technology Roadmap for your in-house Legal Department, download the Xakia Legal Technology White Paper and template for building a legal technology roadmap.