The global pandemic-driven Work from Home (WFH) transformation has completely changed the way legal document review is managed. Due to teleworking conditions created by COVID-19, legal service providers obtained rapid client approvals within short timeframes to enable their teams to review documents from home. Despite the pandemic, document review has steadily continued, though in a much more decentralized and starkly different way.
Before COVID-19, many companies had been reluctant or unwilling to allow document review to take place outside of a dedicated facility, and certainly not from a reviewer’s home. With no other option available during the pandemic, the facility-driven, delivery model had to shift for many.
With this change of circumstance from office to home reviewing, in-house counsel rightfully still expects their outsourced providers to ensure that strict confidentiality and data security requirements are upheld. The seemingly many variables presented by at-home work mean corporate counsel need to ask their law firms and legal service providers “who is doing my document review — and where?”
Reconfirming the “who” of document review
Considering both the “who?” and “where?” of document review today, the “who” question is easier to answer because that has not changed dramatically. Document review is still typically performed by lawyers, law school graduates, paralegals, and even law students in certain situations. The decision on which resource pool is to be used depends on the situation, the review protocol, and the subject matter at issue.
Before COVID-19, law departments and document review providers already had mechanisms in place to verify reviewers’ credentials and run background checks. Presumably, these companies have continued these processes, albeit substituting virtual vetting for in-person screening when that became impossible.
However, presumptions only go so far. It behooves corporate counsel to check in with document review providers to ensure their quality control measures governing the “who” are still firmly in place.
Locking down the “where”
Though the “who” may be reassuringly similar to what existed before the pandemic, the “where” variable of WFH document review could be cause for concern. The clear reality is that document review shops are not likely to reopen for the foreseeable future, except in very sparsely populated spaces, and even then, the days of large review teams sitting shoulder-to-shoulder are likely a thing of the past.
Clients have every right to question where their documents are being physically reviewed, and whether those environments pose reassurances or threats to the review process and their data security.
Home environments, including physical location and computer/digital infrastructure, present infinite variables that immediately raise risk management concerns. This set of challenges is the document review provider’s job to address.
Clients must be confident that their data will be safe in the hands of an outside services provider and their at-home document reviewer. Protecting all client data is equally important, including employees’ personal data and intellectual property (e.g., patents and trade secrets.)
How to ensure data protection in WFH
Upon request, the law department or document review service provider should be able to furnish their companies with detailed information about where their document reviewers are conducting work. Law departments and document review companies are duty-bound to examine their reviewers’ physical environment on a highly individualized level.
Does the reviewer have a separate, dedicated office with minimal impact from family members, visitors, and household employees (e.g., cleaners, babysitters, gardeners)? Or rather is the reviewer sitting at the kitchen, dining room, or patio table working on a computer that is routinely used for other “work” and by other family members?
To reduce risk, ideally the reviewer is the only person with access to the review computer. Best efforts must be made to eliminate any chance of data exposure when documents are reviewed, whether inadvertent or intentional.
Leveraging new technologies to reduce risk
Technology solutions can be useful to help manage risk. Review teams can leverage new data protection software for a wide range of functions to protect clients’ documents more effectively. These solutions can encrypt content, block potentially nefarious IP addresses and viruses, prevent reviewers from taking screengrabs, and disallow unauthorized transmission of documents between machines.
The right data protection platform can effectively create a bubble or “cone of silence” around the reviewer to minimize potential of the data beyond what is permitted. Security platforms assure that informational artifacts such as cached documents, metadata, search terms, and other personal information are never downloaded to local computers.
Finally, when the review project is completed, the data should be archived, moved, or properly disposed of so there are no lingering security risks caused by leftover data.
Identity verification is a must
When managers and their reviewer teams were all in the same office or area, it was easier to keep track of activities, enforce rules, and verify identities. Now that everyone works from home, that ease of monitoring has become more challenging. Reviewers work invisibly unless their identities are confirmed from a digital standpoint.
Law departments and document review companies can readily add layers of identity verification to far exceed basic requirements. To securely log into the document review platform, having a unique username and strong password is the beginning.
Multi-factor verification has become the new normal and is highly recommended. Also, reviewers can be prompted to enter a code periodically to make sure they are in front of their screens, though this can be irritating and distracting if the time divisions are too short.
If the reviewer walks away from the computer, what will stop others from viewing or printing sensitive data? New tools are emerging to help verify users’ identity continuously and lock down review tools and documents if the authorized reviewer has walked away.
For example, biometric solutions for facial recognition are currently being used for identity verification on select review projects, though the technology has limitations and is still being enhanced. Biometric developers are also attempting to tailor their solutions to detect when a person is holding up an object — such as a cell phone or tablet — close to the screen to photograph a document.
Reviewers are never allowed to photograph the documents they are reviewing, but with no one supervising them in-person, technology solutions may provide the best path to preventing violations.
Facing the long-term reality of virtual document review
No one knows how much longer the pandemic will last, and when organizations will begin asking employees to return on more than a partial or voluntary basis. Until then, it is likely that WFH document review will be the new normal.
Regardless of the “who” and “where,” a client still has its same consistent priorities of having outsourced document review done securely and efficiently. Therefore, its law department and document review providers must marshal their best people, workflow, and technology resources to ensure they meet and exceed what their clients require.