The Five Compliance Questions You Should Be Asking Every Vendor

By Jerry Colasurdo

A common buzzword in the last few years, compliance is a top priority for many law firms.  In the process service industry, we’ve seen a significant increase in compliance requirements, especially in the financial sector.  Whether mandated by federal or state rules and laws or put in place due to increasing pressure from clients, securing confidential information is critical for law firms of every size.  Being compliant requires a proactive approach that covers all the bases. 

This responsibility extends to your vendors.  With so much data being shared back and forth, it’s no longer enough to make sure your law firm is taking the proper steps to protect and store information.  If a leak occurs from a vendor’s employee who shouldn’t have had access to certain information or from a vendor’s hacked infrastructure, the end result of having your client data exposed is still the same as if it happened through your law firm. 

Ask the right questions of your vendors to make sure they’re doing everything necessary to stay compliant and protect the data they receive from your law firm.

What to Ask Your Vendors

1. Who has access to data?

Investing in data security and encryption only goes so far.  While these methods offer protection from the outside, and in the event of issues such as a cyber-attack, they offer little defense against employees who have access to unencrypted information.

Also ask your vendors if they conduct background checks of employees, especially of those who will be handling personally identifiable information (PII).  If not, your data could be in the hands of someone whose history and criminal records say they should not be given access.  Even for process service companies, where much of the data consists of court documents that are served and public information, PII such as addresses and social security numbers is frequently involved when locating individuals.

Check to see if each of your vendors has an access policy in place that specifies management of users and permission settings.  There should also be an active password policy in place to make sure that those who do have access have secure and frequently changed passwords. 

2. How is data backed up?

Clients have expectations, and one of them is that a case will move forward in a timely manner.  If data is lost, it can cause a significant impact on workflow.  Do your vendors have a plan in place to ensure that their data is backed up on a regular basis? 

Fire, human error, viruses and floods can all cause data to be lost.  How long would it take your vendors to be operational again should something happen to their primary data source?  Many of the top tier data backups now have triple redundancy, with backups stored at three locations across the country to ensure continuity even in the event of a natural disaster that impacts an entire region. 

3. Do you use independent contractors or employees?

Having control over who handles work product is extremely important.  Similar to knowing who has access to your data, when information is handed over to a third-party independent contractor there are a large number of unknowns.  Companies that use only employees will be able to dictate exactly how data is handled, stored and backed up.

4. What type of insurance do you have?

The fact that a company has a certificate of good standing or has been in business for a number of years doesn’t necessarily mean it has insurance coverage that would protect your law firm should something go wrong.  With the high stakes involved in legal cases, most law firms have significant levels of coverage.  Given the role the services of vendors can play in the outcome of a case, it makes sense that they should also carry extensive insurance, including errors and omissions coverage.

In the event your law firm needs to recover losses due to a mistake made by a vendor, without insurance, there could be little hope of regaining the full amount.  Making sure that your vendors have insurance coverage will provide a layer of protection if needed. 

5. What is a basic overview of your business continuity plan?

Business continuity plans (BCPs) ensure that there is a written and known plan to follow to make sure downtime is limited should a natural disaster or other significant event occur.  Each vendor you use should have a BCP in place.  Even more importantly, they should understand what it involves and how to execute the plan.  Companies that have BCPs but don’t regularly review, modify and improve them will still encounter difficulty in regaining normal operations.  The management team should be familiar with the steps that will need to be taken and what to expect in the event the BCP is activated.  Even the best vendor will prove to be a liability if they can’t continue to provide the necessary functions and services your law firm needs under all circumstances.

Law Firms and Vendor Compliance

Checking in with your vendors can be as simple as a questionnaire or as extensive as in-person audits.  However you choose to verify vendor compliance, this proactive measure saves time and headaches down the road.  It is much easier to be able to address potential concerns than to try to fix the damages from a lost case or data breach. 

Jerry Colasurdo is Founder and President of DGR.  Jerry has established his respected reputation with over thirty years of experience.  He is the founder, as well as the past and current president, of the New Jersey Professional Process Servers Association, a Certified Process Server and a member of the National Association of Professional Process Servers.  Originally a chemical engineer, Jerry first got his start in the industry when helping out a friend who was an attorney.  Without anyone to serve the document, he asked for Jerry’s help, which eventually turned into a full-time business.  Jerry may be reached at [email protected]. 
