The CJK Group announces CJK Secure Remote Review (“CJK-SRR”) to expand its global multi-lingual contract attorney review workforce for Am Law 100 firms.
In a world where a cybersecurity incident occurs every 39 seconds, document review models need to adapt. They are not secure and the more you scale review operations into a remote or telework environment, the greater the risks associated.
The CJK Group deploys a project-specific infrastructure, also known as a secure matter infrastructure, that empowers our review teams with locked-down virtual workspaces that are scalable. This ensures that endpoints (i.e. contract review teams) can work securely in their home office when reviewing sensitive client information.
A perennial challenge with document review, in broad strokes, is two-fold: the human factor and the technical infrastructure that keeps it secure.
Law firms entrust an eDiscovery services provider or a temporary staffing agency with sourcing attorneys to augment the legal team’s efforts in reviewing ESI (electronically stored information). There are varying models in how contract review teams operate vis-à-vis the law firm. Irrespective of form, the risks are generally the same: managing work ethic & professionalism; the evaluation/quality control of individual reviewer decision-making; and maintaining situational review team awareness to identify a rogue reviewer who may divulge client information inadvertently or intentionally to a third party (extremely rare).
While we’ve covered some of this in the context of navigating bilingual document review on previous published pieces here, here, & here, the key takeaway is that you need strong project management leadership. In sum, a dynamic and passionate Review Manager is experienced in optimizing different levels of linguistic fluency, can effectively correct varying notions of document-level decision making by reviewers and finally command superb communication skills in English and the underlying language of the non-English dataset.
The human factor in document review is more art than science. You can streamline processes and quality control every decision with a high degree of confidence, but all this breaks down if the workstation that supports the review is insecure.
Let’s assume most eDiscovery service providers or temp staffing agencies can figure out the human factor. Enter cybersecurity, human error and bad actors.
Technical Infrastructure for Remote Review: Security in the Age of Dispersed Teams
This brings us to the crux of securing remote review. The human factor, while important, needs to be in alignment with the infrastructure that has been designed to minimize the inherent risks in operating a connected device, that is, the reviewer’s workstation.
It is within the context of the reviewer’s workstation that the technical issues of security arise. For these reasons, we leverage the SecureReview platform to power our remote teams. Evaluating its robust security features, we’ve deployed CJK-Secure Remote Review (“SRR”) with one of the largest global law firms this past week. It required educational awareness and careful explanation, but with any new model that’s being introduced into the marketplace, that is expected. We hope other law firms will do the same. The gains are not only in pricing but also in security, scalability and geographically expansive talent sourcing.
How Does CJK’s Bilingual Secure Remote Review Work?
There are many pull and push factors that contribute to the need to have a remote team. While we will not go over these factors here, it is safe to say, regardless of the driver, remote working is not going to decrease anytime soon. The discussions here relate to securing the execution of document review within a containerized environment that isolates the access of review-related assets in a virtualized workstation irrespective of device. There are many other important elements in securing a remote work environment such as setting up a firewall, VPN, evaluating unsecure conference lines, physical document management and destruction, turning on encryption WPA2 or WPA3 on your router, etc. This article concerns securing remote reviewers as the primary order of topic.
In practical terms, a reviewer who works from home typically gains access to the document repository from within a review platform that hosts the law firm client’s sensitive documents. When review is set to begin, an email is initially sent to the reviewer and he/she then go through a series of prompts to gain access. Again, there might be differences in how this is set up, but the point is clear on remote arrangements: access to the data repository occurs from the workstation of the reviewer working out of their home office. Certain firms/clients might have a Citrix workspace or a Virtual Private Network (VPN), or at least they do for their firm attorneys.
Let me dive a bit deeper. In most instances, however, a link to the review platform is sent to the reviewer’s company-issued email. To retrieve this email, the reviewer logs onto the email system where in their inbox there’s an email inviting the reviewer to log onto a given review platform. He/she then clicks the link, changes the password and then gains access to the review platform where the data repository resides. This sounds simple enough. The problem on most remote arrangements is in plain view and is probably the reason why most law firms (especially major Am Law 100 firms) have rightfully resisted in permitting their service providers to staff a team of remote reviewers for document review. Unless the service provider or law firm has a virtual workstation implemented that extends to every endpoint, including temp contract reviewers on short-term assignments, the risks that data could be compromised is high.
My conjecture is that most remote reviews, as with any document review these days, ramp-up in the fog of a fast-moving case. Teams need to be ready on a moment’s notice and when remote teams are deployed, it’s happening so quickly without the security infrastructure in place. In other words, reviewers are likely accessing that link I discussed above from their company-issued email. Once credentialed, the reviewer logs onto the review platform from their company-issued device or PC from their home network. While we discourage PC use, cost and practicality might prohibit shipping a company-issued device to every temp contract reviewer. In whatever scenario, there are major security gaps that should cause alarm no matter how you access the review platform. Times are changing and the technology is there. This is the basis of what we call the Secure Remote Review model and how it applies.
A Secure Matter Infrastructure (“SMI”) environment can be deployed to any device. The virtualized machine, to which the reviewer accesses the review platform, isolates any data from the reviewer’s workstation, where several rules and restrictions can be customized as per client demands. In other words, the reviewer receives log-in credentials, accesses the review platform and operates completely within the SMI. This includes communicating using an embedded email system from within SMI when communicating with the legal team or with other members of the review team. The challenge we had to overcome was to configure this cost-effectively and rapidly within the fast-paced nature of eDiscovery-related document reviews. Not only does it work as a security layer but it fits within the usual budget estimates. As a matter of fact, if done correctly, it is more cost-effective.
The beauty is the ease of implementation and how it can be customized to meet each project and/or client needs. For example, I’ve listed a few features that might be deployed to ensure endpoint protection at the user level:
- URL Whitelisting
- Project-specific Email System
- Eyes-only security using biometric AI
- Biometric authentication: facial recognition to validate while conducting review
- IP restrictions
- 3rd party security audit capability
- Copy/print/download restrictions
- Data isolation from PC
- Screenshot/Screenshare blocking
- Displaying watermarks across users’ computer screens
- Geolocation Restrictions and Phone Detection (Beta)
CJK Bilingual Review Experts + Endpoint Security Protection: Match Made in Doc Review Heaven
Our conclusion is not whether you can trust the human. Although it is true there are bad actors, there are also bad actors lurking beyond your remote teams. They gain access to files, phish your employees, inject malware into your workstation, etc. They look for misconfigurations, unpatched software and prey on human compassion. There are countless permutations where the human factor is either manipulated or compromised; however, if you isolate your virtual workstation where your reviewer’s work is completely segregated in a protected and monitored environment, this reduces the risks associated with remote working arrangements.
In the rare case where you have an insider threat situation where your own reviewer is the bad actor, an isolated workstation that contains the multiple layers of endpoint security, increasingly minimizes their ability to succeed. This does not mean it can’t happen, but greatly reduces the risk. No technical implementation eliminates risk 100%. If anybody says a technical solution is failproof, I’d run.
We are confident our technical partnership with SecureReview® and implementation will empower our clients with the best of breed infrastructure to offer a secure remote solution for all our bilingual managed reviews. Our expertise at The CJK Group has always been in the delivery of specialized expert teams professionally managed by dedicated bilingual review attorneys (the human element). Clients gain the confidence of a purpose-built technology specifically designed in securing remote review alongside our specialization in handling bilingual attorney teams. It’s simply a win-win-win for everyone! Clients get favorable pricing, high-quality expert reviews and a robust virtual workstation that can be cost-effectively deployed on any device securely. Our trained and vetted team of talented bilingual experts can work productively without geographic limits.