Geoffrey Vance on Legal Tech and Data Security

Geoffrey Vance on Legal Tech and Data Security

We recently met with Geoffrey A. Vance, Litigation Partner at Perkins-Coie and Chair of their E-Discovery Services & Strategy Group, to discuss all things legal tech. Vance is a veteran commercial litigator who has followed the evolution of legal technology throughout his career, identifying game-changing solutions that dramatically improve efficiency and reduce the costs of legal services. What follows is a transcript of our interview, wherein we cover digital transformation in legal processes, choosing legal tech vendors, data security for law firms, the importance of user experience, and a wealth of other expert insight.

Prevail: Thanks so much for joining us today. Can you give us a quick background on who you are and what you do? 

GV: Sure. Well, I'm Geof Vance. I'm a commercial litigator. I'm a partner in my firm's Chicago office and practice litigation services both as an attorney and as a member of the firm that leads our E-Discover Services & Strategy group. That's our in-house e-discovery vendor. We provide services not only to litigators but also to attorneys across the firm and all of our offices.

GV: Yeah, wow. Let me tell you. [I]t is so cool to have been part of it. I can tell you, that legal tech, which was in its infancy when I was a baby lawyer, is now an extraordinarily important part of being a lawyer. It makes lawyers more organized. It makes lawyers much more efficient. It makes us global jet-setters.

I can travel around the world without skipping a beat, and doing the same work, and have access to the same data no matter where I am. I can be a better lawyer because of it, because it helps me deliver better legal advice and better results to the client. I just think it has massively transformed what we did before into something that's much more efficient, much more effective, and much more fun to be a lawyer now.

Prevail: Streamlining a lot of that internally, has that been a challenge for you and your team? 

GV: No, and I think that's because I work at a law firm that specializes in tech clients. I think we have always understood, as a law firm, the value of technology and actually understood that if you're not using technology, then you're kind of a step or two or three behind others who are. So, we, as a law firm, see the value of technology, so we, as a group, are obviously in the e-discovery, legal technology space, so put those two together.

We've been pretty proactive on the use of technology, and I think we've seen really great results, both in firm performance and revenue, but more importantly to our clients, we have been much more cost-effective, and our clients see it, and they hire us more because of it. 

Prevail: That's got to be great for just brand perception in general, right? You get a good name out there; everybody knows that they're going to come to you, and you're using the latest tech to win more cases, right? 

GV: Well, winning cases, however you define "winning," is what's most important. I think clients want to win cases, win their projects, be effective, and succeed while spending the least amount of money that they have to. And if you can demonstrate both, where it's subjectively, or, in our case, objectively a win – because we've defined what a win is – and demonstrate to the client that they save money using you – that's a total win-win, which usually results in them coming back for more.

GV: Yeah, and it's funny because I – remember, I see it on both sides. I'm not only a user of legal technology; in one sense, I'm a provider of legal technology, so I see it on the other end where they expect this of me. And so, I think I can whittle it down to, let's say, three or four categories: One, I think, is customer service.

I think responsiveness and customer service have to be there no matter who you are, but especially in legal tech, so that's the first thing we see. Do we like the people? Are they responsive to us? Do we feel comfortable working with them, especially when stuff hits the fan? So, that's one. Clearly, the threshold here is you have to demonstrate the actual value and ROI of the technology.

Does it work, and how will it help us? How does it provide an ability to be more cost-effective and more successful? And that's sort of the threshold. I don't think we ask enough of the vendor's vision for the future. Having a software product now is great, but what are they doing to make sure that that software product is just as effective or even more effective in the future, given all the changes in data security requirements and all the other requirements, plus, just how litigation has morphed over time?

I think that's important – to talk about the vendor's vision of the future so you're not stuck. It may be a great state-of-the-art technology now, but in five years, will you be in the old days and stuck with that technology? And then, of course, I mentioned before – I think it deserves its own category – data security. I mean, we have seen too many horror stories, and read too many articles about poor data security, and that is clearly one of the things that you have to look out for when you're selecting a legal tech vendor. 


Prevail: So a vendor that can morph and grow with the services they're giving to certain providers, and then keeping data security top of mind, which I know has been a relatively hot topic lately with all the different data breaches happening. Is there something specific you're looking for in a vendor when it comes to data security? 

GV: Well, this is the good news for me because this is terrifying. Lawyers are not technologists. We don't have a technology class in law school -- at least we didn't when I went to law school. This is something that we were told we should rely on other people to help with. I guess that's the "Debbie Downer" news.

The good news is that we do. I mean, my law firm has some of the best technology experts that can address security issues. So, I mean at the bottom, what we really care about is protecting our client data. We want to make sure that that data and our work product is kept confidential; it’s private from the rest of the world. So, when we, as a law firm, are looking at vendors, we lawyers look to our IT experts, our CISO and other people in the data protection and data security group – to tell us what we should be looking for, what we should be asking for, and then to help vet those vendors. 

So, what are we looking for? Well, one of the clear things we're looking for is security certifications: SOC 2, ISO 27001, we know that those certifications, if people meet them – and they're really tough to meet – should answer the question: Can we trust them? Can we trust our client data with them? And so, I think that's an important concern we have, is whether these companies have the certificates or are at least working toward getting them to demonstrate that that data is secure, available, there's integrity in the processes, that the information will be confidential and private.

Prevail: Yeah, because it's not just about the technology. It's about where the technology lives at the end of the day, right? If it's on an unsecured computer with somebody who's 100% remote, such as a stenographer in the courtroom using their own computer, that creates a lot of risk, right?

GV: Yeah. Well, right. You've demonstrated – you just articulated the real conundrum here. I mean, the amount of legal tech is exploding, so that's great. I mean, you just go to ILTACON, you go to Legalweek, you go to these conferences, and go to the convention centers.

You see hundreds, and then thousands, and now tens of thousands of solutions out there. And that’s great, but each one of them introduces new risks and new, especially, data security risks. And so, yeah, it's great, but let me tell you, the more technology we use, obviously, the more horror stories we're going to hear, because technology itself, while fantastic, also creates additional risks that we have to make sure we minimize or eliminate if we can.

So, yeah, and I'll give you one quick anecdote. It has nothing to do with the actual technology itself. I traveled to China a lot. I used to manage our Shanghai office. I would, of course, when I go, only use a laptop that was basically blank, that didn't have any data on it. I could have the greatest technology on that laptop, but the fact of the matter is when I landed in China, at any point in time, someone could take that laptop and mine it.

And so, having the technology was great. Having the technology also created a risk that we needed to eliminate thereby not having any of the technology on the laptop itself. 

Prevail: That's really great that you've got an IT security team there to really assist you and help you. What do smaller companies or smaller firms do when they don't have a CISO on board to look at their security stack? What would you advise for something like that?

GV: Well, I think those are two different questions: What are they doing, and what should they do? What do they do? I don't know that the smaller firms do much, if anything, at least, I would imagine a lot of them with a small budget may cut corners. But I will say this: There are lots of people out there who can help them.

So, if they can't hire a CISO in-house or have an entire team, like my law firm, of people who help with data security, there are people who will consult with them and will provide them the same amount of assistance. And I think that is a new introduction to the legal world. Our industry now requires consulting with those kinds of people. We are both ethically obligated and practically obligated to make sure our client data is secure. 

Prevail: Let's talk about the differences in modern, remote deposition processes: compared to traditional court reporting, how is the former better for data security? What are some of the levers you can pull by doing your depositions remotely? And where does data security come in? 

GV: Yeah. Well, let me start with just, sort of, let's go back and redefine what traditional court reporting is, and then we can compare it to traditional stuff, right? Traditional court reporting was traditionally an in-person process based entirely, or at least almost entirely, on printed material, and that court reporting process had lots of different people in play. You had the court reporter, a videographer, scopists helping the videographer – the court reporter. You had people who they'd give the material to scan or to make photocopies of, so you had three or four, sometimes five different groups of people carrying that – a same piece of paper or different versions of that same piece of paper around, so that, to me, now, in hindsight, sort of created big red flags, right?

Because only one of those people could make a mistake and client data is now at risk, so that's the old way – now you get to the new way, which is remote technology, and to me, the pandemic really did us a favor here. It's one of the few areas where it did. Remote technology here for depositions uses electronic data and electronic video and audio transmission, so I can answer your second question in one sentence: Remote technology allows us to keep a single copy in a protected environment, period.

And so, no longer do we carry pieces of paper around and give them to a whole bunch of different people and create different risks no matter who it is, moving documents around and leaving them in hotel rooms or leaving them in conference rooms for someone to snoop. Right now, we have a single copy in a protected cloud environment that you can give people access to, and even that access is audited and protected so that you have minimized the risk of any data breach. And so, that, to me, is the exciting part about all remote technology, and I don't know that many lawyers think about data security when they think about the court reporting process. 

And so that's also, we can now know the sort of the secret's getting out, that the court reporting process is also at risk of data breaches, that now we have this remote court reporting technology that, really, all lawyers should be very excited to use. 

GV: Well, no matter what, it doesn't look good. It keeps all lawyers up at night, I would imagine and keeps our CISOs and the people we rely on up at night. I mean, I can think of four things right offhand: One is it could – it's a violation of an attorney's ethical canons to keep client data secure and confidential. That is one of the things we must do. And if we don't, we committed an ethical violation, and that's scary. And our job is to do whatever we can to make sure that doesn't happen, to not only keep – because what we really do is what we care about our clients' – we care about our client's data. We don't want that data to be breached, but we also care about our licenses and our ability to practice law.

So that's one – you just violated an ethics canon. It could also have a negative outcome on the case. If your client's data is breached or even an opposing party's data is breached, and somehow you violated a protective order, you will get either – you could get sanctioned. This sanction could be monetary, but it could also result in something like a default judgment where your client would lose because of it, so that's pretty scary because it could really have an effect on the case that you've been hired to win. And so, lawyers want to win their cases, not lose them because of data breaches which have nothing to do with the merits, so that's number two. 

Number three is when a client is harmed like that, malpractice suits come up. So, there's a third legal implication, that the law firm could get sued by the client for that breach, and then, ultimately, that same conduct, violating or breaching, having a data breach, could violate all sorts of other data security laws, laws like HIPAA, also, that protect personal and private information, so you could violate a law and be criminally liable for that. So, scary. Civil liability, ethical liability, losing a case, or otherwise being sued by your clients, all things that we should do whatever we can do to make sure it never happens. 

Prevail: That's a lot to take into consideration for something that a lot of attorneys may overlook. When one of these data breaches happens, it seems there's a lot more behind the scenes that's going to happen as well. 

GV: Yeah. Well, that's one of the reasons I love doing stuff like this, because I do think everyone should know that this matters, that this is an issue they should be paying attention to. It's an issue we can address and make sure it doesn't happen with the right amount of resources and the right thought processes around it, so I'm happy to be an evangelist here because I want everyone to be ethical. I want everyone to do things the right way, and this is the right way to make sure data security -- our clients' data is secure and protected. 

GV: Yeah. Well, remember, I'm a litigator, so my use of legal tech is confined to the litigation process, but I can tell you legal tech has helped me throughout the entire process. So, you probably see the EDR chart, the graphic. I mean, it helps me from the very beginning when the information governance stage, when clients are keeping their data, to the time that I need to collect that data, search it, analyze it, and figure out how to use it in a lawsuit.

It helps me to the point where the lawsuit's filed, and I'm responding to the complaint or maybe I filed the complaint. It helps me through the entire discovery process, not only the exchange of data in discovery, but also the depositions we talked about today, and it helps me all through the entire trial process, even to trial and even to the appellate process.

So that is something so cool and so different now than it was, let's say, 10, 15 years ago, when legal tech really was the exchange of information in the written discovery process. Now we have it for the entire thing. And so, some of those examples, though, despite the fact that I said that it covers the entire spectrum of litigation the major examples, because they've been around for so long, are the e-discovery review solutions out there. I don't know if you want me to name names, but the names are pretty obvious in the market. Relativity and Disco and some others, they all involve really sophisticated document review platforms that allow me to identify the information that's relevant to the matter that will help me win and also that's responsive to a request. And they've included now case management platforms and other really helpful solutions that help me manage the massive amount of data that comes up.

And it's not just the client data, it's not just the data produced to us from the other side, it's all of the briefs that get filed, all of the orders that get entered, all of the transcripts of that come out of all of these depositions that we've been taking around the world, both defending and taking.

So having the case management platform has been really cool. And then, court reporting software significantly changed the pandemic. We moved this into a remote world because we had to. But now that we're going back in person, I think you are seeing a lot of people preferring the remote route or a combination of remote and in-person scenarios, and I think that's really helpful in not only depositions but hearings, so I think the same software we've been using in court reporting instances now can be used in hearings.

So, there are times when a judge can hold an in-person hearing, and he or she can also have people participate -- not just listen but participate remotely -- and that makes for a great, great litigation process. And then, all of the trial presentation software we use to help me persuade judges and juries, that all -- it kind of fits into one big litigation tech world that has drastically improved the industry.

Prevail: Some states such as Florida and Minnesota are now doing their depositions remotely, and we’re sure many states will follow suit. But like you said, this new remote world allows even the government to be more transparent. Things like town halls and council meetings can use a platform that's very much open to the public. 

GV: Well, just to riff on that, I think so many more people now listen to United States Supreme Court arguments -- it's not done by video, but it’s done by audio -- but now more than ever. And now you can start watching trials on TV much more. It's not just the exception; it's the rule.

And yeah, and government agencies can have their hearings worldwide if they want, or they can restrict access to it, but people can attend them remotely. And even on the other side, their government employees don't necessarily have to travel around the world to go to hearings and participate in things, so it’s a money saver, and yet, I don't know that we're losing much on the content.

GV: Well, I mean, I think it is even more basic than that. Transparency -- I think that's the number-one way they can demonstrate their commitment to data security. All too often, it's almost like when we ask some of the vendors about data security, they get defensive and treat it as if we're criticizing their technology before we've even seen it, and that's not what we're doing.

We owe it to our clients. We owe it to our law firms and our lawyers and our care professionals and all of the business services people throughout our firm to know all of the legal tech, the ins and outs of it before we use it, before we pay for it and use it. And so, the more transparent these vendors can be about their commitment to data security, the better.

Because the only way you can prove commitment is, truly, to be transparent about that commitment. So that is -- and it's very easy to tell -- at least in my experience, very easy to tell when people are being less than transparent in the way they frame their answers and in their communications with us when it's an in-person or remote discussion.

So, we start with what's written. That's wonderful, but dealing with them and communicating verbally back and forth often allays many of our concerns. It demonstrates they're proactive about their commitment. It's not just a one-time shop thing where they're going to do it now, but probably spend less overtime, and then, the certifications never hurt.

I mean that, to me -- and because these certifications are so hard to get and so, almost draconian in what they require, that if they meet these certifications, then it should almost be an automatic litmus test that they have a commitment to security, and that's another thing they should be transparent about.

I don't know if that answered your question, Kris, but those are some of the themes I can see. When you want to -- when you want to persuade a prospective purchaser that you are truly committed to data security, you got to communicate, you got to be transparent, and you -- and I highly recommend people get those certifications when they can.

GV: Yeah. Well, I think one -- not at the shows, but internally or when you're dealing with other lawyers and clients -- is a misconception that legal tech is expensive, right? I mean, yes, it's usually a fixed cost, sometimes a variable cost, but a cost, that it occurs early on in the litigation. But I think what we've demonstrated as an industry, as a legal industry, is that legal tech makes us more efficient and it saves the clients far more in hourly fees than the cost of the actual technology, so that's one myth that I love debunking. Another one is that it's optional. 

To me, I don't think you can be a good lawyer without using technology. I just don't. Being a Luddite is not a great thing to be. And you have to know what technology is out there, and I think you almost have to use it, at least some of it, to be a lawyer that is doing what he or she should be doing. So, again, I don't think it's an "if." I think it's a "you must" and "when you use it." Another one I see a lot is that -- and probably the scariest one -- is that legal tech can be used off the shelf.

Just use it, and using it itself is sufficient. And I think we've known through lots of disciplinary opinions, that just using it isn't sufficient. You have to know how to use it and you have to know what your obligations are when you're using it, and you actually, kind of consistent with what we said before, you have to know the cons of it, not just the pros of it so that you can personally demonstrate to the judge -- in this instance, we're talking about data security, that this software provides value in the litigation and has addressed the issue of data security both on a legal front and on a client, ethical obligation front, and that's really important.

So, I think that's the third one that, to me, is actually the most important. Yes, it costs money, but I do think it saves us money overall. I don't think it's optional, but just using it isn't enough. You have to know how to use it. You have to be skilled in using it. You have to improve over time on how you use it, and most importantly, you have to understand what risks you're creating by using it so you can address those risks too.

Prevail: We’ve heard CISOs say the best security is security you don't see or hear about. And if it doesn't cause friction in your life, but you're still securing things, that seems to be the ideal.  

Yeah. Well, I mean, I think you put it perfectly. I mean, the user experience is that I don't have to think about security for it to be secure. There's nothing I need to do affirmatively to make sure that this data is secure. Yes, I think we know -- as an aside, we know that 95% of all data breaches are human error, so we can deal with that.

But I want this software to reduce the possibility of human error. And you do that, the best way, if I don't even know that you're doing it. And it's not pop-ups or things I need to click. It just does it. And I think, to answer that question, that's as easy as it goes. I think what the user experience in adoption of legal tech is -- I don't know that you can say -- could understate how important it is.

I mean, making it intuitive, making sure there's customer service that surrounds it, making sure that we know that using it, it protects our client data. I mean, if any of those parts of the chain break, we're humans. We humans are likely to either turn to another tool or abandon it altogether, abandon legal tech.

And that we know we shouldn't do. So, I think the user experience, thank goodness, I don't see a problem with most of it. I think the user experience is almost, generally, and especially, in the software I discussed before, excellent. And what does that do? It encourages me to use it more, to learn more about it, and to be better with my use of it so that I can end up with that win-win talk I've always talked about, which is telling the client we've saved you money and we've improved your likelihood of success.

Prevail: Adoption and change management are two things that can be difficult to overcome in any industry. Getting people to change is hard. And so, if you can make that user experience seamless to where people want to come back and keep using it, we think that's very important for any kind of software out there.

GV: I mean, to that point, I still remember, as an associate moving from WordPerfect to Word, and chaos that changed, and moving from Lotus Notes to Outlook. I mean, I remember the misery it felt, through my entire law firm, how miserable we were, how scared we were, how against it we were, and now we all laugh at that – looking backwards, so, absolutely. 


GV: Yeah. Well, we talked about it already, but I think -- I really do break it up in two. And two -- I mean, they're related but they're separate: One is lawyers are obligated to know how to use the technology and be able to understand and explain the value of that technology. I think that is a legal obligation. That's an ethical obligation, where it's not just to have it, but be able to know how to use it, and in so doing, protect our client data.

And then, the other one is a follow-on from that: Lawyers are obligated to make – to maintain the confidence of our client data, to protect our client data, to keep it secure, and therefore, whatever technology we use, we are obligated to make sure that we have comfort that that technology will keep that data secure either under a protective order or other things so that we're not violating protective orders.

We are complying with our legal obligations and we're keeping our clients' data safe. It all comes down to that. Our clients are so important to us that their data is extraordinarily important to them and us, and we owe it to them to make sure that data is safe.

Sam Spaulding

Sam Spaulding

A seasoned content marketer and AI evangelist who is passionate about enhancing productivity and leveraging the power of AI across a myriad of industries, starting with legal tech.