Solving the Problem of Information Security in Court Reporting
[ This article originally appeared on Complex Discovery. It has been republished here with permission. ]
By Rob Feigenbaum, Geoffrey Vance and Patrick Zeller[1]
Corporate legal departments and law firms often must use court reporters to transcribe depositions, court hearings, and arbitration proceedings, and government agencies often must use court reporters not just in these situations, but also for witness interviews and public meetings. These very court reporters record and see extraordinarily confidential information, including sensitive corporate information and documents containing trade secrets, Personal Health Information (“PHI”), Personal Identifying Information (“PII”), unpublished financial information, strategic plans and forecasts, proprietary research, and pre-patent data which the attorneys who hire and use the court reporters are ethically bound to protect from disclosure. In addition, this information is often being disclosed under a protective order placing even further responsibility on the parties to prevent its improper disclosure. Yet, the vast majority of court reporting firms employ outdated, sometimes decades-old technology that does not come close to meeting today’s data security requirements. Our goal of this article is to better explain the data-security-related problems attorneys routinely face, as well as some available solutions.
The Problem
Court reporters, even those employed by large court reporting agencies, are almost exclusively independent contractors who use their own personal laptop computers to store client data and prepare testimony. Court reporters typically work with additional independent subcontractors such as videographers who videotape the person or people giving the testimony, and scopists and proofreaders who assist in finalizing the transcripts. This entire team of independent contractors access client data while working from home using their own personal laptop computers. In most cases, neither the court reporters nor the videographers, scopists and proofreaders utilize any of the data security safeguards that clients have expected of their law firms and other legal support companies, such as electronic discovery firms, for many years. These standard data security safeguards include Service Organization Control (“SOC-2 – Type 2”) and International Organization for Standardization (“ISO 27001”) standards for data security, that are more fully explained below.
It appears to us that, before 2020, lawyers and law firm information security professionals did not usually focus on whether client information provided to court reporters, including sensitive corporate documents, and the testimony later recorded and transcribed, met appropriate information security standards. Things have changed. Attorneys and their firms must now focus on this issue for at least two very important reasons:
First, it is now clear that the trend toward remote legal proceedings which began in the Covid pandemic is here to stay, because remote proceedings generally reduce the costs and burdens on parties and witnesses and increase litigation efficiency[2]; and
Second, the recent upsurge in data breaches at law firms and other legal services providers has shown that hackers have targeted legal service providers, which often possess large volumes of incredibly sensitive client information, rather than the clients themselves.[3]
Ethical Requirements
Under ABA Model Rule of Professional Conduct 1.6(c), lawyers who utilize court reporters, videographers, proofreaders and scopists must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to representation of the client.”[4] Comment 18 to Rule 1.6 clarifies that “[f]actors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).” In addition, ABA Model Rule 5.3 (Nonlawyer Assistance), Comment 3, requires that a lawyer who is using non-lawyer services (such as those of court reporters, videographers, proofreaders and scopists) make “reasonable efforts to insure that [non-lawyer] services are provided in a manner that is compatible with the lawyer’s professional obligations.” Under Formal Opinion 498 of the ABA Standing Committee on Ethics and Professional Responsibility, “lawyers practicing virtually need to assess whether their technology, other assistance, and work environment are consistent with their ethical obligations.” Finally, and more generally, ABA Model Rule 1.1 (Competence), Comment 8, provides that a lawyer should “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
Lawyers’ Obligations
It seems clear to us that the combined effect of ABA Model Rules 1.6 (c), 5.3 and 1.1, and Formal Opinion 498, is to impose multiple requirements on lawyers utilizing court reporters, videographers, proofreaders and scopists. Lawyers must understand (Model Rule 1.1) and “assess” (Formal Opinion 498) whether the contractors they hire to assist in legal projects are making reasonable efforts to maintain the security of client information and testimony. Lawyers must also make “reasonable efforts to insure” (see Model Rule 5.3) that those court-reporting-related contractors are making reasonable efforts to maintain the security of the client information and testimony to which they have access.
The Solution
Since the beginning of the pandemic (which effectively required all legal proceedings to be held remotely), new technology platforms became available in the legal industry that allowed for depositions, court hearings, arbitration hearings, witness interviews and public meetings to be transcribed without having court reporters, videographers, proofreaders and scopists store and manage client data and testimony on their personal devices. [5] The new technology platforms are structured so that client data and testimony are always stored in, and never leave, a secure cloud-based environment. Data on these platforms can be encrypted for use in transmission and storage, and third-party security audits, including penetration testing, regularly occur. In recognition of the heightened data security requirements that the new technology platforms have achieved, we know of at least one of these platforms that has been certified as compliant with SOC 2 – Type 2 and ISO 27001:2022 standards for data security.
The arrival of these new technology platforms means that court reporters, videographers, proofreaders and scopists no longer need to store and manage client data and testimony on their personal devices when preparing transcripts, and clients (along with their law firms) need no longer to bear the data security risk of the old way of preparing transcripts, with numerous people with different roles passing along confidential information without much security. These new platforms can be used for both in-person and hybrid proceedings (where some people are remote and some live) to ensure the highest level of data security and privacy. Indeed, in-person depositions, arbitration hearings, etc. present the same data security risks as it relates to court reporting.
Based on the factors outlined in Comment 18 to Rule 1.6, it is difficult in 2024 for a lawyer’s duty of reasonable effort to be satisfied if one or more of the court reporting team use (or uses) personal devices to store and manage client data and prepare testimony transcripts. After all, the client information that is used in depositions and hearings is often the most sensitive information that is adduced in each case.
This presents a good news-bad news scenario. The bad news is that the recent focus of hackers on law firms and other legal support companies makes it likely that further data breaches in the legal support industry will occur. The good news is that the cost of maintaining a SOC-2 and ISO compliant platform to house client data and testimony is a relatively small amount compared to the cost of preparing the transcript, and a SOC-2 and ISO compliant platform is now fairly easy to find, implement and use. See ABA Model Rule 1.6, Comment 18.
The take-away is simple. It’s more good news. Before utilizing a court reporting team to transcribe depositions, court hearings, and arbitration hearings, witness interviews or public meetings, a lawyer should ensure that a SOC-2 and ISO compliant platform will be used from the recording of the testimony through the preparation and management of the proceeding’s transcript. That would have been a tall task before COVID. Thankfully, that is no longer the case. Secure, state-of-the-art court reporting solutions now exist to provide attorneys comfort that they are complying with their ethical obligations to ensure they maintain client confidences.
End Notes
[1] Rob Feigenbaum is the Co-Founder and CEO of Prevail Legal. Geoffrey Vance is Partner at Perkins Coie LLP. Patrick Zeller is Chief Privacy Officer and Senior Cybersecurity Counsel at Amgen. The views expressed herein are those of the authors, not their employers. The authors would like to thank Ashish Prasad, Vice President and General Counsel of HaystackID, for his valuable assistance in preparing this article.
[2] See, e.g., Remote Court Technology is “Here to Stay,” Judge Says, The Legal Intelligencer, Aleeza Furman (Oct. 5, 2021); Court Efficiency – Using Legal Technology to Alleviate Delays, Thomson Reuters (Feb. 3, 2023).
[3] Law Firm Data Breaches Continue to Rise, Law360, Xiumei Dong (Feb. 6, 2023); Massive Cybersecurity Breach Hits Biggest U.S. Law Firms, New York Post, Isabel Vincent (July 8, 2023).
[4] In addition to ethical requirements, there are many federal and state statutes and regulations that require that corporations and government agencies, and the law firms and legal support companies that possess client data, to maintain the security of personal information relating to customers, patients and others. The Health Insurance and Portability and Accountability Act (“HIPAA”) is a prominent example of a statute containing such requirements, but there are many others.
[5] See, e.g., www.prevail.ai.