Video depositions are not new. Attorneys have been using them for years to conduct discovery for court cases. They have proven useful when witnesses are unable to appear in court or to pinpoint inconsistencies in testimonies. They also offer lawyers a more impactful way of presenting a deposition to juries. Normally, these video depositions happen on-site in legal offices, with the presence of a court reporter to transcribe the deposition, a legal videographer, and the lawyers of both parties.
However, during the COVID-19 pandemic, with stay-at-home orders in place, video depositions began being conducted and recorded remotely. As a consequence, a wealth of highly sensitive data was suddenly created. In the aftermath of the pandemic, remote video depositions are here to stay, but law firms now face the difficult task of securing these files against potential data breaches.
Law firms and data breaches
According to the American Bar Association (ABA), 29% of law firms experienced a data breach in 2020. Furthermore, 75% of all security incidents in the legal sector reported to regulators were caused by negligent and malicious employees, according to new Freedom of Information (FOI) data. Remote video depositions increase the risks associated with employee negligence because they involve individuals working outside the security of offices, sometimes on personal devices whose cybersecurity cannot be managed or verified remotely.
Should video depositions be stolen or made public, attorneys risk not only breaking attorney-client privilege but also causing a mistrial that might considerably delay legal proceedings and cause clients to seek a different law firm to move forward with their case. Such incidents can also severely undermine the public image of a law firm, making clients doubt that the confidential information they provided to the firm will be kept private.
Data protection matters not only from a reputational point of view: data breaches can also lead to legal liability. Data protection regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) apply not only to specialized fields but to most organizations collecting and processing sensitive information such as personally identifiable information (PII), which all video depositions contain as witnesses must identify themselves as part of the process. Companies that fail to protect this data face steep fines.
Data security risks associated with video depositions
Video depositions are large media files that need to be shared with various parties and are usually edited for trials as some questions or information provided during the deposition may not be admissible in court. Due to their size, video depositions cannot be easily shared via simple emails. They need to either be transferred over the internet using cloud or file sharing services or copied onto removable devices, which are then physically transferred to other employees or relevant court officials. Both of these methods come with associated risks.
When it comes to removable devices such as USBs, due to their size, they can be easily lost or stolen. Transfers over the internet can be risky if employees use their personal accounts or services whose security has not been verified by a company’s IT department. Using insecure cloud or file sharing services can easily lead to data leaks.
Ideally, law firms should provide employees with their own approved services to facilitate such data transfers. However, at the same time, they must ensure that employees use only these trusted services. This can be done through Data Loss Prevention (DLP) solutions, which allow companies to identify, monitor, and control sensitive data transfers. By using DLP, companies can ensure that employees use only approved services for video deposition transfers. They can also block video depositions from being uploaded to video streaming websites, sent through popular messaging apps, or shared on social media.
DLP solutions like Endpoint Protector also offer device control features that address the issue of removable devices. Law firms have the option of blocking or limiting the use of USB and peripheral ports as well as Bluetooth connections. There is also the option of USB enforced encryption, which ensures that any files transferred onto a USB device are automatically encrypted with government-approved 256-bit AES CBC-mode encryption.
By monitoring the use of ports, companies can also keep track of which employees have copied which video depositions onto removable devices and at what time. In this way, law firms can monitor the movements of video depositions at all times, avoiding potential leaks and data loss.
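As an added illustration of the controls described in the three paragraphs above (this is not code from the original article or from any DLP product), the following Python example evaluates transfer events against an approved-service allowlist and a USB encryption rule, and builds a per-file history of who moved each video and when. The log format, field names, hostnames, and policy values are all assumptions constructed for the example.

```python
import csv, io, os
from urllib.parse import urlparse

# Assumed policy values, invented for this example.
APPROVED_HOSTS = {"files.examplelaw.test"}
VIDEO_EXTS = {".mp4", ".mov", ".mkv", ".avi"}
FIELDS = ["time", "user", "action", "file", "destination", "encrypted"]

# Constructed audit events (not real data), one per line in FIELDS order.
SAMPLE_LOG = """\
2024-03-04T09:12:00,apaulson,upload,smith_v_jones_depo.mp4,https://files.examplelaw.test/cases/123,
2024-03-04T09:40:00,apaulson,upload,smith_v_jones_depo.mp4,https://drive.personal-cloud.test/u/0,
2024-03-04T10:05:00,bchen,usb_copy,smith_v_jones_depo.mp4,USB:SN-0001,no
2024-03-04T10:30:00,bchen,usb_copy,smith_v_jones_depo_edit.mov,USB:SN-0002,yes
2024-03-04T11:00:00,cdiaz,upload,engagement_letter.pdf,https://drive.personal-cloud.test/u/0,
"""

def is_video(name):
    return os.path.splitext(name.lower())[1] in VIDEO_EXTS

def evaluate(ev):
    """Return the reason a transfer breaks policy, or None if it is allowed."""
    if not is_video(ev["file"]):
        return None  # this check only covers video files
    if ev["action"] == "upload":
        # Compare the exact hostname; substring matching would accept look-alike hosts.
        host = urlparse(ev["destination"]).hostname or ""
        if host not in APPROVED_HOSTS:
            return f"upload to unapproved host {host}"
    elif ev["action"] == "usb_copy" and ev["encrypted"] != "yes":
        return "copy to unencrypted removable device"
    return None

def audit(log_text):
    """Return (violations, custody): policy hits and a per-file transfer history."""
    violations, custody = [], {}
    for ev in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if is_video(ev["file"]):
            custody.setdefault(ev["file"], []).append((ev["time"], ev["user"], ev["destination"]))
        reason = evaluate(ev)
        if reason:
            violations.append((ev["time"], ev["user"], ev["file"], reason))
    return violations, custody

if __name__ == "__main__":
    violations, custody = audit(SAMPLE_LOG)
    for v in violations:
        print("VIOLATION", *v)
    for name, moves in custody.items():
        print(name, moves)
```
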
Frequently Asked Questions
Due to the nature of their work, law firms collect vast amounts of highly sensitive data: not only personal information relating to their clients but also confidential corporate information, trade secrets, intellectual property, and more. As a consequence, they have become very attractive targets for both cybercriminals and malicious insiders. Data Loss Prevention (DLP) solutions are designed to protect sensitive data directly rather than the systems storing it. DLP technology ensures that companies know where sensitive data is stored and who is using it at what time, and it controls the data's transfer and use.
DLP is well-known as a tool for compliance with regulations that usually protect personally identifiable information (PII), often providing predefined profiles that support compliance with regulations such as GDPR, PCI DSS, GLBA, etc. Some solutions offer profiles for intellectual property as well. However, these definitions are also customizable, meaning that law firms can choose what sensitive data means to them, based on their needs and field of expertise.
Once sensitive data is defined, policies are applied that monitor and control files containing information deemed sensitive. Using content inspection and contextual scanning, DLP solutions can search hundreds of file types for sensitive data and prevent it from being transferred through insecure channels such as file sharing and cloud services, messaging apps, personal email addresses and from being printed or copy-pasted.
The EU’s General Data Protection Regulation (GDPR) protects the personal data of all EU data subjects. Any law firm offering its services to EU data subjects falls under the scope of GDPR, whether it has offices in the EU or not. Such firms are expected to comply with all the requirements of the regulation and guarantee the security of any personal data they may collect from EU data subjects, abide by storage limitation rules, and be prepared to deal with requests from EU data subjects exercising their GDPR rights such as the right to be forgotten or the right to data portability.