Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1542659
Peer to Peer Magazine · Winter 2025, page 31

4. PROACTIVELY VET AND MONITOR EVERY THIRD-PARTY VENDOR

Breaches rarely start at home. More than half originate in the extensive web of litigation support providers, software vendors, contract staffing agencies and, sometimes, expert witnesses. Both in-house and law firm legal teams must scrutinize every vendor as a source of risk.

Action Steps
- Adopt a standardized risk-vetting tool (such as Shared Assessments' SIG questionnaire) to screen all vendors.
- Require multitiered evidence: ask for independent audits (SOC 2, ISO 27001), vendor supply chain risk questionnaires, and regular IT/infosec reviews.
- Insist on regulatory attestation: obtain written, renewed sign-offs from both vendors and their critical subcontractors confirming compliance with every relevant statute (HIPAA, GDPR, CCPA, etc.).
- Consider legal industry specialists: firms like Prevalent focus on legal technology supply chains and can streamline complex vendor reviews.

5. MAKE ENCRYPTION A NONNEGOTIABLE, VISIBLE STANDARD

Encryption must be used everywhere: for files at rest, for data in transit, and for backups. Encryption protects sensitive data by making it unreadable to anyone without the key, which also limits the harm if that data is ever exposed in a breach, provided strong, current protocols are used.

Law Firms
Document your encryption policy in your client security briefing. Make clear that encryption is not just "enabled": it is enforced, monitored, and routinely audited. Using a cloud service does not guarantee encryption; vendor claims should be scrutinized and independently verified.

Legal Departments
Don't rely on generic IT statements alone. Request and periodically review encryption documentation and processes, especially when onboarding or updating tools and vendors.

Action Steps
- Mandate encryption for all client and company data, from emails and files to backups and endpoints.
- Demand encryption transparency from every vendor. Require written confirmation in RFPs and ongoing contracts.
- Keep it clear and straightforward. Non-tech stakeholders should always know which files are encrypted, when, and by whom.