Due Diligence When Selecting a Vendor

April 11, 2018

When faced with the task of collecting, processing, reviewing and producing digital data, law firms (and clients) often retain outside vendors to assist.  Depending on the vendor, and the circumstances of the retention, there may be a single vendor retained to handle the entire spectrum of client needs (i.e., from collection to production).  Or, there may be a series of vendors retained (i.e., one to perform a forensic collection, another to handle document review).   Before retaining any vendor(s), however, it is advisable to perform some minimal due diligence on the vendor in an effort to minimize the potential that client data could be compromised.    Indeed, in today’s age of digital data and increased efforts to ensure data privacy and protection, it is critically important that any vendor that will have access to a client’s data be obligated to keep the data in an environment equally as secure as the environment in which the organization and/or law firm maintained the data.

Below is a suggested list of questions /topics to discuss with vendors before retaining them.  The list is by no means exhaustive.

• Does the vendor have an incident response plan?
• Does the vendor have any security certifications?  For example, the International Standards Organization (“ISO”) 27001 — the international standard for information security.
• Does the vendor have cyber liability insurance? If so, is the insurance adequate?
• Will the vendor permit security audits or provide a copy of the most recent security audit report?
• Has the vendor suffered data security breaches/events?
• What are the vendor’s encryption practices?  And, do these practices apply only to data it houses, or also to data in transit?

It is also advisable to include in the vendor agreement that the vendor must notify you/client of any data incidents within a set time frame.