The implications of data breach or theft are particularly high for legal and IP (patent) translations: from breaking strict protocol for confidentiality in legal transactions or ongoing litigation, to potentially entering trade secrets into the public domain before patents can be secured. From a law firm’s perspective, there is the added cost of damage to reputation, loss of clients, and even financial penalties to consider.
The majority of law firms follow robust security protocols when sharing sensitive data internally or between partner firms, but the same does not always apply when it comes to choosing vendors for outsourced work, such as legal translations. The rush to facilitate remote working, as a response to the global COVID-19 pandemic, has put an additional layer of pressure onto internal IT and security teams in an industry that has traditionally eschewed remote working. Little wonder that the number of phishing, hacking, ransomware, and spyware attacks on law firms is on the rise.
Safe in the cloud?
The shift to cloud-based and remote working means that law firms are becoming increasingly reliant on technology and more aware of its inherent risks. This, in turn, has put the spotlight onto the security posture and governance of vendors, including language service providers (LSPs).
This is for good reason. In many respects, LSPs aren’t simply providing translation services; they’re providing translation services that run on technology. As such, they need to meet and uphold a specific standard of security when it comes to controlling how sensitive information is accessed, shared, and processed.
For example, any document provided to an external vendor for translation will inevitably pass through numerous hands. This could include the project or account manager, the lead and/or secondary translator(s), plus editors, proofreaders, subject matter experts, and quality assurance teams, as required. Some of these will work within the LSP but, depending on the language or legal field, many will be freelancers or contractors based in the relevant jurisdictions. Each link in that document chain provides a potential new risk of breach.
A question of control
With the law firm potentially held liable for any damages or stolen information, protecting access is critical to ensuring security for all types of translation, but particularly so for legal documents, contracts, sensitive client information, financial records, and so on.
In our view, the following should be provided as standard by LSPs:
- High security as a minimum
A client’s priority is generally quality, so not every LSP takes security seriously. With the risk of a data breach or theft, including high-profile ransomware attacks, on the rise, that complacency comes with its own set of added costs and should be properly addressed now.
- Compliance with global standards
Security protocols require both physical and virtual measures, from office infrastructure to authenticated log-in credentials. Find an LSP that invests in modern cybersecurity tools and provides a layered security front to keep your business safe, for example by checking for ISO 27001 compliance or SOC 2 Type 2 auditing.
- Disaster recovery
If the worst does happen, you want to be sure that you’re covered against damage to your finances and/or reputation. From errors and omissions insurance to disaster recovery protocols, make sure your chosen vendor has you covered.
- A secure client portal
Watch out for any LSP requesting sensitive documents to be sent by email. If you forward an email, you have no control over who it is forwarded to and, therefore, who can see it. A secure client portal, by contrast, not only streamlines communication and collaboration but should also help to ensure privacy, confidentiality, and security through regular software updates, data back-ups, and user access settings.
- Employee training
With 75% of data breaches said to take place internally, employee education is crucial to minimizing the threat. For LSPs, that should start with controlling where and how employees and contractors work, and educating them on how to recognize and report phishing, hacking, and theft.