[co-authors: John Wilson*, Jordan Ellington**, Todd Mattson***, Michael Sarlo****]
Editor’s Note: On March 17, 2021, HaystackID shared an educational webcast designed to inform and update legal and data discovery professionals on how organizations are preparing and responding to increasing security and privacy challenges that are demanding sophisticated security capabilities. While the full recorded presentation is available for on-demand viewing, provided for your convenience is a transcript of the presentation as well as a copy (PDF) of the presentation slides.
[Webcast Transcript] Remote Security for Distributed Workforces: Review Challenges and Considerations
In today’s COVID-constrained world, it is estimated by industry analysts that now that more than 90% of all legal reviews are done remotely. This new remote world and its highly decentralized review landscape have introduced more complex security challenges demanding sophisticated security capabilities, all without changing the demanding efficiency and efficacy requirements of audit, investigation, and litigation-driven reviews.
In this expert presentation, enterprise security experts, data and legal document review authorities, and industry-leading technology innovators shared how organizations are preparing and responding to increasing security and privacy challenges in today’s remote world where distributed workforces are now the rule, not the exception.
+ What is Different About Remote Security? Considerations and Challenges
+ What is the Difference Between Nice to Have and Need to Have? Three Generations of Remote Security
+ Do Layers Matter? Layered Security Approach Examples and Considerations
+ From Concept to Execution: A Practical Roadmap for Secure Remote Review
+ John Wilson, ACE, AME, CBE – As CISO and President of Forensics at HaystackID, John is a certified forensic examiner, licensed private investigator, and IT veteran with more than two decades of experience.
+ Jordan Ellington – Founder and CEO of SecureReview
+ Todd L. Mattson, Chief, Practice Systems & Services, Covington & Burling LLP
+ Michael Sarlo, EnCE, CBE, CCLO, RCA, CCPA – Michael is the Chief Innovation Officer and President of Global Investigation Services for HaystackID
Hello, and I hope you’re having a great day. My name is Rob Robinson, and on behalf of the entire team at HaystackID, I would like to thank you for attending today’s presentation and discussion titled Remote Security for Distributed Workforces: Challenges and Considerations for Data and Legal Discovery Review Projects.
Today’s webcast is part of HaystackID’s monthly series of educational presentations conducted on the BrightTALK network and designed to ensure listeners are proactively prepared to achieve their cybersecurity, computer forensic, eDiscovery, and legal review objectives.
Our expert presenters for today’s webcast include four of the foremost eDiscovery, security, and legal review experts in the legal tech field.
The first introduction I would like to make is that of John Wilson. John serves as the Chief Information Security Officer and President of Forensics at HaystackID focused on privacy, security, and computer forensics in the United States and throughout the world. He is also a certified forensics examiner, licensed private investigator, and information technology veteran with more than two decades of experience working with the US Government and both public and private companies.
Next, I would like to introduce Jordan Ellington. Jordan is the CEO of SecureReview and has more than 25 years of application development experience, focusing on document collaboration
systems for major corporations, financial services, law firms, and life science companies. In 2017, Jordan founded SecureReview, which is a leading company that provides ground-breaking technology to secure remote access to highly confidential information.
Also, I would like to introduce Todd Mattson. Todd has been with Covington & Burling since September 2005 and leads the firm’s practice technology and paraprofessional support functions. After practicing law in Texas, Mr. Mattson has held leadership positions at several AmLaw 100 firms. He has over 20 years of experience in practice support and technology management.
Last, but certainly not least, I would like to introduce Michael Sarlo. Michael is the Chief Innovation Officer and President of Global Investigations for HaystackID. And in this role, Michael facilitates innovation and operations for privacy, cybersecurity, digital forensics, and eDiscovery both in the US and abroad.
Today’s presentation will be recorded for future viewing and a copy of the presentation materials will be available for all attendees, and you can access these materials directly beneath the presentation viewing window on your screen by selecting the “attachments” tab in the far left of the toolbar beneath the viewing window.
And at this time, I would like to turn the mic over to our expert presenters led by John Wilson for their comments and considerations on remote security in the world of electronic discovery and legal review.
Thanks so much, Rob, we appreciate it.
So, today, we’re just going to talk through the remote review and the evolving nature of it, where it’s at today, what made it be where it’s at today, provide that background and understanding of where we’re at, how we got to where we’re at, and why we’re there. We’re going to talk about some of the new normal, the new standards, practices that are going to help guide this world for us, and then start moving into what’s the future going to hold, where do we head next.
So, secure remote review is the review of legal documents – a legal document review project but it’s being done by a virtual team, and that virtual team is having the people dispersed across large regions, sometimes those regions are still geo-specific, because you have geo-specific constraints around some cases, sometimes they’re global, sometimes they’re just within a small region where you have people that would normally be all sitting in the same office and doing that review together, but because of COVID and all of the factors related to that in today’s world, that’s no longer a possibility. You can’t do the work that way anymore.
When properly implemented by a proven and experienced provider, this approach to review increases the quality and the speed of the reviews, and this whole remote review concept – something that HaystackID has been doing for many years, it well predates the COVID era, although it has certainly become more prevalent in the COVID era – it can actually provide several benefits in various different areas of a review process, and it can be quite intriguing and beneficial to organizations that have these sorts of reviews going on, and we’ll talk about some newer use cases in certain areas as well towards the end of the presentation today. Probably one of the largest benefits and the reason we started doing it before COVID even hit was that, most of the time, it can be delivered at a lower cost than a traditional on-premise review with a higher quality pool of talent.
So, let’s start with framing how we got to where we are. So, what factors led us to this service change? Jordan, I think you’re probably in the best position to start talking about that.
Sure, absolutely. Thank you. One of the prime concerns with reviewers working from home and the questions raised is really working with individuals that have, if you will, uncontrolled – from an IT corporate perspective – uncontrolled PCs, so you want to make sure that they’re logging in from an appropriately protected PC, but also thinking about working at home and wondering who else is looking at the screen or is someone logging on and sharing the screen.
So, the challenge was when the COVID incident occurred last year in March, was suddenly, how do we protect that endpoint? How do we find out and certify who is looking at, what we called, the last 18 inches of the internet? Who is behind that computer screen? And using the SecureReview technology and partnering with companies such as HaystackID, we were able to have a level of security that the providers were able to assure their clients that we had positive control over the endpoint. So, this was really the leading factor to service change is securing the endpoint in a distributed environment.
Absolutely. I think that is a large challenge that people are starting to realize. I think it was something that went unnoticed before the COVID event because the COVID event drove it to, all of a sudden, 95%, 99% of my workforce is doing this instead of 5% or 10%, or a much lower percentage, so it was getting much less visibility and attention.
Mike, can you jump in there?
Yes, certainly. COVID-19 and really just clients, in general, HaystackID has been a leader in remote review for many years, so we were very much well prepared when COVID hit to move, not only our review staff but also our entire workforce insomuch where we still had people going to sites offsite. And there are different situations beyond just review where we want to have certain levels of controls baked into our process, be it if we’re looking at ultra-secure like source code, the source code that is usually kept more in ultra-secure networking environments, or in the case of a review, usually where that would be conducted offline on secure laptops with experts. Being able to fulfill those needs, that’s been important as well.
And really having an audit log, we can still see somebody in person. Some of these things that you feel safe in a review center because you can see people, granted, truth be told, you probably actually, in some cases, are more secure in the SecureReview remote world with people on camera all the time, but these are all various factors as to why we’ve moved in that direction.
Absolutely, and there is a big impact there, making sure that the privacy and security factors of all of this get addressed and taken into account, preventing the ability for the data to leak from the environment or leak from the organization that you’re doing the work for.
Todd, do you want to talk a little bit about the InfoSec and data loss prevention side of all of this?
Todd L. Mattson
Sure. I guess I will take a little bit of a contrarian view in that I think that the reasons to look at tools like SecureReview and SessionGuardian and the notion of creating a matter specific or a project-specific infrastructure pre-dated COVID by several years. we started working on this with SecureReview more than three years ago, and the driver for us was to make sure that we create a bubble around our matters when 60 or 80 contracted attorneys are working on some of our clients’ most sensitive documents. However capable the managed review companies are, and however capable their infrastructure is, we don’t want our clients’ data ending up on personal computers or the agency’s infrastructure.
So, the idea was to create a way to keep every informational artifact about the project on a system that we can audit and control and archive and/or destroy as the case warrants. The data loss prevention driver for us was significant, and that can be an intentional actor or, more likely, just accidents and even routine if the contract document reviewers are asked by the associates to PDF and mail them the hot documents, that all of a sudden, those hot discovery materials end up in the email systems and the backup systems of all manner of different companies.
The move to work from home or work from anywhere only exacerbated this problem and accelerated this problem as far as I’m concerned, and the use of hundreds of contract review attorneys using their own computers with their own – filled with viruses and access to Gmail and Yahoo… we needed some mechanism and it’s good that there are a number of providers like HaystackID that were keen to this idea early, and we were very reliant on the SecureReview technology.
I think you probably said it best in that this isn’t new, it just became much more visible and much more exacerbated by the global shift due to the COVID pandemic. And so, having the security concerns, the privacy concerns, they were already there, they just became much more prominent, and people really started recognizing, hey, this is something we really have to address, who has a solution, how do we work around this. And that’s where – there are some key strengths to working with people that have been doing this for a long period of time versus somebody that just started doing it in response to COVID-19, because it becomes important… there’s a lot of workflows, inherent-learned knowledge through the experience of doing it for a longer period of time, certainly provides its benefits.
Let me just jump in there for a second. Being in the remote review sphere for many years, there are many other platforms that we’ve leveraged, as far as the overall project management experience, to deliver clients, successful outcomes on remote reviews. So, it’s not necessarily just being on camera and having a secure terminal and being able to audit those endpoints, you also need to be able to audit and be aware of everything else that’s used as you’re aiming to get a review complete, be it chat systems that reviewers are on, be it any type of time management systems. Having a good audit trail there, those are very important when you’re trying to track productivity or to confirm that people are doing exactly what you think you’re doing when they’re doing it, and also all the audit logging and any project management platforms.
Many, many years ago, we used things like Basecamp and things like that. These days everything is pretty self-contained, 365 or G Suite, and from kind of an overall fencing standpoint, everything is controlled to be accessed through these secure remote terminals. And also, being able to confirm the endpoints that reviewers or just anybody is logging in from, I think that’s certainly something that most organizations, including well-developed organizations with good IT budget may not have integrated into their RDP solutions, so these are just some other considerations as far as tying it all together, which is a major piece of the puzzle here, as far as delivering a security apparatus that works in legal.
Absolutely. And so, we now understand kind of how we got to where we are and it has been around for a while, but it has evolved, and then been driven into much more popularity through recent events. So, let’s talk a little bit about, so you have a new project, what happens? How does that work? How do you deal with your vendor, deal with the onboarding logistics, team assembly? Todd, do you want to start us off?
Todd L. Mattson
Sure. I think we… it’s no secret that we work with dozens of eDiscovery providers, managed review providers and staffing agencies, and so the process of reviewing the résumés of contract attorneys, selecting the team, matching their capabilities to the needs of the particular document review project, it really hasn’t changed that much. We might ask questions like, where are they, and what kind of computer they have, that maybe weren’t as important when we expected everybody to come into a brick and mortar – into a big room and work together.
But those key points about selecting the right people, I would argue, aren’t really changed that much. Now, we use email and chat and collaboration tools and screen sharing for education, for getting the team assembled correctly, and making sure that everybody has the right document review instructions, manuals, outlines, the background materials. Again, I think it’s really important to recognize that – at least our approach to this is to keep all of this information within a matter-specific infrastructure so that we can control what happens to it. Once that’s going, the team management… I think we can probably all agree that if you’ve got 12 or 20 contract reviewers in a big room and your team leads, whether they be associates from the law firm or staff attorneys from the law firm, or team leads from the managed review provider if they’re there walking amongst the group answering questions and getting to know people and getting to know who is a strong reviewer and in what aspect of the review are they strong, that’s great. In fact, I would argue that in the remote world and the work from home, work from anywhere model that we’re now living in, that attention to supervision and coaching and coordination actually goes up. It’s actually more of a job. It’s a bigger job, it takes more time. Computer-mediated, as it is, rather than just sort of the simple face-to-face.
Do you want me to stop there?
If you have more to say, feel free. Of course, I think we probably all have plenty to say.
I think from there, so we’ve talked about the vendor management, the onboarding, the team assembly, and the training. Maybe, Jordan, you can talk us through some of the technology considerations as you have that software layer, the glue in the middle, and talk about how you deal with validation of endpoints, and least privilege access, and disposition of data and those sorts of important areas.
Todd L. Mattson
Jordan, I’m sorry to interrupt. One thing to touch on, I think is important is making sure that after we’ve selected the team, and everybody has started working, that we actually know that those folks that we selected are the ones sitting in front of the screen reviewing the documents.
Absolutely. We found a strong difference between reviewers that set themselves up working at home versus reviewers that go into a review center where the PC is already set up and they just sit down and start working. And the level of support even with a very confident reviewer could be very different, especially if they might be technically challenged achieving the same setup at home. So, this is something just from a team recruiting and organization perspective we found is important.
So, certainly, also, understanding the types of PCs, if the users are using their own PC versus a corporate laptop, we want to make sure that they have certain baseline requirements, and this is where it becomes useful to have an endpoint security solution that ascertains the version of Windows, makes sure that the antivirus is installed and running, for example, and that, in fact, the user is using the authorized PC and not, perhaps, logging on to a different PC than was originally intended.
Once the user’s endpoint is secure, the next step is the user will then log in to, typically, a virtualized space that is designed to ensure that as the user is reviewing data, documents cannot be downloaded or data cannot be transferred from the review database to the local PC. On top of that, we can also make sure that while the secure session is running, that only the authorized user is actually present in front of the PC, that there are no other unauthorized users in front of the PC, and if the user needs to take a break, for example, and walk away from the PC, that the screen is protected. And that will provide surety at the endpoint that a non-protected screen is not left open with privileged or confidential information and someone else in the household could look at that screen.
And so, between the endpoint, confirming that the user is the correct user and logging in from the correct PC and then the virtualized environment, these two tools help ensure that we don’t have any data loss between the user’s PC and the review database, and of course, that the PC itself is operating in a mode that’s as close as possible to an on-prem review scenario.
Yes, I think the ultimate goal is you want to be running the review as close as possible to that on-prem scenario while gaining the benefits of the remote solution. So, you want to be able to make sure that you have a dynamic project that can evolve as the project needs to evolve, you can do the things you need to do for a project and continue down that line without having to worry about those underlying technology considerations, and the security concerns, and the privacy concerns of making sure that the data is staying controlled, that somebody is not using a rogue endpoint to connect to the system, or somebody doesn’t have somebody standing over their shoulder observing everything they’re doing.
And then you have the post-review considerations. Todd, I think you’re probably a great person to talk about that, inasmuch of talking about what happens. OK, now the case is completed, do I need to keep this data? Do I need to get rid of this data? Do we have it all controlled? Do we all have it in a centralized repository?
Todd L. Mattson
Yes, all important questions, and as you all know, probably the number of projects, sensitive internal investigations, and litigation matters is only – highly sensitive and subject to some external security regime – those numbers are only going up. So, we’re increasingly being asked, directed by courts, or asked by clients, to make sure that all of the information, all of the data, all of the informational artifacts associated with a particular matter are – that we know where they are and that we can either archive them for a prescribed period of time or destroy them and prove that that destruction happened.
I want to go back a little bit in the timeline of a matter here to make two points that are related. One of them is the feature that we’ve come to rely on in the SecureReview setup is that email system that is unique to the matter. So, the document review attorneys can use an email system and it’s a complete server and client, everything is in the SecureReview workspace, that allows them to get a matter-specific email address, and so the correspondents that they might initiate or receive from experts or lawyers working at the firm is contained in that repository.
The other point that I’ll make about this that goes back to the earlier phase of this is we found early on that in order to get the best contract document review attorneys to work on our projects, we had to build these systems with them in mind. These systems cannot be invasive of their privacy, we can’t lock down their computers. Back in the day when folks were working in offices, there was a time when we took away people’s cellphones and sat them at big, long tables filled with monitors, and I don’t think that’s the right thing to do for those folks, and we don’t get the best results that way.
So, with the SecureReview model, the individuals can use their computers, they can have Gmail open on their computer, they can have Spotify open on their computer, they can keep track of their kids of whatnot, and still have a portion, if you will, of their computer that is part of a secure bubble that’s for that matter, and information can’t flow back and forth. That, ultimately, ends up providing the contract review attorney with flexibility that they would otherwise not have.
So, I like to spin this the best possible way in favor of getting the best folks to work on our projects.
Absolutely. I think that getting a high-quality pool of talent is definitely a critical success factor to these projects. Leading into that, Mike Sarlo, do you want to speak about the overall project management and project flow from your perspective?
Thanks. Certainly, in the review sphere, we want to be recruiting and retaining top talent. Attorneys, sometimes, as you may expect, all of them aren’t always super technical, so having an easy mechanism that’s repeatable for them to log in to a secure environment to do their work is a good thing, actually, especially where other organizations may be piecing together many different systems to authenticate a user and then to get them into a work site remotely. So, having a single point that’s well packaged and repeatable is great.
Certainly, as far as recruiting the best talent, you have to know, out the gate, what their strengths and weaknesses are. At HaystackID, we actually do – any time we have any new reviewer coming into our network, they go through a simulated test. They look at a review protocol, they log in to its system, call it ReviewRight, where they’re then presented with 15 randomly selected documents, and they have 50 minutes to code those documents, as many documents as they can in that time. And that gives us a read on their precision and recall and their accuracy, as far as their capability to be a good reviewer, who is sometimes different from being a good attorney.
So, certainly, outside of the tech stack, just the concept of being a good reviewer doesn’t necessarily always comport with being a good attorney. So, being able to measure individuals as far as their ability to do things quickly and accurately is very important. Certainly, we are taking metrics and statistics about their use of the remote environment, be it in Relativity, on their terminal itself, what were they doing, and we’re rolling that back into the testing system to make sure we’re getting a consistent read on their performance.
Yes, perfect, thank you. I think along with managing and collaborating with the teams and evaluating their productivity, and scaling – evaluating the team members, it also comes a lot into that collaboration with all the parties involved. So, you have the legal team, the corporate team, whoever may be working on that project, whatever those different groups may be, and being able to have that collaborative environment, whether it’s internal to the project, or external to the project, and being able to bring all of that together can become very important while still keeping into consideration all of the security concerns that you’ve got, that fits around the systems, whether it’s geofence or the biometrics and all of those security considerations.
I know, Todd, you really talking about matter-specific infrastructure, and we kind of started delving into that already, but anything that you wanted to add there, share with us?
Todd L. Mattson
Well, I guess, I’ll touch on two things. One is… I mentioned the value that we see in the constrained email system, an email system that’s within that bubble. The same goes for telepresence and chat and screen sharing. I think Jordan may be able to speak to when those features are coming in the roadmap on SecureReview, but we are keenly anticipating the ability to, essentially, do webinars within the matter-specific bubble. I think it will add a lot in terms of – as you mentioned before that collaboration and management of the group, given that I don’t think that we’re going to see an end to the remote view any time soon, I think it’s an important point.
And another point on this matter-specific infrastructure, we found it really – a sort of heightened use case, a very intense use case for this, and maybe it was John or Mike that mentioned it a few minutes ago is the source code review use case, and we’ve done half a dozen of these now in the last year for global technology companies with patents at issue. In the beginning, people couldn’t fly and then people wouldn’t fly, and getting a much sought-after expert, of which there may only be a few in the world to get on a plane, is not likely to happen, and cost, frankly, is not really a consideration either, given the values that are stake in some of the patent litigation.
So, the ability to take the client’s extremely valuable IP and make it available for expert review, in this context, was an important use case for us, and I think demonstrates the trust that we’ve put into that approach.
And just talking about source code review, in years past, that was giving the source code in the locked briefcase on a hard drive, and then you load it onto a laptop with no network connectivity, and then you allow somebody to sit in the seat with three other people observing to make sure that they’re not copying down any of that code. I remember those days.
Todd L. Mattson
It is definitely a great leap forward for that type of work, and it’s a great vehicle and platform for doing that sort of work.
Stemming from that, Mike, do you want to talk about the privacy concerns and dealing with the privacy nature of the data?
Sure, definitely data privacy is so important. As a data processor in different capacities, just using a broad definition, in the EU, the UK, and in the US, there are different things we need to be compliant with and different workflows we take very seriously. A large portion of HaystackID’s practice has very much solely evolved into being a data protection organization. At our core, we always tell our clients we’re a data security company, but also using technology to help us in that mission as well, and also advising many clients on best practices to manage their privacy obligations, which certainly, from a confidentiality standpoint, we need to make sure we’re doing the best job. That’s where, again, many of the features of the SecureReview and our remote review environment allow us to work in that vein.
Yes, and so, I think the key thing here is we’re talking about privacy by design, we’re talking about integrated security. From there, I will leverage Jordan to talk about the human factor of all of this, the human endpoint security, the biometrics, and getting into that end of it.
Yes, absolutely. Thanks, John. So, these are just layers of security that increase the overall security posture of the distributed environment, in this case, it’s being used for remote review. So, at the endpoint, when we enable biometric security, we are ensuring that the likeness of the person registered to use the PC is in front of the PC for the duration of the secure session, and the parameters of what in front of the PC means can be configured. You may want to allow the user to be in front of the PC, or perhaps move around for a period of 15 seconds or 30 seconds, 60 seconds, etc., so you can change the boundary of that, as well as perhaps determine how far from the PC in relative terms you would need the user to be. Maybe you want them to be directly in front of the PC rather than standing across the room, for example, and unlocking the screen. So, we have full control over how we want to unlock the PC.
But again, it’s not the only way for the user… in fact, this is not used for the user to actually authenticate to the underlying systems in the review, it’s just to control the endpoint.
And I also want to mention one point that been raised often by the reviewers themselves in terms of privacy and the privacy of the reviewers is that this is done without sending any information, there’s no video streaming captured, it doesn’t go out to the internet. The identification of the user is happening only between the user’s PC, the webcam, and the SessionGuardian endpoint software running on their PC. So, we never capture or take pictures of anything for the privacy concerns of the users.
I think that’s a great segue into the current slide that’s up, which is actually, what are the different layers of how this works. And so, we have that terminal security layer, then you have the platform security layer and the actual session layer, and then your kind of support layer. Can you just talk a little bit about the multiple layers?
Yes, absolutely. If we take a look at the layers, so we have – we want to ensure that the PC is the authorized PC that the user needs to log in from. We can ensure that the user is logging in from the appropriate IP address, so that’s the second layer of security. We can ensure, of course, that the user is the correct user in front of the PC, and that’s already a third layer of security. We can do environmental checks on the PC to make sure that it’s safe at that point in time to log in, so that’s the fourth layer of security. And all of this happens before the user has even logged in to their virtual review environment to start the review. So, they log in to that virtual environment, and that’s the fifth layer of security. Maybe there’s multi-factor authentication turned on, and that’s already a sixth layer of security. And finally, by the time they log in to the review database, all of these layers of security, stacked together, provide an extremely robust security posture in a remote environment.
Yes, I agree with you completely. That is a major concern for me here at HaystackID as providing these services to our clients. Todd, do you want to speak a little bit about the benefits or the values of the security layers from a consumer perspective?
Todd L. Mattson
Sure, rather than go through it all, it allows me and my team here to sleep better knowing that the multilayer approach has been adopted by a number of leading document review shops. And the one point that I’ll – I guess I’ll amplify this last element on the slide, the review support security… this goes back to my pitch for heavy use of email as a collaborative tool and the other in-the-project infrastructure tools.
And a quick point about this surveillance question, and I think it’s an important one, but I think that… we make a big deal out of making sure that our document review attorneys, whether they’re on staff or contractors understand that the camera on the monitor is not all on, it’s not recording any video, it’s there… a digital map of your face is taken, kind of like the way an iPhone works and then that’s compared. So, your computer is not spying on you and… except in the context of the source code review application use case, where I’ll point out that we were able to integrate secondary cameras into the system, and actually, with WebEx or Zoom running in parallel integrated into the review stuff, we were able to do proctoring, bringing back this… getting us as close as we can get to the old-style source code review. But, by and large, we’re kind of anti-surveillance about this stuff.
Yes, and I think Jordan summed it best in that the biometrics, the camera looking at you and identifying you, those elements are staying on the local endpoint, they’re not getting pushed out to the internet, which I think is a key factor for the confidence of the contractors that you’re pulling in to these reviews, because you’re going to have challenges if you start telling the contractors, ‘yes, so we’re doing 24/7 video recording of you an audio recording of you and that’s all getting streamed out to our server and our security team at the company is sitting there scanning through all that, those sorts of things get kind of scary. It’s really important to understand that those layers are very specific to the needs and the scenario, again, that matter-specific profile that’s required based on each individual case.
I think that gets us through our primary content here, but what’s on the horizon, what’s next, where do we go from 2021 and COVID hopefully starting to wind down. Where do we go next? I’ll just kind of go around the horn for that. Jordan, do you want to jump in first?
Yes, certainly. So, the feedback that we’ve gotten from the industry is there will be a mix of distributed workforce and on-prem workforce for the foreseeable future, and so from a SecureReview perspective, we will continue evolving the product and integrating with processes to help support businesses in this distributed environment. And now that we all, in the industry, have demonstrated that we can provide a secure solution, what was once taboo on sensitive projects, I think, has really opened up a lot of opportunity in terms of being able to source the right talents in the right geography, or perhaps for the right cost and staff projects quickly. So, we’re very excited for the future and would like to say that COVID, in some way, has just accelerated what was going to happen, accelerated the future.
I definitely would agree with the acceleration. Todd, do you want to jump in?
Todd L. Mattson
Well, sure, I’m not sure my crystal ball is any better than anybody else’s here. Look, I think, we’re in this mode for a while yet until everybody is vaccinated around the world, I think. But you made a point, John, about the economics that start to come into play as we move forward. I think we will definitely have projects where we want to get all the folks working on the documents together in one room. That’s going to happen. And yet, I think that because we can now draw from a broader pool of candidates, a broader pool of talent, ignoring geography, essentially, I think it will ultimately affect the economics of this and document reviews… so often, the price of a contract review vacillates widely within small geographic areas. Washington DC gets hot, and the prices go through the roof. I think that going forward as we allow for projects to continue to have remote reviewers, remote work, some of that will have a mitigating effect on the swings in the market and the number of contract attorneys we can pull into projects, high-quality folks who, frankly, don’t want to commute. They don’t want to commute and sit in a big room with a bunch of other people.
And so, I’m optimistic that this is going to provide some good operational benefits for both consumers of these services and the individual lawyers that are providing these services.
Yes, most definitely. Mike.
Yes, I would completely agree with what Todd just said. I do think that – and something that we’re really championing with our clients prior to COVID is the price fluctuations going market to market, especially in Washington DC where you start to see C-level folks from other vendors posting ads on LinkedIn trying to get first level reviewers could be extreme, and the quality issues in a constrained market as far as really being only able to staff sometimes bottom barrel people, I don’t see that ever coming back to the industry. I think that certainly there will be those projects where it’s great to have everybody in the same room, but I also think technology will continue to evolve to facilitate getting people, figuratively, in the same room through more tactile video conferencing, larger screens, better ways to drop in and drop out, like collaborations as far as groups working in an office or in a review facility with other players who might be remote, working from home. I think the connection points, as far as the ability to be seen and be heard and to drop in and out of those, I think are going to continue to become better. Teams, the video conferencing platform suite has come a long way in a few months, I don’t think any of these platforms are that great. I think there’s a long way to go, as far as virtual whiteboards and things like that and better ways to build a presence in a room to facilitate that collaboration. So, I think we’re going to see more there as well, and I can tell you that in the legal industry too, clients typically want their best people to work longer and harder hours, and I don’t think that’s going away. Having a mechanism, I think, as a remote reviewer, just anybody doing work on secure projects where you can do some of that work from home, those levels of productivity that we’ve all come to expect probably isn’t going to go away.
So, I think remote is definitely here to stay.
Yes, I definitely agree, and I think that it’s a risk-based assessment situation. Now, that this technology has continued to evolve and deliver further advances, you’re really allowed to assess and defray what my risk is in this matter. Is there a risk that I have confidential information that might get leaked, or is there a risk that we have source code that could cause intellectual harm to an organization if someone were to get segments of it, whether through acquisition in use or through reverse engineering to target a platform? As we all know, cybersecurity incidents are growing rapidly and they’re becoming much more targeted, and organizations that are perpetrating these attacks are getting much more focused and specific and looking into getting as much information about an organization as they can to take their attack approach.
But I appreciate everybody here on the panel today, thank you so much for sharing all your thoughts. From there, I’ll turn it back over to Rob.
Thank you very much, John, and thanks to the entire team for the excellent and relevant information and insight. And additionally, we want to thank all of you who took time out of your schedule to attend today’s webcast. We know how valuable your time is and we always appreciate you sharing it with us.
Again, thank you so much for attending today. And this formally concludes today’s webcast.
***Covington & Burling LLP
CLICK HERE TO DOWNLOAD THE PRESENTATION SLIDES