Meets or exceeds industry security standards
We consider the security needs of our clients a high priority.
As the legal services industry changes to meet the requirements of the collection industry security standards…
- Your documents are secure on our closed digital transfer cloud.
- Hard copies of papers are secure in field agent vehicles following our security protocols.
- Photos with GPS data including embedded attempt dates and times are available to all clients.
What does compliance mean for the legal industry and, specifically, for process servers?
The official definition is: Conformity in fulfilling official requirements. For process service companies this would translate as implementing and conforming to a set of guidelines that enhance vendor management and protection of consumer personal data.
Compliance started with a series of events that happened within banks and financial institutions. These events snowballed into serious regulations put in place to protect consumers, in the form of Compliance Requirements of Financial Institutions. After the banks were regulated, the focus shifted to lawyers, who are required to sign service-level requirements that include having a vendor management program in place. That’s where process servers come in. It basically comes down to protecting personal data and making sure there aren’t any security issues.
Why compliance for process servers?
Why are they being asked about what type of compliance management exists within their companies?
As the financial institutions were forced to regulate with a strict set of compliance guidelines, banks passed along compliance guidelines to law firms, which in turn forced the firms to request the same from their 3rd party vendors. This trickle-down effect is managed through vendor management policies and procedures. 3rd party vendors must adhere to compliance guidelines and now require some of the same compliance requirements of their vendors (4th party vendors or the companies we forward papers to). This is why it’s important to understand that the compliance vetting process is used to determine if a company has adequate policies and procedures.
When your clients ask for things, it might seem like they’re being picky, asking too much, or overly interested in your processes, but it’s really because their clients are requiring it. In reality, they’re just trying to conduct business and make sure their vendors have processes in place that protect data. Clients are asking attorneys, attorneys are asking us, and now we’re asking our vendors for that and sending compliance packets to our vendors.
We’re not talking about the nice things to have, like GPS data, timestamps, and transparency. We’re talking about having policies in place that are going to be adhered to strictly. If you look at compliance and maintaining a Compliance Management System (CMS), it’s going to affect how you train your employees, and it’s going to need constant updates.
What types of clients and jurisdictions require some level of compliance?
It’s mostly happening in areas where attorneys practice in some kind of debt collection. Those are the hot areas right now, but law firms across the board in default and mortgage and other areas are moving forward with these types of issues. It’s definitely not going away any time soon.
Part of this is because law firms are under such tremendous scrutiny, and these requests aren’t coming from them specifically. According to numbers from a recent American Bar Association event, 80% of the largest law firms have been breached or hacked since 2011. Lawyers don’t have the luxury of working with their favorite process servers or the person who dropped off donuts last week, not anymore. Now they’re requiring contracts, performing risk assessments, and spending an enormous amount of time and money making sure their vendors are compliant. Much like what happened with the banks, when it levels out for attorneys, the focus will turn to process servers and other 3rd and 4th party vendors.
Are there standards in compliance?
No. There are currently no set standards for compliance. Each bank has its own set of standards. This is the biggest hurdle and source of frustration for the law firms and vendors alike.
If no standards exist, where will they come from?
Ultimately the standard will be set by the financial community and not by a particular agency. Fannie/Freddie does influence a large portion of the requirements; however, 3rd and 4th party vendors will see conformity trickle down once the law firms see standard requirements from financial institutions. In the interim there is a core compliance concept emerging around security (securing personal data) and vendor management policies.
Can we start to create our own standards as an industry and self-regulate, or are there too many unknowns at this point?
Yes. We can set our own core compliance standards within the industry and within our own companies. That’s why it’s important to have some core policies in place.
What is a Compliance Management System?
A Compliance Management System, or CMS, is a core group of compliance policies and the method in which those policies are implemented, reviewed and adhered to during the course of business. I created our CMS based upon a consistent series of questions that continued to emerge during the vetting process with law firms.
What elements does a Compliance Management System impact?
Your CMS will impact nearly everything, including…
- Physical Office
- Security and Access
- Records Management and Databases
- Physical Document Storage
- Training and Hiring
- 4th Party Vendor Relationships
What can I do to get started?
There are many things you can do to start building your own CMS. First and foremost, take note of the questions your clients ask most frequently and of the security and IT requests you receive. Start with a small, basic plan and move forward from there. Below is a checklist of items to consider when putting together your CMS.
- Document a protocol for securing your work space, whether it’s in your home or a commercial space.
- Make sure your office entrance is secure and access is limited
- Limit access to areas where physical records are stored
- Put together a sign in procedure that includes dates, times, and names of visitors
- Create a laptop acceptable use policy
- Make sure computers are password protected, have attempt limits, and lock after a period of idleness
- All computers should be password protected and the screen should lock after a set number of minutes of being idle.
- Passwords should be changed every few months and after an employee leaves
- Create a smartphone policy
- Make sure your vendors and employees know what information they can and cannot share
- Use a secure database platform that allows you to access your information from any machine
- Choose software that takes the IT stuff off your hands, doesn’t require you to do backups, and has strong permission settings
- Have a record maintenance policy that outlines how long you keep records and how you dispose of them
- Document a protocol for document security for both physical and digital storage, including security of documents in the field and disposal
- Outline for how long you will maintain physical records, how they are stored, and how they are disposed of
- Secure legal documents within a locked file system any time you are moving them or taking them outside of the office
- Shred sensitive documents before disposing of them
- Conduct background checks, drug screening, and extensive training on all new and current employees
- Put together compliance packets to distribute to 4th party vendors and conduct audits to ensure they meet your standards
- Conduct background checks on all vendors and distribute a code of conduct for process servers
- Get Errors & Omissions Insurance
- Create contingency plans for when things go wrong (e.g. internet outage, natural disaster, systems down)
- Document a Business Continuity Plan: what will you do in the first 24 hours of a natural disaster? Print employee and client information. Plan offsite work space.
- Start to document these policies and procedures and make it part of your training process
- If you are compromised in some way, don’t hide it! Immediately contact those that need to know and have this process documented as well.
It’s also important to train servers so that they aren’t violating rules in what they can and cannot say.
Small one- and two-person shops can start by analyzing their current practices and making sure they have insurance and have contact info printed out somewhere in case the internet goes down, so they are not left unable to operate without their hard drive or an internet connection. You need to be able to pick up on the fly and be able to stay in touch and operate if an internet outage or a disaster happens. As you add employees, make sure you have a code of conduct or best practices.
What has being compliant done for your ability to sell to new customers?
Without compliance policies and procedures in place, we would not be able to onboard any new clients in the default sector. Going through this process helped us implement sound, sustainable business practices.