With the launch of Bento Security we have been moving our IT/IS clients to an organized and proactive effort to manage cybersecurity risks. Vendor Supply Chain Risk Management was one key area of focus with the introduction of Bento Trust Rating as a guide for helping our clients understand their own suppliers. While the rating system is covered elsewhere (Part 1, Part 2, Part 3), this post is about the application of that process. Two years ago we published a deep dive into Filevine legal case management software and their security posture. Today, we are updating that assessment because Filevine has become a leader in security posture in the legal case management software and legal technology space.
As law firms continue rapid adoption of software-as-a-service offerings, they are struggling with information security. According to Information Security Management Approaching Singularity, many firms are on a collision course with rapidly rising technology costs, the decimation of IT services by Big Tech, and the cost and availability of cybersecurity insurance. Leaders in this space include vendors that encourage their clients to adopt better practices and modernize their information technology.
The previous examination of Filevine was through a narrow scope: we had clients starting data conversions from on-premise software. The resulting assessment offered a surface view of the company, the product, and the process. Today we have multiple customers as data points and a methodical process within the Bento Cyber Security Framework that directs how to conduct assessments and standardizes the outcomes.
Company Profile
Founded in 2014, Filevine is a private American company based in Salt Lake City, Utah. Filevine’s team has grown rapidly over the past several months as they have worked through an onboarding and development backlog. This has created a fast-paced environment which attracts engineering talent. Private funding, now exceeding $226 million, has offered a space for high employee satisfaction and a modern work culture.
Filevine’s last two years, from our perspective, are marked by optimization and a commitment to redefine their cybersecurity posture and develop a strong security culture. The first piece of evidence to support that came from a conversation we had with Dean Sapp, Filevine’s VP of Information Security and Data Protection Officer (DPO), responsible for internal IT functions, compliance, and privacy. Dean offered an unguarded and candid look at Filevine operations, security, and product. In our view, this is a significant paradigm shift, as we witnessed Filevine open doors to scrutiny and demonstrate their security assurance efforts.
Filevine is built on Amazon Web Services and completed an AWS Well-Architected review in 2020. Coupled with hiring certified AWS Solutions Architects, the company has been able to leverage AWS resources well and implement secure design into their software. This enables Filevine to offer solutions at a competitive price-point, with rapid development, and predictable resiliency.
Perhaps one of the most significant advances is the formation of a DevSecOps team dedicated to finding, fixing, and rapidly resolving vulnerabilities and issues. Combined with exhaustive penetration testing, Filevine is capable of making serious claims about their application’s design and capabilities and supporting them with findings from qualified third parties.
Ultimately, third-party attestation and examination is the crux of any security assurance initiative, and Filevine has risen to the mark by successfully completing SOC 2 Type 2 + HIPAA examinations covering all five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. While this is the key ingredient we look for from any service provider, Filevine exceeded our expectations by also offering evidence of successful Criminal Justice Information Services (CJIS) audits, designed to ensure data security for law enforcement and conducted by the FBI.
In other words, from leadership through third-party attestation, Filevine has demonstrated security-at-the-core culture. While Dean’s disclosure was prefaced by saying their attack surface is broad and Filevine attempts to balance shared public disclosure with internal interests, we think that he may have downplayed the willingness to open Filevine to criticism. We see a clear and traceable commitment to operational excellence.
Digital Footprint
Filevine’s digital footprint has grown substantially since the last review, but more important to us is the support for continuous improvement. The Filevine Security Disclosure is clear, concise, and verifiable. Filevine has removed references to things we historically referred to as “puffery” and replaced them with meaningful content that defines the security approach. In our previous review we used PaperCut as a model for excellent security disclosures; today we use Filevine.
Filevine’s support resources maintain the same voice and tone. Information is direct, easy to find, and covers many subjects. Part of our review is a focus on system status and incident disclosures, and this is the only place our research team found a misconfiguration: an orphaned status page powered by GitLab. While it may represent a lapse in change management process, it ultimately only goes to show that Filevine was experimenting with better ways to communicate status information with their clients. The practical risk of a stale page that still resolves is that a firm checking service health during an outage may read the wrong page, so firms should confirm the canonical status page with Filevine support and bookmark only that one. We reached out to Filevine and advised them of the issue before this piece was published. Overall, the support documentation was better than before, leaves room for improvement, and shows progress in a positive direction.
We were most interested in support resources related to security within the product. The first result was the “How Filevine Approaches Security” whitepaper. Security whitepapers are something our research team takes extra measures to review and scrutinize, and this was the one area where we had a minor issue. Specifically, the whitepaper page did not list this paper, and the Support Portal linked to a 2020 copy. We had acquired a revised 2021 edition from Filevine, so ultimately this was an inconvenience, but not a concern.
It was refreshing to see references in the revised whitepaper to ABA Model Rule 1.6, which we use repeatedly to describe responsibility of lawyers for cybersecurity management, and perhaps more refreshing was the alignment of the whitepaper, the support documents, the practices, and ultimately the third-party examination with these principles.
ABA Model Rule 1.6 charges all lawyers with the responsibility to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The ABA Standing Committee on Ethics and Professional Responsibility has further stated that lawyers must “understand technologies that are being used to deliver legal services to their clients [and] use and maintain those technologies in a manner that will reasonably safeguard property and information that has been entrusted to the lawyer.”
Overall, whitepapers are partly informational and partly designed to promulgate a product or service, so this document was met with the same expectations, criticisms, and praise as before. Despite the dual purpose, content is verifiable and seems genuine to our research team.
The more important document to our vendor review process is the Filevine SOC 2 Type 2 Report, which we requested, signed an NDA for, and acquired in a simple and efficient process. Our NDA precludes us from discussing it further, but we encourage every law firm looking to transition to SaaS-based case management software to request it from their team. Suffice it to say that Filevine has made a concerted effort to prioritize information security, data privacy, and compliance initiatives across their product portfolio.
Major differences from our review two years ago included a clear and decisive emphasis on two-factor authentication and availability of audit reporting with the help of existing capabilities, paid add-ons, and a powerful API.
Service Level Agreement
The Filevine Subscription Agreement sets an impressive 99.5% uptime guarantee measured over the course of each calendar month during the “term”, except for: (a) scheduled maintenance; (b) unplanned downtime or (c) any unavailability caused by circumstances beyond Filevine’s reasonable control, including without limitation, acts of God, acts of government, floods, fires, earthquakes, pandemics, civil unrest, acts of terror, strikes or other labor problems, Internet or other cloud service provider failures or delays, or denial of service attacks. While ambitious, the exclusion of “unplanned downtime” is somewhat of a quagmire which our research team noted, but did not follow up on. The internal remark was that if the SLA excludes planned (maintenance) and unplanned downtime, what else is there? Realistically, downtime is downtime whatever its contractual label, and planning for it is the responsibility of the customer. Taken at face value, 99.5% over a 30-day month still permits roughly 3.6 hours of unavailability before the guarantee is breached. If Filevine is a materially significant asset to production, then it is up to the individual firm to design a mitigation strategy based on the 99.5% promise.
Warranties are within industry standards and state that “Filevine warrants that the Filevine Service will function in substantial accordance with its written specifications and Documentation. In addition, Filevine warrants that any data migration services will be provided in a professional and workmanlike manner. In the event of a breach of Filevine’s warranty of this Section 8.1, Filevine agrees to use commercially reasonable efforts to cause the Filevine Service to function in substantial accordance with its specifications and Documentation and/or to re-perform the data migration services, as applicable.” Ultimately, the warranty boils down to trust and resources, and we see no reason why either should be a concern.
Product Design
At this stage of the vendor review our team focuses on the functional and practical aspects of product design. For the most part, Filevine has all the capabilities we would expect out of a SaaS application, such as:
- Authentication: Filevine supports internal authentication and offers limited SAML capabilities, with a roadmap suggesting future expansion.
- Access Control: Filevine uses role-based access control and enables custom group assignment.
- Backup/Export: Filevine’s data structure is unique to each firm, making portability a disclosed challenge. However, exports are possible and Filevine offers a paid Bulk Export add-on to further enable firms to backup and maintain offsite data to firm-owned Amazon S3 storage.
- Security Configuration: Filevine’s audit trail logs changes to configuration.
- Audit Trail, Activity Logging, and Activity Monitoring: Filevine logs over 300 unique events for review by system and security admins.
Data import (migration) and export remains a challenge. Each tenant is configured for the unique needs of a firm, and thus the data structure design is unique. This means there is no straightforward capability to bring data in, or send it out to another product. Increasingly, however, Filevine has put resources and innovation into this effort by offering additional services including express migrations for certain smaller firms, third-party migration support, and expedited processing.
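Because the Bulk Export add-on writes to firm-owned Amazon S3 storage, hardening that destination is the firm’s job, not Filevine’s. The Terraform below is an added example, not Filevine’s code or documentation; the bucket name `examplefirm-filevine-export` and the firm-managed KMS key are assumptions, and it says nothing about how the add-on is granted write access, which this page does not describe. It shows the firm-side controls a practitioner would want on any backup destination: versioning so an overwritten or deleted export can be recovered, default KMS encryption, a public-access block, a bucket policy that rejects non-TLS requests, and a lifecycle rule that retains noncurrent versions for 90 days.

```hcl
# Added example (not Filevine's): firm-side hardening of the S3 bucket
# that receives Bulk Export data. Bucket name and key are assumptions.

resource "aws_kms_key" "export" {
  description         = "Firm-managed key for case-file exports (assumed)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "export" {
  bucket = "examplefirm-filevine-export" # assumed name
}

# Versioning keeps prior copies, so a bad export or a deletion by a
# compromised writer credential does not destroy the only backup.
resource "aws_s3_bucket_versioning" "export" {
  bucket = aws_s3_bucket.export.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Encrypt everything at rest with the firm's key by default, so the
# exporter does not have to remember to ask for it per object.
resource "aws_s3_bucket_server_side_encryption_configuration" "export" {
  bucket = aws_s3_bucket.export.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.export.arn
    }
    bucket_key_enabled = true
  }
}

# No ACL or policy can ever make this bucket public.
resource "aws_s3_bucket_public_access_block" "export" {
  bucket                  = aws_s3_bucket.export.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Refuse any request that does not arrive over TLS.
data "aws_iam_policy_document" "export" {
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.export.arn, "${aws_s3_bucket.export.arn}/*"]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "export" {
  bucket = aws_s3_bucket.export.id
  policy = data.aws_iam_policy_document.export.json
}

# Keep superseded versions for 90 days (assumed retention), then expire
# them; the empty filter applies the rule to every object.
resource "aws_s3_bucket_lifecycle_configuration" "export" {
  bucket     = aws_s3_bucket.export.id
  depends_on = [aws_s3_bucket_versioning.export]
  rule {
    id     = "retain-noncurrent-versions"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
  }
}
```

After `terraform apply`, the settings can be confirmed from the firm’s own account with `aws s3api get-bucket-versioning --bucket examplefirm-filevine-export` and `aws s3api get-bucket-encryption --bucket examplefirm-filevine-export`; whatever principal the add-on uses should then be limited to writing objects, never to deleting versions or changing bucket configuration.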
Risk Assessment
At this stage our team established that Filevine’s operations reduce risk relative to firms running on-premise case management software. The information we gathered in our research suggests that Filevine has ample data protections to safeguard the confidentiality of information from unauthorized access, a sufficient auditing and logging trail to forensically review and respond to integrity issues, and sufficiently designed infrastructure to support a 99.5% availability promise. While each firm must make its own decision, it is our belief that Filevine purports to be a “leader in legal technology” and acts in a way that supports this claim.
Based on our five-point review, the only recommendation we can make to Filevine indirectly is to continue applying pressure to develop technical documentation. Having worked with exceptional technical writers and seeing the product that such efforts yield, we believe that there is more to be done on that front.
When law firms ask our team “is Filevine secure?” we will answer it with confidence, in the same manner we would about any other SaaS solution. First, we will recoil at the question. Second, we will attempt to explain the impossibility of that question and the frustration that comes with it being asked. Finally, we will point them to Bento Assurance HQ and show them the vendor assessment and this blog as a justification.