Have you ever thought to yourself “How can our eDiscovery practice tie in with our company’s cybersecurity goals?”
Chances are, that thought hasn’t occurred to you. Even if it has, there are likely people on both sides—eDiscovery and cybersecurity—who don’t even know the other side exists, which complicates any effort you make in that direction. That perception doesn’t make any sense; after all, both sides deal with data, huge amounts of it, and are both unavoidably critical business functions in today’s corporate environment.
Very often, this schism is a product of politics and outdated modes of thinking. Legal professionals (eDiscovery) and techies (cybersecurity) draw lines of demarcation around their respective goals and responsibilities, and they defend them more vigorously than common sense would dictate.
Some companies are coming around to a more holistic and strategic approach, bringing these two and other business units to the table to answer the organization’s business problems, but progress takes time.
For now, let’s focus on one piece of the puzzle—exporting data to third parties.
Standard eDiscovery Practice
Many organizations are guided by the eDiscovery Reference Model (EDRM), and for good reason—it formalizes the process of managing data from proactive governance through to legal presentation. Very often, responsibility for each of those stages is handed over to specialist vendors: companies that do a very good job at one or two areas of the EDRM and, when viewed as groups, are considered industry standards.
That sounds good, right? After all, there shouldn’t be anything intrinsically wrong about handing relevant information—whatever the legal need is—to a trusted vendor (or vendors) to meet your legal obligations. Everyone else is doing it, so why shouldn’t you?
Limiting your Attack Vectors
In cybersecurity, you’ll often hear the phrase ‘attack vectors’ muttered, often preceded by ‘too many’ or ‘unexpected.’ Attack vectors are the ways an enemy can gain access to, exploit, and/or destroy your information.
The villainous character Vizzini summed it up best in the classic movie The Princess Bride:
“You fool! You fell victim to one of the classic blunders – the most famous of which is ‘never get involved in a land war in Asia.’”
Why is that? Asia is a huge landmass that gives an opposing army a great many ‘attack vectors’ from which to conduct operations against you. Think about limiting attack vectors against your organization as a way of fighting with a mountain to your back and an impassable river on your flank—if the enemy only has two ways to reach you, you don’t need to pay attention to what’s behind or off to one side.
Shrinking the eDiscovery Attack Vector
Going back to our eDiscovery focus, think about how you’re treating your data in response to a legal matter. You’re gathering up a tidy package of bits and bytes, many of which contain customer information, sensitive communications, intellectual property, financial records, and more, and you’re sending it off to at least one third-party vendor.
At this point, can you confidently say your data is safe? Are you certain it wasn’t intercepted in transit, despite all your precautions? What about the platform or storage service it’s being placed in? Is that locked up nice and tight, or is there a vulnerability just waiting for the right attacker to exploit?
The fact is, anytime you send data outside of your environment, you can’t say for sure that it’s protected from misuse. All you can do is request assurances from your vendor(s) that everything is protected the way it should be. And, chances are, if you’re using a reputable service or solution, there’s nothing to worry about.
But there are no guarantees, and you might not find out about a breach for weeks or months after the fact.
By comparison, you can significantly reduce the amount of information you send to third parties by conducting thorough early case assessment of the data set before it goes out the door. Instead of depending on external parties or services to work through massive case volumes, you can subject those initial collections of evidence to review by your internal teams using Nuix to deduplicate, cull, and limit the information you export—and ultimately lose control of—collaboratively and securely, all within your own infrastructure.