Implementing best practices can reduce your e-discovery information security-related risks.
Consider this hypothetical: it's nine thirty on a Thursday night. Your cell phone rings. On the phone is your biggest client, a chemical manufacturer, claiming their confidential data has been breached. The formula for the company's most valuable product has just been posted publicly online, along with thousands of other documents, including pricing information and employee compensation data. Even worse, the client's IT department is sure the leaked data came from your law firm.
Over the next several hours as you scramble to understand the issues, details emerge about the breach. The perpetrator is a disgruntled employee who has recently been let go. He downloaded all the “hot docs” from a recent litigation, from the firm's e-discovery hosting platform, and he posted a link to them on your file transfer protocol (FTP) site. Nobody turned off the employee's access to the review platform or the FTP site after he was terminated. And just to put a cherry on top, he also posted an internal firm memorandum describing the merits of your biggest case with the company, along with some exciting emails between your client's CFO and her husband. Just the sort of thing that makes a breach even more enticing for the blogosphere and Twitter. Your firm is now front-page news in the worst way.
What could have prevented this catastrophe? You thought you checked all the boxes that you were supposed to check. There is a security team in place and hundreds of thousands of dollars spent on firewalls and antivirus software and consultants and certifications.
Was any of that effort worth it?
The truth is, certifications and sophisticated technology are absolutely necessary, but they are not always enough. What follows here are helpful tips and best practices for securing data over the course of the e-discovery lifecycle, broken down into ten categories. These tips can help prevent a breach similar to the one described above, or via the countless other ways in which security incidents occur, such as hacking, natural disasters, or accidental disclosures. Whether you are in-house counsel or work on behalf of clients at a law firm, these steps are worth considering.
Access Control and Separation of Duties
Controlling and limiting access and separating duties are some of the most important things that you can do to secure your organization. It is tempting to let all of your e-discovery staff administer data-hosting platforms as a cohesive group. This creates efficiency, and in the case of “provisioning,” which is the process for setting up employee access to business systems such as user access to a data-hosting platform, it prevents a bottleneck and ensures that busy attorneys who need immediate access to the platform are set up quickly. Not so fast! A small team should be cordoned off to limit who can set up access for others. This is the recommended practice not only because a smaller team is easier to control and monitor, but also because it separates their duties from their colleagues', eliminating any conflicts of interest between security and the needs of the litigation. For example, if a technical project manager who is trying to get a production out the door can also add external users to your FTP site, he or she might go ahead and do it to speed up the process. But if the project manager has not received adequate training, he or she might accidentally give the new users access to another client's data.
Our guess is that if you ask your IT administrators, they are already separating user access tasks to a different role in the firm's core systems. Are you ensuring the same is true for your firm's e-discovery platforms? We recommend that you have a small team manage this role, perhaps two or three employees who are ready to handle the demands of managing user access and permissions requests on nights and weekends. This team would also configure intra-workspace permissions and assist with permissions-related setup as well as audit activities.
Human Resource Controls
Most law firms and large corporations already perform background checks. But do the agencies who hire your contract reviewers and temps on the technical team do the same? Are the employees at your data center or e-discovery processing and hosting vendors subject to the same level of scrutiny? In an era in which third-party management is increasingly important to good, overall security management, it would be prudent to ask these questions. It is a good idea to audit your vendors in this area at least once a year, requesting evidence from a random sample set of contract employees that includes background checks that are no more than six months old. Background checks should include any negative reports from state bars to ensure, for instance, that a contract attorney who was sanctioned for embezzling from clients is not performing document review on a banking client's loan files. Consider updating your third-party security questionnaires and contracts to align as closely as possible with your own Human Resource Department standards.
Management Involvement and Information Security Organization
Involving management in information security organization is an important practice to apply to your own organization as well as those with whom you partner. A good information security program starts with buy-in from the C-suite. There are other ways in addition to audits to identify companies that make this a priority. Simply speaking with executives about their information security management system and their company's overall approach to security is a great start. Additional reinforcement can come through assessing an organization's staff, with a primary focus on security and ensuring that those staff have appropriate levels of responsibility, training, and certifications. Your instincts are valuable here. If you get the feeling that your pointed questions about security are being sidestepped or met with vague answers, don't take the risk. Find a discovery provider that is confident in its information security and can back up that confidence with appropriate certifications and personnel.
Encouraging education and awareness at your own organization is a good way to demonstrate to staff that security is paramount. Have firm management actively participate in discussions about security best practices, and as part of that discussion, highlight security awareness items such as phishing and good password management. Your firm can also send regular security bulletins with helpful reminders, policy updates, and educational resources. Importantly, those bulletins should come from the management of the firm, not just the “security team” or IT department.
Encryption
You may have seen a few electronically stored information (ESI) protocols or court orders that mention encryption “at rest” and “in transit” when discussing information security. Discovery vendors also use these terms to describe how their data is stored. Answers to questions about these terms usually speak to how a company deploys encryption in its core systems, network configurations, and storage. As you know from experience, no litigation or related e-discovery is 100 percent standardized. Encryption policies become hard to enforce given the variations in e-discovery workflow, especially when it comes to the different methods used to transfer data. For example, circumstances may arise that require the use of different FTP software, or different compression software that will have its own unfamiliar encryption methods. Some clients (and some opposing counsel) may take issue with data encryption methods, claiming they do not have the ability to meet the requested standards. By training your attorneys to loop in the security team, a solution that works for all parties is generally attainable, and one that protects both client data and your law firm.
Training is a great way to ensure your workforce remains aligned with your encryption policy when carrying out these nonstandard tasks. Periodically remind the team to be on the lookout for situations where data will move through a new path or land in a new location and ask for assistance and approval from the security team. Additionally, you can poll your workforce, asking them to highlight any new or nonstandard processes they have encountered in the past that occur often enough to necessitate new procedures. This survey can be incorporated into a yearly procedure review.
Backups and Business Continuity
Backups and continuity can be difficult to keep up with, partly because there are so many different solutions available. Take a results-based approach to analyzing different service providers, specifically asking about “recovery point objective” and “recovery time objective.” “Recovery point objective,” or “RPO,” refers to how far back in time you will have to go after restoring the latest available backup, or roughly speaking, how often your data is backed up. “Recovery time objective,” or “RTO,” refers to the maximum acceptable amount of downtime after an outage. We recommend asking about each specific service and system separately, since some may be considered nonessential and, therefore, won't necessarily fall under the advertised RPO and RTO. Presenting questions in the form of hypotheticals can be helpful to flesh out the true implications of a given setup. For example: “If flooding destroys your primary data center, how long until services X, Y, and Z are completely available at the backup location?” Floods, fires, hurricanes, tornadoes, and countless other man-made or natural disasters can cause business continuity outages. If your discovery provider's server room gets flooded, you want to be sure your cases aren't affected. Deadlines still need to be met, and your California judge may not care that your servers are underwater in the Midwest. Ask these questions before the Mississippi overflows its banks, which will prevent a simultaneous rise in blood pressure at your law firm.
Physical and Environmental Security
Visiting your data center can be very informative, especially if it is not one of the major cloud providers (Amazon Web Services, Microsoft Azure, for instance). These visits shed light on the quality and seriousness of physical protections and any associated disaster recovery program. If you don't have a qualified security professional on staff, you can ask your auditor or consultants to come along to check out potential sites as part of your engagement with them.
Physical separation is important in case of natural disaster. It is always a good idea to ask the distance between the primary and backup locations. Fifty miles is generally seen as a minimum, although there are more sophisticated and useful ways to determine the right distance. Regional geographies differ and present different risks, so consulting with your security team and the provider is crucial to understanding the pros and cons of each location. In the Midwest, data centers hosting servers may have to worry about rivers rising, but the data centers there are generally safe from hurricanes. In western regions, servers may go down in the event of a wildfire, but data centers are not likely to have an EF5 tornado hit the building.
Scaling and Flexibility
If you took a course on information security, you would learn the three major areas of focus: confidentiality, availability, and integrity. Media and most clients and law firms traditionally focus on the confidentiality piece, and often do not consider the other two to be traditional “security.” But a loss of data is a loss of data, and one way to lose data is for your system to become unavailable due to a lack of resources. This can either happen due to a lack of available storage; a lack of working resources, such as data processing capacity (referred to as “data-processing throughput,” which is a measure of the information units that a system can process in a certain time frame); or a lack of worker agents or servers, to name a few.
Similar to business continuity measures, the available solutions in this area and their complexity provide an easy place for service providers to mask inadequacies. Asking hypothetical questions helps here, as well: “What's the biggest project you've had in your system to date, in terms of hosted size and number of records?” or “I understand our current configuration can process one terabyte per day, but what if I need to burst that to two terabytes for the next several days? How long until the system is ready with the extra capacity?”
Enlisting experts, whether outside auditors or in-house subject matter experts (SMEs), is always useful. In our experience, executive and legal teams are still important to this part of the process; it shouldn't be one or the other. You can ensure the tough questions get asked ahead of time and help prioritize accordingly. Your IT team can help vet potential discovery providers that have the capability to meet your firm's system demands and discuss potential expansion needs that may arise. Associates are also good at coming up with additional vetting questions. A smart associate will know that an East Coast firm will need answers before a West Coast provider may come online, which is generally around noon eastern time, and he or she would probably suggest asking a potential discovery vendor in which time zones the vendor's project managers and support staff work.
Ending a Case, Archiving, and Closing Accounts
The processes at the very end of a project or matter are somehow always among the most difficult to execute. Anyone involved in information governance can attest to this fact. It's as if the train arrives at the station (case settles), and everybody leaves their luggage (data) and jumps in an Uber. Many organizations handle their user accounts alongside the e-discovery data with which they're associated, but that may put you in a precarious position. Ensuring there is an onboarding and offboarding process for employees associated with your projects is an easy way to ensure users do not retain access to systems long after it is required, perhaps even after they have left the organization.
Generally, when multiple companies are involved, employee departures or other reasons for shutting down user accounts are not communicated well. Assuming another party will disable user accounts for those in your organization could get you in trouble; likewise, assuming other organizations will tell you when users leave can also get you in trouble. In addition to working with Human Resources to ensure your firm employees' access is removed immediately upon termination, you need to ensure that external user management also removes access as needed. Clients with access or different law firms are unlikely to let you know if one of their employees who has access to your review platform has been let go. Therefore, the best practice is to ensure that external user accounts are automatically disabled after a set amount of time. Internally, disable accounts as part of a regular process that is not tied to the associated data for a project. If a person's account is disabled, but he or she still requires access, the user management group can easily restore his or her access. Similarly, when reviews end, it is important to ensure your discovery provider is removing access for contract attorneys, in addition to having ongoing rules in place to ensure that contract attorneys are not accessing client data outside of review centers. This can be achieved by locking down contract attorney access to the review center's IP address.
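The offboarding rules above (external accounts disabled automatically after a set idle period, internal accounts reviewed on a schedule independent of any project's data, and contract reviewers confined to the review center's address range) can be checked mechanically against a user export from the review platform. The script below is an added example, not from the article or any vendor; the export fields, the firm domain, the idle thresholds and the review-center network are all assumptions, and the user records are constructed.

```python
"""Stale-access audit for an e-discovery review platform (added example).

Assumptions: the platform can export users with a role, last login time
(UTC) and last login IP; everyone outside FIRM_DOMAIN is external; the
review center's egress network is REVIEW_CENTER_NET.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

FIRM_DOMAIN = "examplefirm.test"          # assumed firm e-mail domain
EXTERNAL_IDLE_DAYS = 30                   # assumed "set amount of time"
INTERNAL_IDLE_DAYS = 90                   # assumed internal review cadence
REVIEW_CENTER_NET = ipaddress.ip_network("198.51.100.0/24")  # assumed
AUDIT_TIME = datetime(2024, 5, 3, tzinfo=timezone.utc)       # constructed

# Constructed sample of a platform user export (not real data).
USERS = [
    {"user": "jdoe@examplefirm.test", "role": "associate",
     "last_login": "2024-05-01T14:00:00Z", "last_ip": "203.0.113.7"},
    {"user": "former@examplefirm.test", "role": "project_manager",
     "last_login": "2024-01-10T09:30:00Z", "last_ip": "203.0.113.9"},
    {"user": "counsel@client.test", "role": "client",
     "last_login": "2024-03-15T11:00:00Z", "last_ip": "192.0.2.44"},
    {"user": "rev01@staffing.test", "role": "contract_reviewer",
     "last_login": "2024-05-02T08:15:00Z", "last_ip": "198.51.100.23"},
    {"user": "rev02@staffing.test", "role": "contract_reviewer",
     "last_login": "2024-05-02T22:40:00Z", "last_ip": "192.0.2.99"},
]


def is_external(user):
    """Anyone not on the firm's own domain (clients, co-counsel, agencies)."""
    return not user["user"].lower().endswith("@" + FIRM_DOMAIN)


def audit(users, now):
    """Return {user: [findings]} for every account that needs action."""
    findings = {}
    for u in users:
        issues = []
        last = datetime.strptime(u["last_login"], "%Y-%m-%dT%H:%M:%SZ")
        idle = now - last.replace(tzinfo=timezone.utc)
        # External accounts expire on a short clock; internal ones are
        # reviewed on a regular cycle that is independent of project data.
        limit = EXTERNAL_IDLE_DAYS if is_external(u) else INTERNAL_IDLE_DAYS
        if idle > timedelta(days=limit):
            issues.append(f"disable: idle {idle.days}d > {limit}d")
        # Contract reviewers may only reach the platform from the review center.
        if (u["role"] == "contract_reviewer"
                and ipaddress.ip_address(u["last_ip"]) not in REVIEW_CENTER_NET):
            issues.append(f"outside review center: {u['last_ip']}")
        if issues:
            findings[u["user"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit(USERS, AUDIT_TIME).items():
        print(account, "->", "; ".join(issues))
```

Accounts that are merely disabled can be restored by the user management group when access is still needed, which is why the check errs toward disabling rather than deleting.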
When a case settles, regularly check in with the client about taking data down. Removed data is generally safer from hacking or accidental disclosure than hosted data, so removal should be considered. If the case is inactive but may become active again (perhaps after an appeal), ask your discovery provider about archiving options. Be sure to ask how long the process takes to bring data back “online” and how it is secured while archived.
Opposing Party Data
Most ESI protocols or protective orders have specific provisions requiring parties to destroy the confidential data that they received during the litigation within a specified time frame once they have resolved the case. However, most litigators know that sometimes clients want to keep their data available for a bit, for a variety of reasons. Discovery providers should be able to take down and destroy opposing party and third-party productions, while segregating out client data. When a case resolves, get in touch with the client and discovery provider immediately to ensure that user access controls are implemented, and a plan is in place for timely data deletion or removal.
Compliance with Standards and Certifications
Hopefully by now, you agree that certifications and audits will not necessarily identify all the potential pitfalls that arise throughout the complex e-discovery process. But that does not mean that certifications and audits are not necessary. There are many valuable certifications that your organization can get to demonstrate visibly that you are doing everything you can to remain secure and prove as much to your partners and clients. The ISO 27001 certification remains the gold standard, and it is the best starting point, regardless of which additional certifications you may pursue or require. ISO 27001 ensures your organization has the framework to implement controls and policies such as those suggested here. The idea is that once you have this certification, you have demonstrated the ability to manage your security operations effectively. The standard requires a top-to-bottom focus, ensuring executive buy-in, as mentioned above. It also requires evaluation of a broad list of security domains for applicability to the organization and an associated risk assessment methodology. If this article has made you a little anxious about security in e-discovery, ISO 27001 is the recommended prescription.
It is possible to get an ISO 27001 certification for only certain departments, processes, or physical locations, so asking pointed questions about the scope of a potential provider's ISO 27001 is a good idea. This also speaks to why anyone involved in the e-discovery process can benefit from the certification. If you are not running a data center or making software, but you are interacting with sensitive data in some way, you can still benefit. The bottom line is that if a company has access to your data or your client's data, ask questions about security certifications.
Other security audits are usually more prescriptive; they seek to recommend certain controls based on the parameters of your organization. And they may be more rigorous, so please consider those in addition to ISO 27001, depending on your needs. Your data center provider should, for example, probably have a system and organization controls (SOC 2 Type II) report.
Information security is a persistent concern for any organization, and the challenges of the e-discovery lifecycle undoubtedly introduce additional risks. By implementing the best practices suggested in this article, you can rest easier, knowing that the next time you “catch up on emails” in the evening, you do so in peace, secure in the knowledge that your sensitive data and your clients' data remain protected.