A version of this eDiscovery security article was first published by Cyber Defense Magazine (September 2019)
eDiscovery Security should be a priority.
In today’s world of ever-increasing data theft, network hacks and other cyber threats, companies of all sizes are finally taking data security seriously. Even so, many overlook how their data can be compromised when situations require that data to exit the company’s custody. One such common situation where significant amounts of often-sensitive data must be sent outside the corporate domain is the eDiscovery process, which takes place when a company is involved in litigation, regulatory matters, and internal investigations.
During the eDiscovery process, your data — ranging from emails to financial reports and much more — is collected from your company’s various computer systems. It is then sent out to eDiscovery vendors, law firms, related consultants and potentially several subcontractors for all sorts of tasks. The data gets processed and cataloged, reviewed for legal needs, and produced to third parties, the government and others. All of that data movement has the potential for vulnerabilities in your eDiscovery security. What’s more, depending on your law firm and vendor’s workflows, throughout that process your data can be transferred multiple times between the various parties.
Moving your data among and between so many parties outside your company’s firewalls substantially increases risk. It also increases the number of organizations you must vet to ensure that their security policies and practices are acceptable. While we encourage you to develop a full vendor vetting process that looks at things like data center security certifications (like SOC2 or ISO 27001), penetration testing, disaster recovery, physical security and more, here are six essential questions you must ask anyone or anything that touches, transfers or stores your data.
Q1: Are systems and data encrypted at all times, both at-rest and in transit?
All computer systems and mobile devices should be protected by device-level encryption. All data transferred using physical media (e.g., disc media, external drives) or digital online data transfer solutions (e.g., SFTP, cloud transfer/storage systems) should likewise be protected by an encryption mechanism, which can be as simple as using a strong password-protected ZIP file, for example.
Today’s constant stream of stories about law enforcement’s ongoing difficulties in accessing various mobile devices clearly illustrates how effective device encryption can be at keeping prying eyes from accessing your data. Simply put, encryption turns your data into a garbled pile of useless gibberish that can’t be used absent proper credentials or digital tokens. Thus, even if someone physically steals your device, the data is protected.
Encryption is now available on nearly all modern computers, smartphones, and other devices, and is so effective and easy to deploy that there’s simply no reason any vendor shouldn’t be encrypting them all. That’s especially true for mobile devices like laptops, tablets, smartphones, smart-watches and the like that are even more vulnerable because they routinely travel outside the corporate firewall.
While the other items below are very important, device and data encryption are two of the most important security steps any company can and must take. These steps are simple, cheap and effective. So, if your eDiscovery vendor isn’t doing those simple things to protect your data, it’s likely that they’re not doing much else, either.
Q2: Is multi-factor authentication in use?
Multi-factor authentication, commonly called MFA, is another extremely effective tool in the fight to protect your data from malicious actors. As such, it should be a central part of your law firm and vendor’s security profiles and a requirement for strong eDiscovery security.
With MFA in place, not only are a username and password required to access secure systems, but an additional step is required in which a code is sent to a separate device, usually your cellphone, and must then be entered along with your username and password to complete the login or access process. Such solutions are becoming increasingly common even in our daily lives; your bank may encourage or even require MFA (sometimes called one-time codes), especially for more sensitive items like wire transfers.
For example, here at BIA, we utilize MFA any time an employee logs on to nearly any company computer or system, especially if they are not physically in one of our offices and connected to our corporate network. If one of our employees works remotely from their home or the neighborhood Starbucks, they must always use MFA, which admittedly can be inconvenient at times, but is undoubtedly worth it for the protection it affords. Encryption and MFA working together ensure that if a device or data is lost or stolen, the data will remain safe and secure, regardless of the thief’s skills.
Q3: Are role-based access controls in place?
Lately, we see almost weekly news reports of data breaches occurring not because of hackers, but because of employees stealing something they shouldn’t have had access to in the first place. This is especially common among departing employees. Indeed, the recent Capital One data breach that impacted over 100 million customers came from an employee’s internal system hack.
Law firms and eDiscovery vendors should address this problem by adopting strong policies regarding role-based access using the concept of least-privilege to drive those policies. That means an individual’s access to various data stores and computer systems is limited based on their role and function within the company and gives them privileges to the minimum set of actions needed. For example, a vendor’s project managers may need access to key data shares, but only to read and edit files, not to delete them. Those same project managers, like most employees, may never need access to the accounting or HR department’s records. While many companies have put such controls in place for their own data, they often fail to do so when it comes to the data they hold for others, including their customers.
Here at BIA, as part of our standard security practices, we use least-privilege role-based access across the organization, and we have systems and procedures in place to narrow that access even further on especially sensitive matters. The logic is simple: By limiting the number of eyes that can even see your data, we automatically reduce the possibility of an internal data breach.
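The least-privilege policy described above, expressed as a deny-by-default access check: the project manager role may read and edit case data but not delete it, has no grant on HR or accounting records, and especially sensitive matters require explicit assignment. This is an added example, not BIA’s code; the roles, resources, user names and matter identifiers are constructed.

```python
# Added example (not BIA's code): deny-by-default, least-privilege access check.
# Role names, resource names and matter IDs below are constructed for illustration.
from dataclasses import dataclass, field

# Explicit grants only: any (role, resource, action) not listed here is denied.
ROLE_GRANTS = {
    "project_manager": {"case_data": {"read", "edit"}},            # no "delete"
    "review_attorney": {"case_data": {"read"}},
    "hr_admin":        {"hr_records": {"read", "edit"}},
    "accounting":      {"accounting_records": {"read", "edit", "delete"}},
}

# Matters flagged as especially sensitive: access is narrowed to assigned users.
SENSITIVE_MATTERS = {"M-1047"}


@dataclass
class User:
    name: str
    roles: set
    matters: set = field(default_factory=set)   # matters this user is assigned to


def is_allowed(user, action, resource, matter=None):
    """True only if some role grants `action` on `resource` and, for a
    sensitive matter, the user is explicitly assigned to that matter."""
    if matter in SENSITIVE_MATTERS and matter not in user.matters:
        return False
    return any(action in ROLE_GRANTS.get(role, {}).get(resource, set())
               for role in user.roles)


def audit(user, action, resource, matter=None):
    """Produce a one-line audit record for the decision (log it, never print it only)."""
    decision = "ALLOW" if is_allowed(user, action, resource, matter) else "DENY"
    return f"{decision} user={user.name} action={action} resource={resource} matter={matter}"


if __name__ == "__main__":
    pm = User("pat", {"project_manager"}, {"M-2001"})
    for action in ("read", "edit", "delete"):
        print(audit(pm, action, "case_data", "M-2001"))
    print(audit(pm, "read", "hr_records"))
    print(audit(pm, "read", "case_data", "M-1047"))   # not assigned: DENY
```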
Q4: Are there written data security, acceptable use, and other critical policies in place? Do employees know about those policies and where to find them?
To paraphrase a certain web-shooting superhero, with great data comes great responsibility, and it’s critical that not just your vendor, but its employees as well, truly understand their responsibilities. Even with all the data security measures discussed here, those with proper credentials and sufficient need will have access to even the most sensitive of data. Thus, an essential piece of the data security puzzle is making sure that every person who legitimately has access to your confidential data clearly understands their responsibilities and is committed to protecting that data.
Your law firm and eDiscovery vendor should have clear, written data security and acceptable system use policies, and those policies must be accessible to all. Other information security policies, including data handling, employee conduct, confidentiality, disaster recovery, business continuity, and crisis management, if available, should also be reviewed. But written policies alone, without action, are meaningless — management must show that employees know and follow those policies.
Employees should be required to sign strong confidentiality and nondisclosure agreements as part of their initial hire onboarding, as well as whenever company policies are updated. Security review meetings and presentations, held at least annually, can also be helpful for providing continuing education and reminding employees of their data security responsibilities and how to be vigilant for the latest trends in hacking, phishing, and other such security attacks. Policies are great, but your vendor should be able to prove that their employees know, accept and put those policies into practice.
Q5: Is there a secure and tested business continuity and data backup plan?
Good eDiscovery security plans also include data backup and business continuity (the ability to continue or quickly recover essential services after a natural disaster, for example) plans. Both are critically important topics to raise with any vendor, but in doing so people often overlook the security of those solutions themselves, which must be at least as secure as the primary, live systems.
Most backup and business continuity plans call for multiple physical locations for both data storage and critical systems, which means data is stored both in the vendor’s primary location(s) and copied offsite location(s). When asking your vendor about its data security policies and practices, make sure to include questions about any such secondary locations — and about how securely the data is transferred between those locations.
Q6: How is data handled once a case is closed?
Clients often ask about security before a new project starts or a new master services agreement is signed, but what happens to your data after a given eDiscovery project concludes? You might be surprised to learn that the case shutdown process at eDiscovery vendors varies widely, and it might not be as comprehensive as you’d assume. Many of the vendors you have used in the past for projects that closed long ago may still be storing copies of your data, which could expose you to further completely unnecessary risk and violate your data retention policies.
Your vendor’s project shutdown process is also a critical part of maintaining strong eDiscovery security, and it deserves as much focus as the kickoff process, if not more. Your eDiscovery vendor’s project manager should present you with a summary of all the data the vendor has — including not just the original data, but also copies stored in their data processing systems, review tools, analytics platforms, productions and the like. Only then can you decide whether you want the data returned, destroyed or stored for possible use later.
If your decision is to destroy the data, your eDiscovery vendor must be able to certify the destruction of that data to industry-accepted standards. Hard drives should be fully overwritten so that the data is truly irretrievable. And once hard drives reach the end of their useful life, vendors should physically destroy them. The cost to do all of that is small, and any credible vendor should have no problem providing those services.
Data security is a job that never ends. If you’re serious about protecting your data while it’s on your servers, you should be equally serious about keeping it safe when it travels outside your protected space.
You can start by making sure you ask the right security-related questions throughout the eDiscovery process.