The CISO’s Role in eDiscovery

2020’s explosion of cybercrime, data breaches and resulting litigation is shining a new light on the CISO’s role in eDiscovery. Cybercriminal activity is up 330% over 2019, as bad actors prey on businesses and individuals coping with the coronavirus pandemic (source: Crowdstrike). As company executives search for better ways to protect and strengthen legal data security standards within the enterprise, protecting confidential electronically stored information (ESI) shared with outside counsel is at the top of their priority list.

Law firms have become a significant target for cyber attackers as well. A recent survey by cybersecurity firm BlueVoyant revealed that 100% of the law firms surveyed fell victim to cybercriminal attempts, and 15% of firms surveyed showed signs of compromised networks. In litigation and regulatory matters, corporations regularly put company data at potential risk by sharing sensitive documents with their law firms, subject matter experts, service providers, and other outside resources. One click of a malicious link can result in a data breach or other security incident that has the potential to ruin a law firm’s or company’s reputation.

To combat this rising trend, forward-thinking executives, CEOs and corporate boards are pushing their CISOs to take a greater role in eDiscovery. They are enlisting the CISO to help vet their law firms and other legal service providers in order to increase the security of the ESI tied to legal matters.

CISOs should familiarize themselves with the legal landscape and discovery processes. By focusing on the following four areas, CISOs can gain a better foothold in ensuring heightened legal data security.

1) Selecting eDiscovery Vendors

Choosing an eDiscovery vendor, or reviewing the performance of a current vendor, involves much more than working through a security checklist and observing the typical hands-off vetting process. The CISO’s role in eDiscovery vendor selection should be front and center. Input from a CISO or the CISO’s staff is needed early in the process to assess the quality of an eDiscovery vendor’s technology, the level of legal data security, and the methods for gathering, transferring, storing and processing ESI. A proper analysis is not possible through mere checklists or standard vendor interviews; a thorough vetting requires the CISO and their staff to delve deep into the way eDiscovery vendors handle data and secure their own networks, systems and staff.

It is imperative that the CISO join the discussion at the beginning of the eDiscovery partner selection process. They should collect input from other C-Suite executives, create a comprehensive security risk profile for the business, and determine the vendor’s level of compliance with records retention policies and procedures. The CISO also should analyze workflows, technology, and other aspects to decide if the eDiscovery vendor can meet the company’s current and future needs. For example, when moving around client data, the vendor should have modern secure transfer mechanisms in place (both internally and externally), and it should demonstrate proof of role-based security usage and access controls when handling client data.

2) Managing Multiple Relationships

Shouldered with the responsibility of securing company data-sharing and communications systems, CISOs already excel at understanding how systems communicate and where security vulnerabilities lie. The CISO understands the nuances of what is required to protect ESI across multiple departments – accounting, human resources, legal, production and sales, to name a few. The CISO already knows how to work in partnership with others at the company (and with various outside vendors) to ensure data security. That combination of knowledge and skills carries over perfectly to eDiscovery and makes the CISO’s role in eDiscovery a unique and valuable one.

Similar multi-faceted interactions should occur with the company’s outside law firms and eDiscovery vendors. To fully understand how data is stored, secured and managed, the CISO and their staff should conduct a deep-dive analysis of the data sharing, transfer and storage processes and policies between the company, the law firm and any eDiscovery partners. The CISO can use the knowledge gained from this deep-dive to enforce consistency in managing the legal data security protocols. Merely imposing the company’s own policies on the law firm and eDiscovery vendor misses the target of ensuring that legal data security is intact. Even though eDiscovery has become a standard business process in some companies, it is still a process that requires extra focus on standard areas of breach prevention, such as:

  • perimeter security controls;
  • HR policies with respect to data access and use;
  • confidentiality agreements;
  • security incident detection; and
  • notice and response.

3) Knowing Where All Company Data Resides

When it comes to data security, what you don’t know will hurt you. These days, data is scattered and stored on endless devices: in the cloud, on mobile phones, on personal devices and wearable technology, and on desktop and laptop computers, not all of which are company provided or controlled.

Security protocols and data retention policies are effective only when the company’s security team, usually led by the CISO, knows where company data should (or may) reside and who has access to it. A Varonis report estimates that 53% of companies have more than 1,000 sensitive files that can be accessed by every employee. During eDiscovery, many of those files also may be shared with the company’s law firm and eDiscovery partners.

When a data breach occurs at a corporation’s law firm, it is highly likely that someone within the firm was holding onto company-sensitive information, such as database files or sensitive emails, that should have been deleted years ago in accordance with the company’s defensible deletion policy. That sensitive corporate information is now compromised. Had the location and ownership of those files been addressed early on, those database files and email messages would not have been at risk in the first place. If the law firm had gone a step further and stored the corporation’s data in a secure and centralized platform (as do BIA and other top-tier eDiscovery vendors), that sensitive company information would have been protected in the correct manner, and with very little effort and cost.

The CISO should use situations like this to guide discussions with company vendors. Reviewing potential security incidents and providing controls to guard against them are key steps to preventing data breaches and enforcing legal data security. CISOs and their teams should work closely with company vendors and outside counsel to gain control of ESI that resides outside the company domain. At the end of the day, the CISO’s role in eDiscovery is not that different from their role in other areas of the company; they are responsible for protecting company data and making sure that all necessary safeguards are in place to do so.

4) Meeting Regularly with Other Senior Stakeholders

Creating, implementing and managing effective data security initiatives cannot be done in a vacuum. To secure eDiscovery practices and procedures the CISO should meet regularly with other C-Suite executives and the company’s internal information security staff. This will put the CISO in a better position to guarantee that the vision, strategy, tactics, and policies are working together to protect ESI and prevent legal data security breaches.

The CISO’s role in eDiscovery should involve regularly scheduled meetings with the company’s general counsel and legal department as well. These meetings should include a review of how ESI is managed at a policy level and a discussion of any changes necessary to maintain the highest level of legal data security.

The CISO can be a company’s secret weapon in managing and protecting ESI involved in legal action. Working closely with legal counsel and fellow senior stakeholders (such as other C-suite executives), the CISO can play a vital part in selecting the right eDiscovery partner and even law firms for the company.

Ultimately, the CISO’s role in eDiscovery is one part of the broader plan any company should follow to create a legally defensible posture across the company’s litigation portfolio. The more prepared a company is with respect to its eDiscovery strategy, the stronger the position it maintains during litigation, which also helps shorten timeframes and lower costs.

The Power of a Partner

To build a bulletproof eDiscovery strategy, consider partnering with an eDiscovery vendor that will help you create an eDiscovery playbook: one that is tailored to your company and specifically addresses data security. For nearly two decades, BIA has been that partner to corporations. We’ll help you develop, amend, and improve your eDiscovery processes, protocols, procedures, and instructions, for both internal staff and outside counsel. To learn more about empowering the CISO’s role in eDiscovery to keep company data safe and secure, reach out today.

Alon Israely, Esq., CISSP

Alon Israely is acting CISO of BIA, a company he co-founded in 2002 at the pioneering stages of the computer forensics and eDiscovery industries. As part of BIA’s Advisory & Consulting Services team, he assists clients with critical issues related to information security, eDiscovery and data privacy. With over 20 years of experience in a variety of advanced computing related technologies and areas, and as a member of the Sedona Conference and several digital forensics and cyber-privacy organizations, Alon stays on the cutting-edge of new technologies and helps continue to lead the industry in driving secure, legally defensible methods and practices used by enterprises and the government to securely manage the complex requirements of document preservation and discovery.