Keeping data safe used to be the sole job of dedicated departments within companies – typically not something lawyers were trained on. The largest companies would have specialized teams focused on the task of securing confidential information – while smaller organizations and even law firms might not have any certified security officers on staff at all.
Data breaches on the rise
In recent years, however, we’ve seen a significant shift as high-profile data breaches have hit prominent companies and law firms. Smart legal teams are taking a more active role in protecting their data, ensuring compliance with stringent security standards, and vetting any vendor they hire that handles their data.
Naturally, eDiscovery vendors handle some of the most sensitive data – whether it contains potentially litigious information, confidential intellectual property, or data restricted by international jurisdictional requirements. In parallel to the increasing awareness of the importance of data security, firms’ questions to their eDiscovery providers have evolved.
Cyber-attack threats loom large – so it’s important for legal teams to understand data sensitivity levels, segment it as necessary, and ensure that the controls and technology in place are sufficient to protect whatever type of data it is.
Data security in eDiscovery: An evolving awareness
As recently as ten years ago, it was thought to be sufficient to simply ask whether data would be protected – legal teams (or their contractual representatives) rarely investigated more deeply.
But as news of data breaches spread and security and privacy regulations increased in the US, Europe, and Asia, legal teams became more aware of the fragile position much of their data was in – and thus increased their focus on protecting it both within their organizations, and especially outside of it.
In the early days of mounting data breaches, legal or procurement teams might ask eDiscovery vendors to fill out a detailed questionnaire about data protection.
Now, legal teams take a more thorough approach as security has become a primary consideration in eDiscovery vendor selection. Onsite, multi-day security audits – conducted by in-house client security teams, or third-party audit organizations – have more and more become the norm.
This shift in security awareness has been incredibly beneficial to law firms and corporate legal teams – the more legal teams know about data security, the better able they are to prevent and respond to data breaches.
It only takes one weak link in the chain to exploit data, so legal practitioners must understand where their data is, who has rightful access to it, and how it will be handled by anyone who touches it – including and especially eDiscovery service and technology providers.
Understanding legal data at risk: Electronic discovery & beyond
Practitioners must also understand the wide range of data in need of protection. In eDiscovery, data can mean anything: intellectual property or trade secrets, product design specifications and algorithms, formularies, and emails, text messages, voicemails, and chat logs of employees. The role of security in eDiscovery is to make sure that, whatever and wherever the data is, it is protected according to its unique characteristics. Technologies and methodologies such as encryption, encryption at rest, access controls, the need to know, role-based access controls must be employed adequately to protect the data no matter where it is.
In today’s environment – where cyber-attack threats loom large for nearly every industry – it’s important for not just law firm clients, but law firms themselves, to understand the data itself, understand the levels of sensitivity it has, segment it as necessary, and ensure that the controls and technology in place are sufficient to protect whatever type of data it is. The alternative is to protect everything at the highest possible standard, which is exceedingly expensive for both the customer and the provider.
Additionally, in-house legal teams must work with the compliance and security functions inside their organizations to understand the corporate guidelines for what is required. A good eDiscovery provider will partner with an organization to help these leaders understand the rules of engagement, what's necessary, and how to proceed in a safe and effective manner.