The data breaches dominating headlines this summer serve as a good opportunity to remind ourselves and our eDiscovery peers that our industry is not immune to hacktivists and cyber criminals. In fact, given the highly sensitive nature of financial services’ matters, our (collective) networks and matter data are some of the most prized targets.
Keep reading below to understand how hackers have been able to thwart cybersecurity systems in the most notorious breaches and what it means for our industry. From a state of the union on the vulnerability of eDiscovery evidence to cyber-attack, to ideas for creating a secure eDiscovery process—we’ve got you covered.
Cybersecurity Infiltrates E-Discovery Managed Services
Using the most recent data breach at the Office of Personnel Management (OPM) as an example, Monica Bay explains that “[l]aw firms are especially vulnerable to breaches, because lawyers (especially those in litigation, property or mergers and acquisitions) process highly sensitive information.”
Bay explains the primary concerns surrounding data breaches in legal engagements in her article “Cybersecurity Infiltrates eDiscovery Managed Services.” She notes that lawyers have additional ethical obligations to protect data, citing The American Bar Association’s “Model Rules of Professional Conduct,” where Rule 1.6(c) states that, “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
She closes by sharing how firms Vedder Price and Seyfarth Shaw are working to tighten data protection measures by incorporating cybersecurity considerations into their vendor selection processes.
3 Lessons for a Proactive Approach to Cybersecurity
While Bay focuses on the responsibility of lawyers to protect the data they steward, Jason Straight offers potential solutions to the problem in “3 Lessons for a Proactive Approach to Cybersecurity” in Corporate Counsel.
Straight asserts that there are three things legal professionals can do to alleviate cyber threats:
- Pay Close Attention to Service Providers (and Know your Liability):
You are ultimately responsible, so it is important to understand your third-party vendors’ and service providers’ security measures. At the end of the day, Straight emphasizes that “Target’s CEO was the one who was called to testify before a congressional committee…(and) Target was compelled to provide detailed documentation of the steps it had taken to protect sensitive data prior to and immediately following the attack.” Despite having a third-party vendor in charge of its data security, Target was liable for the breach.
- Throwing Money at the Problem Isn’t Enough:
Straight also asserts that taking on costly prevention measures is not always enough. For example, Target “purchased a $1.6 million malware-detection tool and had a team of security professionals continually monitoring its systems around the clock.” And yet, it still experienced a breach. According to Straight, this happens because nearly 80% of major data breaches are the result of weak or stolen login information.
- A Quick Response Is Key:
Lastly, Straight stresses that time is of the essence when an organization thinks it may have been the victim of a breach. He suggests that ignoring the first inklings of a breach gives a leak the opportunity to grow and contribute to “interrupting everyday business activities, increasing costs, causing brand damage and customer churn, increasing the scrutiny of regulators, and increasing the potential for major legal problems down the road.”
Unfortunately, the rules of professional conduct that require law firms to safeguard data do not make them any less susceptible to cyber-attacks. As more law firms adopt stricter security measures, it is critical that their third-party vendors and service providers do the same.