As a recent article on Attorney at Work points out, the Panama Papers scandal has been a game changer for law firms in terms of data security. For many years law firms seemed immune from the data security problems that have plagued financial services institutions, government agencies, and healthcare providers. But the Panama Papers have brought to light that staying out of the headlines has been more about good luck than good planning.
The survey revealed that while there is some awareness and confidence, there are notable areas of weakness, including incident response planning, password security, and security of mobile devices. These three areas are particularly important since they are the most likely vectors for attack when transferring large amounts of client data for cross-border matters, and because they create both vulnerabilities from external malicious attacks and accidental exposure from employees.
Source: Attorney at Work
But why are we talking about data security practices on an eDiscovery site?
The simple reason is that all major domestic and multinational corporations typically retain the services of at least one, and often several, law firms. Each of those law firms in turn works with multiple legal services providers to obtain the support required in preparing matters. Moreover, for companies engaged in international data transfers, the level of scrutiny being applied by EU member states while new privacy protocols are solidified under Privacy Shield is at an all-time high. As you can see, even the simplest data transfer has multiple points of vulnerability, which is why it is critical to understand what information security and governance procedures each party has in place.
So, how do you figure out which organizations are thinking about data security and the privacy of your information in the right way? These four pointers provide a baseline for the kinds of conversations you should have with any provider, whether you are considering working with them or are already in a long-standing engagement.
- Use certifications, such as ISO, as a conversation starter, not as proof in themselves.
- Continue the conversation into their specific internal audit practices and ask to review the results.
- Ask what data security and information governance standards they require of their providers and partners.
- Meet with the C-level executive responsible for information security. The more granular a firm’s organization is in terms of responsibility and the more authority invested in that role – like a seat at the boardroom table – the more resources they’re likely to be investing in data security.