What do you know about your eDiscovery providers’ information security practices? I’m not usually a betting man, but I’d feel secure in my wager that you don’t know a great deal about how information is transmitted, stored and secured in preparation for a matter. While that’s been an acceptable position for many years, it’s time for law firms, legal service providers and their clients to get serious about how they handle sensitive and proprietary information.
For many years, those of us responsible for data security were only concerned with a direct cyberattack on our own networks. But as cyberattackers get more sophisticated and better funded, we need to be conscious of our role in a far more complex information ecosystem. A good example of this is the Target breach in late 2013. As more information has come to light, we’ve learned that the cyberattackers found a weak link via Target’s HVAC contractor and used its network as the staging site for the attack. If you think about the structure of how eDiscovery work is done, it could have just as easily been a law firm or a legal services provider that provided the entry point.
With major domestic and multinational corporations typically having retained the services of around half a dozen law firms, and with each of those law firms working with multiple legal services providers, you can see how quickly the number of vulnerability points increases. When you then introduce the complexity of multiple data transfers, data storage sites and data destruction protocols, you can begin to see how critical it is to understand what information security and governance procedures are being used at each step.
Right now, most organizations’ security checklists consist of little more than a checkbox centered on ISO certifications and standards. Do these certifications really indicate that the provider maintains a culture of security with ongoing diligence? While ISO certifications provide some reassurance, they can also serve merely as a snapshot showing that on this day at this time, certain safeguards were in place. When looking at potential providers, I recommend organizations:
1) Make sure they have the appropriate ISO certifications. This should serve as a baseline.
2) Ask if there are regular internal audits or evaluations of the security controls the potential partner has in place.
3) Note if the business has a formalized governance council that meets regularly to discuss information security issues and supply recommendations.
The financial services sector has recently taken a big step toward creating a culture of security by convening an Information Sharing and Analysis Center (ISAC). Not only do this team and its subgroups meet regularly to share information about cyber threats, they also share best practices and develop standard contract language that codifies those best practices. The big disappointment for me, as CISO of a legal services provider, is that while law firms are included as a subgroup in the ISAC, legal services providers are not. And this is despite the fact that client data is transmitted on our networks and stored on our servers.
Rather than lament our lack of inclusion, I’d prefer it if legal services providers united to establish a framework for client data transfer, storage and disposal. The framework wouldn’t be didactic; rather, it would consist of prescriptive best practices. For example, we might agree that 256-bit encryption would be required, but we wouldn’t mandate the use of particular software. In creating such standards, we would contribute to a layered information security defense that provides the best protection against data being stolen directly from our networks and prevents our organizations from becoming the attack vector into our clients.
Most CISOs, CIOs and CSOs—including myself—view cyber-attacks as inevitable: our job is to have the security in place to rebuff them. To that end, it would strengthen our individual defenses if legal services providers could develop a shared framework for client data protection. The top five things I would want included in this framework are:
1. encryption standards,
2. authentication standards,
3. remote access controls,
4. standards for access to Web-based services, and
5. data transfer and storage standards.
Until that time comes, I recommend that you ask a few more questions about security protocols and go beyond ISO standards when speaking with prospective eDiscovery and legal service providers. The more the provider can demonstrate its approach to data and information security and speak to the five topics above, the more confidence you should have that your organization’s information, reputation and even viability are in good hands.