In this edition of the legal news round-up, we focus on cloud security, with a nod to National Cyber Security Awareness Month.
The cloud has brought with it many advantages for end-users. Yet, with the overwhelming number of applications available, the cloud has also raised serious security concerns. For eDiscovery, where collecting and storing electronically stored information (ESI) is critical to compliance in legal matters, these security risks are even more pressing.
Keep reading for tips on how to leverage the power of the cloud for eDiscovery while protecting sensitive data.
Bring Your Own Cloud Concerns
Cloud technology enables quick, easy migration of data from one device to another. While this is convenient, it can also create vulnerabilities, as revealed in “Avoiding the Dangers of Bring Your Own Cloud in E-Discovery.”
Cloud services are interconnected, giving users ubiquitous access to their documents through connected devices. But uploading documents to a cloud service creates “numerous copies of potentially confidential data or documents across multiple dubiously secured devices,” as servers replicate files before uploading them to other connected devices.
In eDiscovery, having multiple copies of sensitive data in the cloud is especially problematic because they contribute to poor security and increase the need for stringent protection mechanisms for data at rest and in motion. Additionally, the open access that the cloud facilitates means data is stored “outside the control of corporate security.” Add the risk of “dark data”– such as workplace data stored by employees in their personal cloud applications outside of corporate control—and you have a recipe for the perfect storm. However, “if companies proactively attempt to prevent employees from using personal clouds or utilize processes to track cloud data usage, then they may be off the hook for dark data e-discovery searches.”
Best Practices for eDiscovery in the Cloud
In “Handling Cloud-Based ESI in E-Discovery: Best Practices for Corporate Counsel,” the authors note the “mind numbing” pace of cloud computing growth. Citing the usual advantages to the cloud—speed, agility and cost—the authors observe that the cloud has transformed data storage, requiring organizations to revisit how they identify, preserve and collect ESI and to contemplate the risks that can result from the number of places that sensitive legal data can live in the cloud.
The authors suggest that “interviewing and documenting is the best way to avoid finding yourself in stormy weather” when it comes to knowing where your data resides in the cloud. You can limit the risks of the cloud by conducting interviews following these best practices:
• “It starts with IT.” IT should know how employees use the cloud. Request a list of sanctioned and unsanctioned cloud-based resources in use.
• “Be open and fully include the IT department in the process.” Explain what data you are looking for and why. The more the IT team understands, the better they can answer your questions.
• “Next, go to the end user employees.” As the authors say, “trust, but verify.” IT may not be aware of how individual employees are using the cloud, so be “open and transparent” in asking employees about their use of the cloud for document storage and collaboration.
• “[A]lways document the interview and dig for detailed answers.” You’ll get the most comprehensive information if you rely on face-to-face interviews (whether in person or virtual) rather than e-mail.
To learn more about eDiscovery best practices from The Chronicle’s contributors, click here.