Image: Clipart.com
Data breaches are on the rise, with more than 300 identified breaches this year, according to the Privacy Rights Clearinghouse. The breaches are evenly split between hackers and malware, experts say; 90 percent are targeted at databases that may contain caches of valuable data, reports USA Today's Technology Live. The good news: Most breaches could have been avoided with good security practices.
But these breaches raise issues for electronic data discovery, particularly for practitioners who use web-based ("cloud") review services. Care must be taken when evaluating and choosing vendors to be sure data is protected throughout the EDD process. When sensitive intellectual property leaves the firewall of an organization, corporate legal has both an ethical and legal obligation to zealously protect client confidences and secrets. This can be a daunting task -- security risk points include the cloud storage server, review workstations, the pipeline between the review workstation, and the servers -- and access control and security credentials of employees and reviewers.
For starters, thoroughly review the security protocols that are used to determine access rights and the credentials of all personnel who will be exposed to sensitive data. Many recent security incidences involved use of weak or stolen credentials or passwords, so require that systems have limited logon attempts, and that they hide access credentials. Consider also requiring two-factor authentication.
Documents stored on a server should always be encrypted, and protected by layers of both perimeter and "end-point" security. Discuss with the vendor what will happen to the electronically stored information once the case is over and how it will be deleted from the server. Undetected malware is the most common way to extract information from servers, and it can lay dormant for months, or even years. Absent contractual restrictions, once you load ESI onto a third party's server you essentially lose the ability to monitor who has access to the data. Risks increase when your data is processed outside the United States.
Workstations used for document review are often one of the most vulnerable components of the EDD process -- and can be easy pickings for hackers. Workstations should be continually inspected and certified "clean" of security vulnerabilities such as key logging devices. Require vendors to document what software is loaded on each workstation. The more software, the higher the risk.
It's also crucial to document what devices can be used for review. For example, if an attorney or other professional uses his or her own computer to access review software, that device can be at high risk because it has probably not been inspected and certified "clean." This is especially important when using cloud-based review programs.
Another risk scenario might be called "man in the middle attack" in which the attacker makes independent connections with the server and the workstation and intercepts transmitted data between them. When ESI is being reviewed remotely, the potential for data becoming compromised during transmission increases. These are just two examples of why it's crucial to use proper encryption, such as SSL (Secure Sockets Layer).
Most data breaches today are not sophisticated. They are usually targeted and focused using social engineering or a variety of hacking tools easily found on the internet. Nonetheless, companies should always assume worst-case scenario and then "work backwards" when evaluating data security. Cybersecurity standards such as those promulgated by the Federal Information Security Management Act and the National Institute of Standards and Technology should be used as models when evaluating vendors.
Here are issues to discuss with the potential vendor (and to address in contracts).
• How will the information be secured?
• When were the security protocols last audited?
• Is the ESI a high-valued target that requires additional security?
• Ask for details about vulnerability management, security testing, and intrusion protection protocols
• How is the review workstation secured and how often is it audited?
Always involve a security expert when dealing with highly sensitive information to make sure the ESI will be handled correctly from collection through production.
Unfortunately, most breaches are either never discovered or discovered long after the damage has been done. The best advice: Assume that if the information is of high enough value to hackers, they almost always will find a way to get it!
ADDITIONAL RESOURCES
Verizon Breach Report -- published annually.
IBM x-force Report -- published quarterly.
Mitre/SANS top 25 Most Dangerous Software Errors -- published annually.
Stephen M. Kramarsky, a member of Dewey Pegno & Kramarsky, focuses on complex intellectual property litigation.
Subscribe to Law Technology News
