This article is the first of a four-part series exploring data security and e-discovery. In the next installment, we will look at security best practices.
In-house counsel have heard the horror stories about security breaches and the expenses and reputational damage those breaches can lead to. Hackers have gained access to the personal data of 70 million Sony PlayStation users. A security breach cost Bank of America $10 million. Two men have been charged with electronically breaking into AT&T’s servers and stealing the e-mail addresses of about 120,000 iPad users, among a host of other examples.
Cybersecurity threats and data breaches cost companies millions of dollars in lost intellectual property, trade secrets and mishandled privacy information. The average organizational cost of a data breach in 2010 was $7.2 million, up 7 percent from 2009, according to The Ponemon Institute’s “2010 U.S. Cost of a Data Breach.”
While in-house counsel may be sensitive to the data security of their clients, customers and partners, they may not think about how secure their data is during discovery and litigation. But there have been plenty of horror stories there, too. In February, hackers reportedly stole 2.6 gigabytes of email from Puckett Faraj, a law firm representing Staff Sgt. Frank Wuterich, who is accused of leading a group of Marines in Haditha that allegedly resulted in the deaths of 24 unarmed Iraqi civilians. The emails are said to include detailed records, testimony and trial evidence.
In November 2011, Bloomberg reported that the New York office of the FBI called a meeting with the city’s top 200 law firms to warn them that hackers increasingly see law firms as an easy target to acquire valuable data on clients.
It’s little wonder that as banks and other institutions beef up their cybersecurity, hackers are increasingly eyeing law firms. Vast amounts of electronically stored information (ESI), some of it highly sensitive and confidential, can be involved with identification, collection, processing, review, analysis, production and preservation.
Legal departments need to carefully consider how secure their data is when it leaves the company or is being handled by outside help, including law firms, contract attorneys and third-party litigation support vendors.
To minimize exposure to e-discovery data security breaches, legal departments must understand different security standards, develop best practices, strengthen working relationships with those inside and outside the company who handle data and carefully review e-discovery security policies and protocols to ensure information will not be lost or subject to spoliation claims during the litigation process.
In order to protect their data during litigation, in-house counsel must understand their own risks and the security standards that their partners and vendors use. The Federal Information Security Management Act of 2002 defines three security objectives for information and information systems:
1. Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information”
2. Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity”
3. Availability: “Ensuring timely and reliable access to and use of information”
As many companies have learned, it’s difficult enough to prevent loss and theft with data that is handled internally. When that data is sent outside the company to law firms, third-party litigation support vendors and others, it can become even more difficult to ensure that it remains secure and confidential.
Unfortunately, the Federal Rules of Civil Procedure have not recognized a gold standard for data security systems, and legal departments can no longer simply push the risk off onto their law firms.
Several law firms and vendors have taken steps to become certified or compliant with different standards. Some of those standards include ISO 27001, which is the Information Security Management Standard of the International Organization for Standards (IOS). ISO 27001 specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information security management system within the context of the organization’s overall business risk. According to the IOS, it specifies requirements for implementing security controls customized to the needs of individual organizations or parts of organizations.
Another common standard is SAS 70, which is an auditing standard developed by the American Institute of Certified Public Accountants. The SAS 70 audit includes an in-depth review of an organization’s control over information technology and related processes.
While standards can be a useful roadmap for in-house counsel, not many vendors or law firms have become certified. That leaves in-house counsel to do their homework and be sure that security standards are explicitly built into contracts and service level agreements.
The U.S. General Services Administration has created extensive documentation about information security risks, laws that govern privacy and what information should be included in contracts, which can be found at. While the information is specifically created for government contracts, it can be a useful starting point for in-house counsel looking to develop their own agreements.