As any lawyer knows, data security is a huge concern to clients, and it is an area that all Litigation Support vendors should have resources dedicated to. As, in order to ensure that the most robust data protection and information processes are in place, this must be underpinned by a rigorous physical security process.

Due to the confidential nature of work that any eDiscovery vendor undertakes, they should hold a number of certifications regarding Data Security which are complemented by comprehensive internal company policies.

Certifications regarding data security

One of the most important is the internationally recognised ISO 27001 certificate, which encompasses company security policy, asset management, physical and environmental security, access control, security incident management and compliance. The ISO 9001 certificate in Management Systems is also extremely important certification and ensures that companies are complying with industry standards regarding internal policies, records, auditing and have sufficient business continuity systems in place. Each member of the delivery team should work within the ISO 9001 recognised standards to ensure continuity of service and to ensure that clients data remains secure.

Fines of data breaches

It is important to understand the consequences that may be applied by the various regulatory bodies if there is a breach of these and other standards. For example, under the UK’s Data Protection Act, the maximum fine for companies for data breaches was £500.000. Since the EU’s GDPR came in to force on 25 May 2018, companies can now be fined a penalty of up to 4 per cent turnover. In July 2019, the ICO flexed its GDPR enforcement muscles for the first time. British Airways is facing a record fine of £183m for last year’s data leakage (1.5 per cent of its turnover), and it was revealed that hotel chain Marriott would be fined £99m (3 per cent).

Other large fines included a £385,000 against Uber, relating to a security incident affecting the personal data of 2.7 million users and 82,000 drivers, and a £325,000 fine against the Crown Prosecution Service for losing unencrypted DVDs containing recordings of police interviews. Yahoo! UK Services Ltd were also fined a £250,000 penalty relating to a breach affecting the data of approximately 500 million users worldwide.

How secure is Array?

Aside from the ISO certifications, Array also holds a certificate in Cyber Essentials, a Government-backed, industry-supported scheme to help organisations protect themselves against common online threats. In holding this certificate, we demonstrate to our customers and supply chain that Array have considered security controls and are working in a safe and secure environment.

We would also recommend that as a custodian of client data a UK based eDiscovery vendor should also be a member of the Information Commissioner’s Office. This enables companies, such as Array, to keep up to date with changes in legislation and other industry news/best practice which affects this vital part of our business.