How to Make Your eDiscovery Process More Secure
For those engaged in eDiscovery, protecting companies’ sensitive data is only increasing in importance.
Each year, the odds that a company or its law firm will experience a data breach grow. According to the Identity Theft Resource Center, the number of reported data breaches increased 68 percent from 2020 to 2021, with 1,862 reported data breaches in 2021.
The number of data breaches is expected to increase in 2022, requiring companies to be increasingly vigilant about their sensitive information.
Companies and their outside counsel regularly quiz their eDiscovery services providers on the measures taken to secure their sensitive data. Despite these efforts, security gaps can, and frequently do, remain outside of services providers’ secure platforms. Those gaps can undermine audits and other efforts service providers undertake to ensure sensitive information is protected against disclosure.
Here are some ways both outside counsel and in-house counsel can enhance their safety protocols to ensure that their data and their clients’ data are better protected.
Only Send Documents Through Encrypted Means
When transmitting discovery documents outside of an eDiscovery platform, make sure to always use an encrypted delivery method.
Sometimes, we’ll receive data from outside counsel that’s sent via email, which we do not recommend, as it is not as secure. Instead, we recommend using a secure file transfer solution such as SFTP to transfer data.
Encryption is widely available, effective and easy to use. There’s no reason to send data through less secure channels, especially when doing so can put client data at risk of disclosure.
Consider Multi-Factor Authentication
Another option for added security is the use of multi-factor authentication, or MFA. You’re likely already familiar with this, even if you don’t know the name for it. When you log into a site or an eDiscovery platform, you may be required to supply your log-in and password, and then a second means to confirm you are who you say you are.
Frequently, this can come in the form of a code sent to your email or cell phone. Some programs offer their own authenticator apps, like Microsoft Authenticator.
Many eDiscovery platforms offer MFA for users as an option. If this is a feature that interests you, when you are setting up your discovery project, let your eDiscovery services provider know of your preference.
In addition to eDiscovery platforms, MFA is also frequently an option for FTP sites, giving users an added layer of security for transmitting documents.
Limit Access on a Need-To-Know Basis
Another security shortcoming we sometimes see is outside counsel making discovery data in an eDiscovery database available to everyone from their firm.
Easy access for outside counsel and their teams comes with a tradeoff in the form of less security, and more eyes on potentially sensitive records.
Not every company is going to be concerned about restricting access to their data, but for companies that are especially focused on security, we recommend creating security groups within their eDiscovery platform, giving individuals on their projects varying levels of access to the data.
For example, if some data is especially sensitive, you can limit access to it to just a high-level partner, as opposed to an associate who is only handling the review project.
When we start projects with our clients, we discuss access and other permissions to ensure everyone is on the same page in terms of their security requirements.
Review Your Export Settings
In addition to viewing and accessing sensitive data, another permission that is helpful to restrict is export settings. If you’re part of a company’s legal team and having a high level of security is important to your company, this is especially important to consider.
eDiscovery platforms give users the option to not only review data, but also export or download it for use outside of the database. If a company is not directly involved in eDiscovery, they might not realize that their outside counsel has selected more permissive options to enable greater ease of access within the firm.
Companies frequently audit their services providers to ensure they’re storing data securely and completing audits. They often fail, however, to audit their outside counsel’s handling of the same data, which can defeat the purpose of questioning their services provider.
If anyone from an outside law firm can export data from the database and share it internally or externally, that may be concerning for some companies. We recommend that in-house teams discuss their security preferences and expectations with their outside counsel.
Beyond the risk of sensitive data being downloaded and shared externally, another reason why it’s valuable to restrict who can export data is that frequently we see users remove data from the database but fail to backload it into the system.
This can create several headaches down the line, including missing items in productions. Restricting export settings can ultimately help keep a project on track and ensure that the review database has a complete set of records for the case.
With multiple outside counsel working on a case, it may be tempting for attorneys to share passwords for easier access to the review platform. We strongly advise against doing this.
Sharing passwords is a recipe for disaster. Not only can it make the holder of the original account vulnerable to having their other accounts compromised, but it also increases the chances that sensitive information will end up in the hands of a bad actor.
If someone who has the password has malware on their computer or falls victim to a phishing scheme, a bad actor can use the password to gain access to eDiscovery data, for example.
At Array, we work to ensure that each person accessing the data has their own log-in and password and is using it. All activity in our review platform is audited, which means we can track who is carrying out various actions within the database, whether it’s coding data or downloading data. For auditing purposes, it is important that individuals are using their own log-in information rather than sharing accounts.
In addition to not sharing passwords, there are other successful practices to keep in mind with regard to your password protocols. A password for eDiscovery data should be unique to your eDiscovery platform and not used on any other platform or personal account. Another recommended protection is to set up password expirations, so that users are prompted to change their passwords after a set time period.
Address Security Preferences Up Front
Whether you’re an in-house team engaging outside counsel, or an outside law firm working directly with an eDiscovery services provider, early conversations about security expectations are key.
If you’re an in-house attorney, be sure not only to discuss with your services provider what they do to keep your information secure, but also to check in with your outside counsel to make sure their practices are in line with your expectations.
If you’re outside counsel, make sure you’re engaging with your clients early on to determine that the appropriate controls are present for eDiscovery. Also, consider what steps you can take to make your processes more secure.
eDiscovery services providers are used to having conversations about data security with their clients. If you have any questions or concerns about your eDiscovery process, reach out to a trusted eDiscovery services provider for help.