Cybersecurity in eDiscovery: Protecting Your Data from Preservation through Production

Now more than ever, data security has become priority number one, especially in the context of litigation and eDiscovery. And as the worlds of eDiscovery, information governance, and cybersecurity continue to rapidly converge, cybersecurity incidents are alarmingly on the rise, showcasing all of the weaknesses in an organization’s information governance system. Addressing cybersecurity continues to be a top challenge in eDiscovery. Many are unsure if their own internal processes are safe, not to mention those of the vendors who manage their outsourced eDiscovery.

So, how can you protect your ESI all the way from preservation and collection to review and production? In a Law and Candor podcast episode, special guest David Kessler, Head of Data and Information Risk at Norton Rose Fulbright US LLP, discussed with our hosts the diverse set of challenges that arise with data security at each stage of the EDRM. Most understand the right methods start with implementing the fundamentals of cybersecurity, but some have learned the hard way that you can’t fix a house built on a shaky foundation after a cybersecurity disaster strikes. With the protection of client ESI first and foremost top of mind, here are the some of the most pressing cybersecurity challenges in eDiscovery as well as actionable solutions.

Cybersecurity Challenges in eDiscovery

• The intersection of information governance, eDiscovery, and data security: The nature of data has evolved such that eDiscovery and information governance naturally intersect with data privacy and security. We’ve learned that issues around data access are very similar to eDiscovery issues and the next challenge is learning how to operate the areas together cohesively. In addition, with the shift to scrutiny on privacy and what can be done with personal data, now we know almost all cases that involve ESI have tremendous privacy concerns.
• The important role eDiscovery plays in cybersecurity: No longer are the days where confidential data relevant to litigation is primarily found in email and simply on computers. Now, data is created and stored across a wide variety of mediums and the amount of data continues to grow at an exponential rate. For cybersecurity criminals, this is a gold mine of confidential data available to steal and access.
• The outstanding security gaps throughout the EDRM: Historically, we’ve been focused on the responding parties’ obligations to securely undertake discovery. The business process of eDiscovery is primarily about collecting, copying, and transferring data outside of an organization, which creates concerns about securing that information at every stage of the process. Both the responding and requesting parties need to find a way to collaboratively and cooperatively work together at the beginning of a case to ensure data is protected through the entire EDRM lifecycle.
• The weakest part of the cybersecurity chain is when you hand over sensitive data: How do we help clients make sure their data isn’t accidentally or intentionally taken from them during the eDiscovery process? Everyone from eDiscovery vendors to law firms has an obligation to shore up their security and organizations have a responsibility to thoroughly vet those partners as they hand over their most sensitive data. In the EDRM, attention has shifted to making sure cybersecurity protections span the entire EDRM and the last step that hasn’t received much attention is making sure the requesting party is taking the appropriate steps to secure the data once they receive it.

Cybersecurity Solutions in eDiscovery

• Shore up cybersecurity contracts and repurpose existing security riders: When an organization engages law firms and eDiscovery vendors to handle discovery, it’s important they work closely with their data security IT team. These teams can help to repurpose some of the standard security riders from other contracts and use it to create new contracts with the appropriate protections in place.
• Establish comprehensive protective orders at the beginning of cases: With respect to the requesting party, who you will ultimately be producing the data to, ensure that early in the case you’ve negotiated a comprehensive protective order that includes reasonable and proportionate requirements for the protection of data. In that protection order (and a step that’s often forgotten), follow up and confirm the data you produced has been deleted after a case is over.
• Keep open lines of communication with law firms and eDiscovery vendors: Your discovery partners understand and have a significant stake in their security reputations. They have a strong motivation to work with you to execute risk assessments and other agreements that contain the necessary security provisions to ensure your data is safe at every step of the process. Also, include a breach notification order if data is accidentally lost or there’s an attack.
• Focus on things you can do to strengthen your productions: Think about the most efficient ways to reduce the number of copies involved in productions where appropriate. For example, use redaction as much as possible and consequently less copies of data. Don’t produce sensitive and irrelevant portions of data – redact it instead.

Ultimately, most people have become acutely aware of the vulnerabilities that exist in data security as it travels through the EDRM, and as law firms and eDiscovery vendors become accustomed to deeper vetting, it’s at the production stage where the biggest security vulnerabilities seem to remain. To get ahead of all aspects of potential cybersecurity failures, the use of well-written protective orders will get you a long way. Requirements in protective orders can ensure all parties take reasonable steps to protect data from third-party hackers and unauthorized access, as well as include protections based on encryption, access controls, passwords, etc.