Today is Data Privacy Day, a global event held each year on January 28 to raise awareness among businesses and users, and to promote privacy and data protection best practices. Data Privacy Day is a useful reminder to those of us who work in the legal industry that data is always both an asset and a potential liability. Sensitive data is at the core of everything we do as legal professionals, whether we are engaged in litigation and discovery, conducting internal investigations, responding to FOIA requests, or looking for efficiencies in our organization’s legal operations.
The Cost of a Data Breach
We’ve known for some time now that law firms are prime targets for hackers looking for valuable data to sell or to hold for ransom, and firms continue to be vulnerable. They handle vast stores of sensitive data, including personally identifiable information (PII), yet they tend to lag other industries when it comes to implementing security technology and protocols that conform to international standards and best practices.
Let’s be clear: Data breaches pose an existential threat to both firms and organizations, which can face severe financial, legal, and reputational risk in the event of a cyberattack. A data breach on average will cost organizations $3.86 million. In addition to the direct costs of mitigating a breach, company stock typically falls once the breach is disclosed. A 2017 Ponemon Institute study showed that stock prices dropped an average of 5% after a breach had been officially announced. Breaches also hurt brand reputation: in the same study, 71% of corporate communication professionals and CMOs said that the greatest cost of a security breach is the damage it does to brand value.
Regulations Offer Challenges and Opportunities
But even if your firm or legal department manages to avoid a serious data breach, if you manage PII, you are also subject to a rapidly expanding web of complex regulations designed to protect personal information. The EU’s General Data Protection Regulation (GDPR) became enforceable on May 25, 2018, the California Consumer Privacy Act (CCPA) of 2018 went into effect at the beginning of 2020, and other states are currently in the process of developing their own privacy regulations.
As if this weren’t enough to motivate organizations to get their data security houses in order, the COVID-19 pandemic arrived last year and imposed work-at-home mandates, creating a whole new set of data management and security challenges, including the need to collect and analyze data remotely in investigations or potential breaches.
Cloud-Based Legal Tech Offers Required Control & Security
When firms and law departments engage with technology vendors to manage eDiscovery, investigations, and other data-intensive projects, the security of sensitive or private information should be top of mind. Organizations should look for solutions that not only keep data secure, but also enable a timely and effective response to any potential breach. Here are some key factors to consider:
- Solutions should be software-as-a-service (SaaS) or cloud-based. Security in the cloud has made huge strides in recent years, with excellent monitoring tools, security event logging, and intrusion detection/prevention monitoring. The cloud also gives organizations more stringent control over data access. Migrating to the cloud also forces an organization to think more rigorously about security.
- Solutions should provide secure access to information by multiple users across multiple departments and geographical locations so that, in the event of a breach, organizations can coordinate a response effectively.
- Vendors should be able to demonstrate their commitment to data privacy and security by presenting a detailed list of top-notch security certifications.
Select Your Legal Tech Vendors Based on Their Commitment to Data Hygiene
So, what does good data hygiene look like at a reputable SaaS provider? For starters, your vendor should be fully committed to the principles of data privacy for individuals and to full compliance with all applicable privacy regulations. Vendors should also be committed to helping clients understand and mitigate the risk of exposing PII.
At Casepoint, for example, we have developed a detailed formal data security program that encompasses people, process, and technology. We have made huge efforts and significant investments to earn some of the most rigorous data security credentials in the industry, including FedRAMP authorization for cloud-based eDiscovery, SOC 2 Type II attestation, and ISO 27001:2013 certification. See our full list of security measures taken at the company, application, and server level here.
Any provider you work with should require multi-factor authentication for all users, internal and external, and allow access to servers only via secured terminals and authorized credentials. Data storage should be compartmentalized, Internet endpoints should be minimized, and all network endpoints should be subject to data security policies, processes, and workflows.
At Casepoint, we conduct continuous monitoring of all systems and software. We have also developed a comprehensive set of business continuity, incident response, and disaster recovery policies and procedures. The advanced AI technologies in our SaaS platform help organizations apply more proactive controls over their information governance and records management practices, and quickly identify specific vulnerabilities that could threaten PII.
Data Privacy Day is a great opportunity for law firms and other organizations that host and manage sensitive data to take a close look at their technology and security protocols. If you don’t already use a SaaS platform for litigation, eDiscovery, investigations, and other data-intensive work, look for reputable vendors who can offer a secure, end-to-end solution with the kind of flexibility, extensibility, and scalability that only the cloud can provide. Look, too, for companies where data privacy and security are an integral part of their culture and their identity.