What is Data Security for eDiscovery?
Network hacks, data thefts, and other cyber threats have become quite prominent in the past few years. Companies of all sizes have finally started to take the issue of data security seriously. However, many companies still don’t prioritize data security when it has to exit their custody. One of these situations where you are required to transfer data outside of your domain is the eDiscovery process. You might have to do this when your organization is involved in internal investigations, regulatory matters, and litigation.
Every organization handles some form of sensitive data. It can be employees’ social security numbers, trade secrets, medical records, or any other form of information that could lead to disasters if it falls into the wrong hands. You might be handling the security of these records well within the organization, but what should happen when this data is transferred to an outsider?
Now that data and compliance breaches have become more common, the risk has increased as well, especially if you have to send files for legal review to a third-party provider.
During the compliance eDiscovery process, all of your data pertaining to the case, such as financial reports and emails, will be collected from your organization’s computer systems and sent to eDiscovery vendors, consultants, law firms, or regulatory authorities. Once this data is processed, cataloged, and reviewed, it might be produced to the government, third parties, or others. During this transfer, there is a potential for vulnerabilities.
Moreover, depending on the workflows of the law firm and the government, this data might be transferred multiple times to different parties. This increases the risk of data theft and the number of organizations that must be vetted. You must ensure that they have acceptable eDiscovery security practices and policies. It is recommended to have a thorough vetting process that considers data center security certifications, physical security, disaster recovery, penetration testing, and more.
eDiscovery Security Must-Haves
With the increased concern over data security, you have to deal with increased pressure to demonstrate your commitment to controls and eDiscovery security. This can include certifications, technologies, and more. However, there are certain must-have considerations for eDiscovery security:
Security shouldn’t be the sole responsibility of the compliance discovery solutions provider. You have to share it in order to promote communication and collaboration. The infrastructure providers, application providers, and end-users must work together to protect data.
The applications that you choose must allow the least privilege through granular permission. This way, access will be limited to the resources needed to finish the job. Also, they must offer holistic logging tracking of individual users. The data at rest, as well as in transit, should be encrypted.
Compliance discovery solutions must have third-party verifications that demonstrate their security commitments.
Common Mistakes While Managing Security for eDiscovery
Managing data security for eDiscovery processes comes with challenges of its own. It’s a complex process, and if you are not diligent, you might end up making mistakes along the way. To avoid this, take a look at what these common mistakes are and how you can avoid them:
Human error is still responsible for most of the eDiscovery security gaps. That is why you must provide regular training to all of your employees so that they can identify and avoid cyber attacks such as phishing.
Not Training Your Employees
Every company needs a data deletion policy that allows them to get rid of their outdated files. The data that has to be retained must be stored in a central, secure location instead of across multiple facilities or in legacy systems. Moreover, you must get the eDiscovery data back after the matter has been closed. Sometimes, law firms, third-party vendors, expert witnesses, and opposing parties retain sensitive data unintentionally even after the matter has ended. This can create a huge security risk for you. Anyone with your data should be followed up with to ensure that they either destroy or return the data after the case has been resolved.
Keeping Data in Multiple Locations
In many cases, data and compliance breaches have gone undetected until after a long time. Consider the example of Yale University and its data breach that occurred in 2008. It wasn’t until 2018 that the breach was detected. If you are unable to identify the breach in a timely manner, it will be impossible for you to implement corrective measures and take steps to avoid future breaches.
Ineffective Monitoring of Data Breaches
Different vendors follow different standards. It is important that you ask all your current as well as potential vendors about the eDiscovery security protocols they have in place. You can also ask if they have any relevant certifications, such as SOC 2 Type II. You can click this link to check Casepoint’s certifications and third-party audits.
Not Verifying the Security Protocols of Your Vendors
eDiscovery and Compliance
Countries have their own regulatory obligations for retaining data. Any data subject to these requirements must be handled with care, especially the ones subject to compliance eDiscovery. If you fail to follow the laws, you might end up facing fines and penalties. Moreover, failure to adhere to compliance requirements can lead to government information requests, which can quickly transform into fines, expensive legal battles, and even jail time.
In the United States, different industries have different regulations and depending on the industry you are in, it is imperative that you meet these requirements:
Protected health information is information about the health of an employee that can be potentially linked to their identity. The Health Insurance Portability and Accountability Act (HIPAA), established in 1996, created regulations for protected health information. When you have to store or transmit this information, there are certain procedural and policy requirements that you must implement to safeguard it.
The Financial Industry Regulatory Authority (FINRA), Securities and Exchange Commission (SEC), PATRIOT Act, Gramm-Leach Bliley Act (GLBA), and Dodd-Frank Act impose obligations on organizations in the financial sector. For example, FINRA has established requirements for capturing, archiving, and monitoring trader/broker communications. As per these requirements, you must have a supervisory review process in place.
According to the PATRIOT Act, there must be an identity trail for customers who are opening new accounts. The GLBA has created rules for the privacy of customers’ financial information and has laid down standards for protecting this information. The Dodd-Frank Act created the Financial Stability Oversight Council which supervises controls on financial institutions.
As per the Sarbanes–Oxley Act of 2002, publicly traded companies are required to retain their financial records for up to seven years. If SEC conducts a review, this information must be made available.
Publicly Traded Organizations
According to the Federal Acquisitions Regulations (FAR), all the contractors working for the US federal government must retain hard copies and electronic records for 2 to 4 years. This is applicable to organizations offering services as well as goods.
Organizations Serving the Federal Government
The Freedom of Information Act (FOIA) gives all US citizens the right to request full or partial disclosure of information and records controlled by the US government. This covers any federal entity other than Congress and the Judicial branch. Federal agencies have been directed to cooperate with the requesters. Agencies can respond to these requests on a first-come-first-basis. However, eDiscovery can help expedite this process.
Local, State, and Federal Governments
The Homeland Security Act has established energy distribution, chemical manufacturing, and transportation facilities as high-risk operations. These organizations have strict recordkeeping and security requirements that they must adhere to.
Different nations have their own sets of regulations. The most common example of this is the EU Data Protection Directive for data privacy in the European Union. The United Kingdom has similar regulators for its financial institutions. Such organizations have critical compliance obligations that must be adhered to.
How to Ensure Compliance With eDiscovery Requirements
- Figure out the compliance eDiscovery requirements applicable to your business. Depending on the industry you work in, you might have different compliance and eDiscovery requirements.
- Go through each rule thoroughly multiple times.
- Determine if the rules are applicable to specific use cases of your businesses. If they are, you must either comply with it or change your practice to avoid adhering to the rule.
- Create processes and employ tools to ensure that you can comply with all the applicable rules.
- Document the policy that formalizes this approach.
- Train your employees to comply with the laws and provide them with the necessary software or technical support.
About a decade ago, eDiscovery was conducted manually. Fortunately, there are tools available online that can provide you with automated compliance discovery solutions. Some of these solutions like Casepoint use Artificial Intelligence (AI) to help with data collection and review stages. Make sure that the compliance discovery solutions integrate with your system and are easy to use. If you are opting for cloud-based compliance discovery solutions, they should have the right security controls. The solution provider should have experience with eDiscovery and digital analysis so that they know the security controls that must be put in place to preserve your data.