Unless data security is a fundamental concern that is considered and communicated at the start of each e-Discovery project, any small gap can quickly become a serious information management risk.
A loss of control can have profound consequences, not only because of the virtual impossibility of closing such gaps retroactively, but also for the defensibility of that data.
Reliable security should be an umbrella overarching the entire e-Discovery workflow, particularly when data is transferred or duplicated. Well thought out information security practices are the best way to mitigate these and other information security risks inherent in the e-Discovery process.
Here are five tips to help your organization address data integrity and security at every stage of the e-Discovery process.
1. Create a Culture that Values and Enforces Security Protocols
Adhering to, monitoring, auditing and updating security standards across your organization are clearly no small task. Responsibility is often assigned to the IT department, as many perceive data security to be a technical matter. Yet security experts know that one sure sign of an immature information security program is when IT is wholly tasked with managing its development, maintenance and enforcement. In truth, data security is an issue that touches every member of your organization.
Data security often suffers because of a lack of awareness of individual roles and responsibilities. Security is a collaborative process involving virtually every employee, across all departments. From shipping and operations to attorneys, legal support staff and executives, everyone must maintain a 360-degree view of the issues, goals and stakes involved. Tight information security requires documented processes and ongoing refinement that must be continually monitored.
Corporations, law firms and service providers all hold critical roles in each phase of e-Discovery, and a comprehensive information security plan should be made explicit at the outset of every e-Discovery project in order to instill the expectation that security is a critical, collaborative task.
2. Select Partners that Meet Strict Security Standards
Once you have made the investment in security internally, selecting vendors that share a commitment to security is critical. While many vendors tout their security credentials, only a select few have subjected themselves to the strict oversight, costly approval process and ongoing auditing required for certification under the internationally recognized ISO 27001 standard. While other certifications exist, only ISO 27001 requires adherence to a standardized set of 133 separate security controls, annual external audits and a full review for renewal every three years.
In international matters, cross-border data transfers are particularly sensitive. Data privacy laws vary widely by jurisdiction and certifications such as the E.U. and Swiss Safe Harbor demonstrate that international matters require different levels of security assurance.
Lastly, many RFPs focus solely IT security or entirely neglect to address information security. Cover security questions in RFPs, including details regarding encryption practices, how data flows throughout the organization and how it is tracked -- the people and processes. If a vendor lacks independently validated security certifications, it can be difficult to discern the level of security it is capable of providing. Selecting vendors that meet standards like ISO 27001 and have demonstrated success handling international matters means that you can be confident data security is a priority.
3. Limit Access, Handoffs and Data Duplication
Data integrity is exposed to risk whenever information is passed from custodian to custodian. If such handoffs feel like a leap of faith, you need tighter security. Data can be compromised in transit, and unless you have explicit guarantees that policies are in place and that those handling and receiving the data will manage it securely and responsibly, you must assume the worst.
Whether data is transferred internally or to contract review teams, vendors or outside counsel, the individuals who can view that information should be restricted to those with a business need to do so. When data is sent, ask hard questions: How many copies of the data will be sent? On how many hard drives? To whom will it be sent and when? Was the data received without incident?
By keeping these points in mind, you can determine who is in control of the data at each stage. Maintaining a clear chain of custody is critical for both security and defensibility.
4. Encrypt, Encrypt, Encrypt
Although it may seem obvious, and can be time-consuming, encrypting all deliverables that leave your organization is a key step in ensuring data security and limiting liability.
5. Remain Vigilant
Maintaining security is a constant task -- one that is rarely rewarded when it is maintained, yet harshly judged and punished when it is not. The consequences of failing to control and protect e-Discovery data can be significant, but by building information security awareness and practices into your organization, and selecting partners that place a similar premium on data integrity, you can help ensure that a breach will not happen on your watch.
The tips above are represent some general guidelines, but are by no means a comprehensive list. Each matter requires a fresh review of security policies and procedures, a reexamination of the reliability of your partners and a reaffirmation to your own employees that security is a top priority. The ability to establish and maintain data integrity should be viewed as a key, primary differentiator when selecting vendors and partners. Service providers may offer the latest technology and produce the more relevant data faster than a competitor, but one false step can render even the best data worthless.
Image courtesy of Maksim Kabakou (Shutterstock)
Editor's Note: To get more tips on data security, see Peter Spier's Enterprise Security: Your Biggest Risk is You