Cloud Security & eDiscovery: Separating Myth, Fact, and Marketing Fluff
Cloud computing – or data storage in the cloud – is often touted as a cure-all for the woes of mounting ESI costs. Whether considering cloud computing for the home with storage backup services like Google Photos or iCloud, or considering cloud computing for a business process like eDiscovery, the same considerations apply: How do you know your data is really secure? How can you be sure you won’t be subject to a breach, and how can you ensure your provider doesn’t accidentally lose or delete your data – or do something illegal with it (intentionally or by mistake)?
When it comes to personal privacy, these questions are worth serious consideration. And when it comes to litigious – or potentially litigious – data involved in corporate litigation or regulatory investigations, these questions can make or break a law firm or corporation’s reputation and significantly affect profitability. A cloud provider’s security vulnerabilities could, if exploited, not only compromise the security of its clients, but also extend culpability to any of the provider’s clients who didn’t properly vet their vendors.
So what can lawyers who handle large amounts of litigious data do to ensure that their firms, corporations, and their ownreputations are secure when working with the many vendors who handle and store discovery data on behalf of legal clients?
Understand What the eDiscovery Cloud – and Cloud Security – Actually Entails
Before cloud storage, businesses would have to make large, up-front investments in hardware (servers and other data storage equipment) and software, just to do business at all. This in spite of the fact that very few businesses were explicitly in the “data storage and management” business. Even a restaurant supply company – in the business of storing, transporting, and distributing food and ingredients to restaurants – would need to home-grow some expertise in data storage and management just to be able to support their own business.
This meant that data security was wildly variable from organization to organization. Even law firms – perhaps especially law firms – had wildly variable approaches to keeping clients’ data safe and well-managed.
Enter “the cloud.”
What is the eDiscovery Cloud?
The cloud is simply a data center – containing varying levels of hardware and software, housing variable amounts of data – all accessible via secure logins via the internet. That’s it.
“The cloud,” then, in the context of litigation discovery, solves the problem of businesses having to invest, up-front, in their own hardware (expensive servers, networking equipment, and so on) and software (programs to organize and manage data stored on those servers) in order to do their actual, revenue-generating work. The cloud enables companies and firms to outsource these activities to a third party by simply paying a usage-based monthly fee, thereby significantly reducing any one organization’s startup costs.
Some of the more well-known, consumer-facing names in cloud outsourcing are Microsoft Azure, Oracle Cloud, and Amazon Web Services (AWS). And, one of the largest names in business-facing cloud computing is Office 365 – a cloud-based service that doesn’t replace, but changes the delivery mechanism for, programs most of us are already familiar with: Microsoft Outlook, Word, Excel, PowerPoint, and more. This allows users of these programs to – instead of buying each individually, and upgrading periodically – they pay a subscription fee to log into the programs and use them over the internet. In turn, their data is stored in a Microsoft data center rather than locally on their own computers, or in their companies’ backup servers.
What Makes the eDiscovery Cloud Secure?
Since the cloud is essentially just a data center, the same things that make a data center secure – or vulnerable to risk – are the same things that make “the cloud” secure: The processes – both physical and virtual - put in place around that data center, the training surrounding those processes, and the people and mechanisms that enforce compliance with those security processes.
Some “best practice” security standards and processes include:
- - Access controls: An eDiscovery provider should have controls in place for who has access to their data center, as well as who exactly can access your data, software, and hardware.
- - Network practices: A good vendor should have documentation showing they’ve established, implemented, and currently maintain an information security and information governance framework that enables their security team members to detect incidents, investigate effectively, and respond quickly and thoroughly.
- - Regular audits: All eDiscovery providers should be regularly audited by all data security auditing organizations for continual compliance.
- - Risk assessments: eDiscovery providers should conduct regular internal and external risk assessments on their own security practices – as well as those of any vendor they contract with. Savvy attorneys may wish to contract with third parties (or their own procurement departments) to conduct their own risk assessments.
- - Backups: All eDiscovery providers should understand the importance of data backups. It’s crucial for all organizations to have a full working backup of data to combat attacks and to be disaster-ready.
- - Use Policies: Clearly outlined requirements and expectations for all new hires and any third parties that access the data.
- - Incident response playbook: A seasoned eDiscovery vendor will have a plan in place to quickly and thoroughly respond to any data breach, including an in-depth transparent communication plan for their clients.
- - User awareness programs:Providers should have periodic communication programs to all users to remind them of compliance obligations and processes.
- - Formal information security trainings: Every new user, employee, and contractor should receive in-depth, in-person security training and pass thorough follow-up knowledge tests.
- - Security staff:Your eDiscovery provider should have a full-time staff of certified information security professionals.
- - Data loss prevention processes: Users stealing data – even unintentionally – is a major threat. Providers should control access, monitor vendors and document review contractors, andemployees to reduce data leakage.
- - Insider threat risk reduction: Put in place robust user activity monitoring processes to prevent, detect, and mitigate insider threats.
- - Physically secure location: The most secure data centers are located in regions not prone to earthquakes, floods, hurricanes, and other natural disasters.
- - Well-designed: A secure data center should have limited entry points, so that entrance to the building can be controlled and monitored.
- - Barriers: Additional physical security features can include fencing, concrete walls, and landscaping features designed to limit access and reduce vulnerability to outside elements.
What Makes the eDiscovery Cloud Insecure?
While no one eDiscovery provider can completely eliminate the risk of a data breach or other cybersecurity incident when faced with a determined threat, the best providers can reduce the risk significantly.
When choosing a legal services or eDiscovery provider, there are a few red flags that can help you determine when you might be working with an inexperienced provider:
- - Lack of overall experience: If your eDiscovery services provider isn’t well-established, they may not have had the experience handling high volumes of sensitive data subject to litigation, regulatory restrictions, or export controls.
- - Lack of internal security processes: There is a strange (and false) perception that having a cloud-based environment alleviates your organization from any internal security practice. For example, if we offloaded our entire environment into AWS, we still would have to have our own internal security posture (data encryption, ISO 27001 certification, physical & network security standards, etc.).
- - Software experience without service delivery experience:Many software makers may wish to grant direct access to their platform to users without the intermediary of an experienced service delivery organization. if your provider is a software maker that recently added a “service delivery” component to its offering, they may not have the robust people, processes, and policies in place to properly secure your – and your clients’ – data.
- - Marketing fluff: Beware of hype around technology that’s “cloud-based.” If the technology is exactly the same as what you may have been using previously – but you’re hearing a lot of hype in the marketplace about the fact that it’s now “in the cloud,” that’s a sign you may want to dig deeper. The benefit to you, the user organization, of cloud vs. “not cloud” isn’t necessarily immediately apparent. The benefit, in fact, may be to the company selling the technology.
The Smart Lawyer’s Data Security Checklist: Five Things to Know
Any lawyer evaluating an eDiscovery provider should arm themselves with as much information as possible about data security processes, practices, and qualifications. Always ask your eDiscovery service providers – cloud or otherwise – to show you evidence of:
- 1. Detailed security processes & enforcement policies
- 2. Regular security trainings & user engagement programs
- 3. Experience handling – via the cloud – large amounts of data similar to the type of data you’ll be entrusting to them
- Ask for reference clients and interview them extensively
- 4. Experience handling “specialized” data processes, including data subject to export controls, or data
- 5. Experience handling – and recovering from – a security incident.
- Ask for details about how they communicated with their clients and what specific playbook or ready-made process they deployed in the situation. If possible, speak to the reference client they name.
While data risk cannot be reduced to zero during discovery, smart lawyers can use this checklist to ensure their providers are as secure, ethical, and conscientious with their and their client’s data as humanly possible.