Because law firms become repositories of client data as part of their engagements, it is no surprise that they are increasingly under attack from cyber criminals seeking to steal private, sensitive, and even privileged information. Lawyers have an obligation to protect privileged client information, and firms must make reasonable efforts to prevent unauthorized disclosure of or access to it. That duty extends to data involved in eDiscovery. Whether firms handle eDiscovery in-house or rely on consultants for the electronic discovery process, they must ensure that the security of their eDiscovery tools meets those obligations.
Keeping eDiscovery tools behind the firewall of one’s own corporation, firm, or vendor is no longer the best option for most organizations. Few have the technical expertise, budget, and scalability to securely manage terabytes or petabytes of legal data in-house; multinational organizations and financial institutions are among the very few entities that can support such infrastructure. Most other organizations rely on cloud-based software and outside expertise for eDiscovery.
The fight to keep data safe is complex and expensive. According to figures reported by CSO Online, data breaches in 2020 cost companies an average of $3.86 million. (https://www.csoonline.com/article/3434601/what-is-the-cost-of-a-data-breach.html#:~:text=The%20average%20cost%20of%20a,over%20the%20last%20five%20years.)
The number of identified attacks on law firms, corporate legal departments, and their eDiscovery vendors is also increasing, jeopardizing attorney-client privilege among other harms. Law firms and corporate legal departments must have answers to difficult security questions before engaging an eDiscovery expert. They should know whether their eDiscovery experts:
- Ensure basic cyber hygiene, including routine patching, user awareness, trained network defenders, and 24/7 monitoring.
- Have defined information assurance processes that identify the risks associated with their hardware and software and the mitigations for them, and periodically review user permissions and access across the entire organization.
- Train users to recognize how ransomware attacks present themselves, how to avoid them, and how to report them to information security staff.
- Control access to all data in their custody through physical and/or logical segregation and the principle of least privilege, and employ automated protections such as access controls, file integrity monitoring, and both system and file system monitoring tools.
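To make the last item concrete, here is an added example (not from the original article, the EDRM, or any vendor's product) of the kind of file integrity check a vendor's tooling should run over a document repository: hash every file into a baseline manifest, store that manifest somewhere the repository's users cannot write, and later report anything modified, added, or removed. The directory layout, file names, and contents below are constructed sample data, not real client material.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root; keys are POSIX-style paths relative to root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Return which files were modified, added, or removed since the baseline was taken."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small production set, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "custodian_a").mkdir()
        (root / "custodian_a" / "email_0001.eml").write_bytes(
            b"From: a@example.com\r\nSubject: Q3 forecast\r\n")
        (root / "custodian_a" / "contract.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (root / "load_file.dat").write_bytes(b"DOCID|BEGBATES|ENDBATES\n")

        baseline = build_baseline(root)
        # In practice the manifest lives outside the repository, write-protected or signed,
        # so that whoever can alter the documents cannot also alter the record of them.
        manifest = json.dumps(baseline, indent=2)

        # Simulate tampering: edit one document, delete the load file, add an unexpected file.
        (root / "custodian_a" / "email_0001.eml").write_bytes(
            b"From: a@example.com\r\nSubject: Q3 forecast (edited)\r\n")
        (root / "load_file.dat").unlink()
        (root / "custodian_a" / "notes.txt").write_bytes(b"unexpected\n")

        return compare_to_baseline(json.loads(manifest), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three categories of change. In a real deployment the comparison would be scheduled, the manifest kept under separate access control, and any non-empty result routed to the vendor's monitoring team, since documents under legal hold should never change silently.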
Law firms must defend against a security breach at every stage of the eDiscovery process in order to protect attorney-client privilege. While security practices are not yet standardized across the eDiscovery industry, the EDRM offers a useful Security Audit Questionnaire to help firms and corporations evaluate their vendors.