Electronic discovery or eDiscovery has become a critical component of modern litigation and investigations. Electronic devices such as smartphones, cameras, and even drones and vehicles may hold information pertinent to cases, which makes eDiscovery necessary for collecting, reviewing, and producing evidence in an increasingly digital world.
This particular discovery process deals with electronically stored information (ESI), which includes emails, text messages, audio or video recordings, images, and other digital records relevant to litigation disclosure. But because some ESI are confidential and valuable in nature (e.g., intellectual property, customer and client information, corporate secrets), eDiscovery repositories have become desirable targets for cybercriminals.
How does eDiscovery expose law firms to cybersecurity risks?
Data is at its most vulnerable and carries the highest probability of loss when it is in transit. Unfortunately, the very processes of eDiscovery and disclosure hinge on the transfer of ESI across relevant parties, such as when ESI is brought into a law firm’s network or sent to litigation opponents to be processed. And depending on how complex an eDiscovery project or a case is, several inbound and outbound ESI transfers may take place.
This poses a significant risk, as constantly moving ESI is more likely to be intercepted — even more so if the data is sent through unsecure channels or methods. What’s worse about the latter is that it may also expose a law firm to ESI that had been infected with viruses or malware during the transfer.
Another eDiscovery security challenge for law firms is data retention. Many offices have data or records just sitting on their computers with no expiration. This increases their risk profile substantially, as readily available, unprotected data is an easy and preferred target for cybercriminals.
But perhaps the biggest risk associated with eDiscovery is when lawyers and staff assume that they understand the nuances of managing ESI without having the necessary training and skills. For example, it may seem harmless for a paralegal to take a business laptop home and use their home Wi-Fi network to work on an eDiscovery project. However, if their Wi-Fi is unsecure, then they could actually put a law firm and its clients at risk.
The legal industry is being targeted more and more by cybercriminals, as law firms are often slow to embrace new technologies and adopt cybersecurity policies and best practices. It’s therefore critical to ensure that sufficient protocols are in place to defend against the elevated risk of ESI theft or leakage.
Why do hackers steal eDiscovery-related data?
Be it personally identifiable information, executive communications, or financial arrangements, the amount of eDiscovery data that a law firm handles is vast. A cybercriminal would want to steal these to:
Launch an organized attack to find highly confidential or restricted information and hold it for ransom
Inflict reputational damage to a competitor to gain a competitive advantage (especially if the targeted information includes intellectual property or trade secrets)
Sell the data on the dark web or to competitors
Any of the given scenarios would have adverse impacts on your law firm. Not only would you risk breaching state, federal, and international laws, but you would also risk losing clients, damaging your reputation, and incurring penalties and fines.
Thus, it’s important to take reasonable steps to ensure all eDiscovery data is produced and stored securely. At the same time, data must be easy to retrieve so as to avoid costly sanctions for failing to meet court-imposed deadlines.
How do law firms protect eDiscovery data?
To protect your law firm from eDiscovery-related data breaches and security incidents, you must:
1. Prioritize data security
eDiscovery is often delegated to junior associates or paralegals, but all projects require the help of a qualified IT security professional to guarantee the privacy and security of ESI. They will ensure that only appropriate and relevant information are included in the search, and that the capture process is strictly managed according to digital forensic procedures.
Once evidence is captured, only the eDiscovery team must have access to it. And if the ESI includes personal information, data protection laws must be observed. An untrained professional could make several mistakes in this process and potentially contaminate evidence or violate data protection laws.
2. Implement an eDiscovery policy
Lay out the processes and procedures to be followed in every eDiscovery project to eliminate any possibility of data theft or leakage. Having a defined set of steps, diagrams, or checklists can ensure that eDiscovery tasks are carried out correctly and privacy and security considerations aren’t overlooked.
It’s also well worth including in your policy measures to manage as well as reduce the number of ESI transfer points. Not only should transfers be done through encrypted channels, but once data is received, it should be stored in a repository designed specifically for safeguarding ESI.
3. Negotiate a protective order
You can minimize the potential for disputes and ensure that litigation parties have adequate eDiscovery security measures in place by negotiating a protective order that spells out everyone’s responsibilities. Include provisions such as:
- Allowing access to a party’s ESI only on a need-to-know basis and restricting it to computers in a secure area with limited physical access
- Encrypting and limiting the number of copies of ESI, as well as properly disposing all of these once the litigation is complete
- Returning any privileged or protected material inadvertently disclosed by the other party
- Assessing the security and privacy controls used by any eDiscovery vendors or other third-party service providers involved in a particular project
- Promptly notifying involved parties of a security breach involving ESI, taking steps to block any unauthorized access, and cooperating with any investigation
Adopting sound policies and best practices, as well as observing a well-crafted protective order, can help significantly reduce security risks associated with eDiscovery.
Robust cybersecurity measures are key
One of the most effective ways to reduce risk is to establish a strong cybersecurity culture and mindset across your law firm. Train your employees on the nuances of eDiscovery, and empower them with the tools for the best security. While this may incur more costs, this pales in comparison to the fines, lost revenue, and reputational damage following a breach or major security incident.
And if you need help implementing robust eDiscovery cybersecurity solutions, consider engaging external security specialists who can assess your vulnerabilities and recommend the best options to manage them.
We at Integrated Computer Services specialize in IT support for law firms. We'll make sure your Florida practice has the policies and supporting technology infrastructure in place to ensure the security, accuracy, and reliability of your eDiscovery projects. Get your FREE consultation today.