Now - Evidence Exchange

3/16/2015
How Secure Is Your Company’s E­Discovery Program? | The Metropolitan Corporate Counsel
How Secure Is Your Company’s E­Discovery Program?
Monday, March 16, 2015 ­ 10:46
AlixPartners LLP
David J. White
Matthew Cohen
It is difficult to look at a newspaper these days
without seeing at least one article disclosing a
major data breach, and it’s no wonder that
corporate executives and counsel are scrambling
to secure their environments and avoid
becoming the next headline. To this end,
companies are cataloging information assets,
auditing access controls, testing firewalls, and
reviewing privacy and security programs as a David J. White
whole. After the Target breach implicated the
Matthew Cohen
company’s HVAC services vendor, many companies started reviewing third­party contractual
arrangements and access control policies. The Home Depot breach also started with a hacked
vendor, further increasing scrutiny of vendor access rights. One area that hasn’t received
much attention, however, is the downstream transfer of corporate data in connection with
litigation and regulatory matters to e­discovery vendors, outside counsel, experts and
opposing parties.
As holders of the company’s most valuable and secret documents, legal departments are a
prime target for hackers. At the heart of any legal matter are the documents that have been
gathered for the purpose of asserting or defending the claims and for disclosure in discovery,
and in a typical litigation or regulatory investigation, many are central to the company’s
operations, including employee and customer personally identifiable information (PII),
company financials, intellectual property, confidential agreements, deal papers, transactional
records, and other highly sensitive and proprietary information. More importantly, the legal
department usually has the authority to override the company’s security controls, allowing it
to investigate and gather records from highly secure systems and extract that data for use in
legal matters. The downstream storage, use and sharing of this extracted information presents
one of the biggest security gaps in many companies, yet it often goes unchecked.
The discovery lifecycle involves many parties. Once collected from its original source,
information is often copied to mobile media and transported for processing and review by
outside e­discovery vendors and/or outside counsel. In preparation, copies may be held in
staging areas on a file server or on storage area networks (SANs) or network attached storage
(NAS) within the company. Because staging areas generally are not set up to store sensitive
data, they are not as secure as the original data sources. Once collected, data is often shipped
http://www.metrocorpcounsel.com/articles/31977/how­secure­your­company%E2%80%99s­e­discovery­program
1/5
3/16/2015
How Secure Is Your Company’s E­Discovery Program? | The Metropolitan Corporate Counsel
using common carriers. While it’s easy to ensure portable media are encrypted before
transport, this isn’t always done due to time or resource constraints or simply a lack of
training or awareness. Further, some media, like legacy backup tapes, can’t be encrypted and
must instead be physically secured and properly transported.
Protecting Information Prior To Production
Correcting these security gaps before the data leaves the company’s custody is easily
accomplished by mapping the flows and implementing policies to close the holes through
encryption, anonymization and access controls. However, protecting the data once it is in the
hands of others is more difficult. And there are many hands, including e­discovery and data
restoration vendors, the company’s own expert witnesses and outside counsel, opposing
counsel and their witnesses and vendors, governmental agencies, and various courts and
tribunals, just to name a few. For example, in labor and employment class actions, defending
companies often collect the PII of tens of thousands of employees. This data remains
vulnerable to hackers at each handoff or delivery, both in transit and while at rest in the hands
of each party in the chain. How do you control the security practices of these actors and
ensure that data is properly disposed of at the close of the matter?
Dealing with vendors, experts and attorneys with whom you have a contractual relationship is
the easiest. These contracts should ensure that outside parties are legally obligated to
adequately protect the company’s data and are fully liable for loss or inadvertent disclosure,
and that the company has the right to audit and enforce these requirements. Reviewing their
security practices and certifications should include independent third­party testing and
certification. While disclosing test results will be a security concern, vendors should be
comfortable disclosing executive summaries that describe testing methods and an overall
“rating” when requested. The goal is to make sure the service provider’s security meets or
exceeds regulatory requirements within your industry, or at least meets appropriate standards
for the data being handled. Anything less poses too much liability for the company.
Ensuring that vendors have adequate security programs isn’t just good practice, its likely
required by law for many companies. For example, the U.S. Department of Health and Human
Services’ HIPAA Omnibus Final Rule clearly places the responsibility for data privacy and
confidentiality on the covered entity, meaning the data owner, even as the data moves
downstream to outside vendors. Similarly, in a recent examination priorities letter, FINRA
reminded firms that
[O]utsourcing covered activities in no way diminishes a broker­dealer’s responsibility for
1) full compliance with all applicable federal securities laws and regulations, and FINRA
and MSRB rules, and 2) supervising a service provider’s performance. Outsourcing will
be a priority area of review during 2015 examinations, and will include an analysis of the
due diligence and risk assessment firms perform on potential providers, as well as the
supervision they implement for the outsourced activities and functions.
Further, the SEC's new guidance requires that companies disclose not only material
cybersecurity events when they occur but also potential material risks. When outsourced
functions carry material risks, the guidance requires a description of the functions and how the
company manages the associated risks. When a company suffers a data loss in this context, a
material issue may need to be disclosed or, further, may give rise to a shareholder claim that
http://www.metrocorpcounsel.com/articles/31977/how­secure­your­company%E2%80%99s­e­discovery­program
2/5
3/16/2015
How Secure Is Your Company’s E­Discovery Program? | The Metropolitan Corporate Counsel
the company should have disclosed the (now apparent) material risk before the incident
occurred. The best defense in such circumstances is the company’s due diligence in selecting
the vendor and vetting its security certification.
Given these fiduciary and legal obligations, corporate counsel cannot be expected, nor do they
have the means, to independently verify every outside partner’s security programs. Reliance
upon independent third­party certification is the only viable solution, and service providers will
have to keep up with prevailing certifications in today’s evolving markets, or risk losing their
client base. The biggest challenge for service providers has been
choosing which certification(s) meet their client’s
regulatory needs and unique legal requirements,
each of which also takes considerable time and
money to measure against. For example, it could
potentially cost several million dollars and take one
to two years to complete the design and
implementation of a security policy and necessary
procedures to meet banking industry standards, such
as SSAE 16 SOC 2, the Service Organization Controls
("SOC") framework established in 2011 by the
American Institute of Certified Public Accountants.
Furthermore, these requirements are similar to but
not the same as HIPAA requirements, which require
either an independent HIPAA audit against the OCR
HIPAA Audit Protocol or measurement against the
FedRAMP or NIST 800­53 standards. Therefore a
SOC 2­compliant service provider cannot
automatically tell healthcare clients that it also meets
healthcare industry standards; it must go through a
separate process, again at great cost. Looking to
overcome these issues for all companies with sensitive data, the White House released the
Cyber Security Framework (CSF) developed by the National Institute for Standards and
Technology (NIST) in 2013. Initially set up as a voluntary framework only for businesses that
operate as part of the country’s critical infrastructure, the CSF has become the defacto
measurement standard for many cyber­insurance carriers and courts considering liability,
making it mandatory for industries in and out of the critical infrastructure.
Importantly, the NIST CSF is not a certification, nor does it mandate specific controls or
requirements, but rather is designed to initiate discussion about how to manage risk. It is also
purely a U.S. construct and not recognized internationally. Therefore, vendor practices that
are consistent with the NIST framework may be insufficient. In response, leading vendors are
investing in certification against the International Standards Organizations (ISO) family of
cybersecurity standards revised in 2013, commonly called ISO 27000. Recognized globally,
these standards outline hundreds of potential controls and control mechanisms. For example,
ISO 27001 defines how to implement, monitor, maintain and continually improve the
organization’s information security management system. It reaches well beyond NIST and
focuses on protecting all types of information, not just information stored or processed in IT
http://www.metrocorpcounsel.com/articles/31977/how­secure­your­company%E2%80%99s­e­discovery­program
3/5
3/16/2015
How Secure Is Your Company’s E­Discovery Program? | The Metropolitan Corporate Counsel
systems. Also, unlike the NIST Cybersecurity Framework, ISO 27000 clearly defines which
records are needed for certification, and what minimum standard is to be implemented.
Finally, ISO 27018 establishes commonly accepted control objectives, controls and guidelines
for implementing measures to protect PII. These controls enable vendors to make two
important commitments: first, to establish defined policies for the return, transfer and secure
disposal of PII and, second, to proactively disclose the identities of sub­processors and inform
the customer if data is ever requested by law enforcement agencies. For these reasons, ISO
27000 is quickly becoming the mandatory standard for measuring service providers, though
due to its relative newness and the time required to certify all operations, many are still in the
process of independent certification.
Protecting Information After It Has Been Produced
It is much more difficult to protect information produced to adverse parties, tribunals and
downstream entities, such as their vendors and experts, with whom you do not have
contractual relationships. Traditionally this is dealt with through the meet­and­confer process
or other negotiations aimed at securing binding agreements to protect transferred data. Court
orders may be sought when agreement is not forthcoming. Counsel should ensure that any
obligations imposed by a stipulated or court­mandated protective order extend to each party’s
data­sharing partners. In fact, doing so may be required in cross­border discovery involving
information regulated by countries with strict data privacy laws. The catch here is that while
you, as the producing party, may be able to obligate receiving parties to protect your data as
if it were their own, there are presently no mechanisms to audit or otherwise ensure those
obligations are being met. While parties may have post­disclosure recourse, they have
virtually no power to manage the risks of inadvertent loss. We know of no matter where a
litigant has successfully resisted the production of discovery on the basis of a vendor’s
inadequate substantiation of data protection capabilities or its refusal to allow an audit of its
security practices. Until certification becomes more common and expected, this conundrum
will persist.
Additionally, protective orders should include provisions for the final disposition of information
from all downstream participants at the close of the matter, and counsel on both sides should
follow through. They should also cover any derivative works and provide for written
certification that the data was either securely destroyed or that it has been returned to the
producing party, including copies made for disaster recovery purposes. Similar efforts should
be made to clean up data held by your own service providers, which may still be sitting on
corporate staging areas or otherwise held outside of routine retention schedules by custodians
or system stewards.
Conclusion
In leaving these issues unresolved, the legal department can present a gaping hole in
corporate data security programs; however, closing the gap is relatively easy. Counsel simply
needs to consider the entire lifecycle of discovery­related information and establish proper
security measures at every stage. They should take time upfront to decide what level of
protection is deemed adequate for their industry and for the type of information they are
handling, and to properly vet service providers. The cost of doing so is extremely small
compared to the reputational and financial costs of a data breach.
http://www.metrocorpcounsel.com/articles/31977/how­secure­your­company%E2%80%99s­e­discovery­program
4/5
3/16/2015
How Secure Is Your Company’s E­Discovery Program? | The Metropolitan Corporate Counsel
David White is a director at AlixPartners LLP, where he advises clients on information
governance, information security and electronic discovery. Matthew Cohen is a managing
director at AlixPartners, where he co­lead’s the firm’s global electronic discovery practice and
advises clients involved in regulatory investigations and litigation. Please email the authors at dwhite@alixpartners.com and mcohen@alixpartners.com
with questions about this article.
Disclaimer • Privacy
The Metropolitan Corporate Counsel, Post Office Box 1399, Mountainside, NJ 07092.
Contact us at info@metrocorpcounsel.com © 2015The Metropolitan Corporate Counsel All rights reserved.
http://www.metrocorpcounsel.com/articles/31977/how­secure­your­company%E2%80%99s­e­discovery­program
5/5