In a recent blog post by my friend Craig Ball, he notes that litigators have proven obstinate when it comes to adapting discovery practice to changing times and threats, making them easy prey for hackers and data thieves. As Craig observes, data breach headlines have forced corporate clients to bolster their data protection, often dragging reluctant outside counsel along for the ride, insisting that they do more to protect personally-identifiable information (PII), protected health information (PHI), privileged information and, above all, information lending support to those who would sue the company for malfeasance or regulators who would impose fines or penalties.
Corporate clients are making outside counsel undergo security audits and requiring that their lawyers institute operational and technical measures to protect company confidential information. These measures include encryption in transit, encryption at rest, access controls, extensive physical security, incident response capabilities, cyber liability insurance, industry (e.g., ISO) certifications and compulsory breach reporting.
Craig's post focuses on the vulnerabilities of requesting parties (or, as corporations call them, "plaintiffs' lawyers") and their experts and litigation support providers. They often find themselves unprepared to supply the rigorous cybersecurity and privacy protection that is a condition of e-discovery. Craig worries that security concerns will be used tactically to deflect and defer discovery, saying that they will serve as hurdles and pitfalls tending to make plaintiffs' lawyers think twice before pursuing meritorious cases. What he suggests is that requesting parties must be ready to put genuine protections in place and articulate them when challenged.
As I too have seen, requesting parties obligingly sign a protective order – without the ability to meet the obligations of the order. This must change – the obligations of a protective order are serious – parties cannot go about business as usual. As Craig observes, "business as usual" includes e-mailing confidential data, storing it on unencrypted media and failing to ensure that all who receive confidential data from counsel handle it with requisite caution.
This kind of conduct will result in a breach, which will ultimately come to light, opening counsel's mishandling of produced data to scrutiny and prompting discovery-about-discovery. The failure to set up secure systems, establish policies, train employees, test and audit processes and require contractors and experts to do the same will be dissected in court. The producing party will claim irreparable harm, the legal press will zero in on the case, and the judge will be angry.
Producing parties will cite that case when arguing about the hazards of e-disclosure, and heretofore innocent requesting parties will find themselves tarred by the brush of the cited case. Judges may be less willing to grant full and fair discovery and more willing to impose arduous conditions for access.
Craig suggests that requesting parties act now to prepare to receive and protect confidential data sought in discovery.
He offers a dozen suggestions, worth repeating in their entirety:
- "Take cybersecurity duties seriously. It's not someone else's job. It's your job. You are the gatekeeper. This is Rule One, not by accident.
- Don't just treat an opponent's confidential data with the care you afford your own; treat it better. It's like money in your trust account. You don't treat client monies/data like your own. You don't commingle client monies/data with yours, and you don't use that money/data for anything but permissible purposes with careful recordkeeping.
- If there's a protective order, read it closely and be sure you fully understand what it obliges you to do in terms of the day-to-day conduct of any who access confidential information.
- A proper chain of custody is essential. You must be ready to establish who received confidential data and the justification for its disclosure. You must be able to prove you had a good faith basis to believe that the person receiving confidential data understood the need to protect the data and possessed the resources, training and skill to do so. This obligation encompasses anyone who gets the data from you, including experts, clerical staff, associated counsel and service providers. Anyone with access to confidential data must be well-prepared to protect the data because their failure is your failure.
- Proceed with caution when disclosing confidential data to experts. Industry experts serve multiple masters and may seek to exploit confidential data obtained in one matter in other engagements. Secure the expert's written commitment not to do so, and enforce it. As well, don't supply confidential data to an expert without first obtaining the expert's consent to receive and protect it. People who appreciate the burden of protecting other people's sensitive data want to hold as little of it as possible.
- Recognize that you don't get to decide what data warrants protection. The designation rules. If you think something isn't properly designated as confidential or sensitive, challenge the designation; but, until the other side concedes or the Court rules, the designation sets the duty.
- Confidential data should be encrypted in transit and at rest. This means that none of the confidential data gets attached to an e-mail, moved to portable media (e.g., a thumb drive or a portable hard drive) or uploaded to the cloud unless it is encrypted. No exceptions. No excuses. BTW, if you store or transmit the decryption keys alongside the encrypted data, it doesn't count as encrypted.
- Perimeter protection isn't enough. The biggest risks to confidential data are internal threats, that is, from a craven or careless member of your own team. Trust but verify. Access to confidential data should be afforded only on an as-needed/when-needed basis.
- Access to confidential data must be monitored and logged, as feasible. Remote access and after-hours access should be audited. Safeguard the other side's confidential data in much the same manner as banks protect the contents of safety deposit boxes: There is physical security (walls, doors, alarm systems and guards) and monitoring of the perimeter (cameras and key cards). There's a vault to keep all contents safe when the perimeter is breached, and access controls to make contents available only to authorized persons (dual-keyed boxes and ID/signature scrutiny). Data protection also incorporates elements of perimeter security (limiting physical access to the devices and systems), monitoring (logging and auditing), a vault (strong encryption with sound key management) and access controls (two-factor log in credentials and user privilege management).
- Have a written data security and incident response policy and protocol in place and conform your practice to it. Be sure all employees with access to sensitive and confidential data agree to be bound by the policy and train everyone in proper cybersecurity. You must first recognize a risk to be prepared to meet it. "No one told me to do that" is not the testimony you want to hear when your staff take the stand.
- Be wary of oppressive obligations to destroy or "return" data when a case concludes. Confidential case data tends to seep into mail servers, litigation databases, document management tools and backup systems. Are you prepared to shut down your firm's e-mail and destroy its backup media because you failed to consider what an obligation to eradicate data would really entail? Have you budgeted for the cost of eradication and certification when the case concludes?
- Consider cloud-based storage and review tools that integrate encryption, two-factor authentication and access logging. The cloud's key advantage lies in a user's ability to shift many of the physical and operational burdens of cybersecurity to a third-party. It's not a complete solution, but it serves to put a secure environment for confidential data within reach of firms of all sizes."
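One way to put the monitoring point in that list into practice, as an added example that is not from the original post or from Craig: a short Python audit over a constructed access log that flags the three conditions the list calls out (access by someone not on the authorized roster, after-hours access and remote access to designated confidential material). The log format, business hours, roster and office network range are assumptions for the illustration.

```python
# Added example (not from the post): audit a constructed access log for the
# exceptions the list says to watch for. Only material the producing party
# designated CONFIDENTIAL is audited, because the designation sets the duty.
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Hypothetical protective-order roster: the only users cleared to open
# CONFIDENTIAL material in this matter (assumed values).
AUTHORIZED = {"areviewer", "bparalegal"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))          # assumed local office hours
OFFICE_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed firm LAN range

# Constructed sample log, one access per line:
# ISO timestamp, user, source IP, designation, document id
SAMPLE_LOG = """\
2024-03-04T09:15:02 areviewer 10.20.4.17 CONFIDENTIAL DOC-00042
2024-03-04T23:40:11 areviewer 10.20.4.17 CONFIDENTIAL DOC-00043
2024-03-05T10:02:45 bparalegal 203.0.113.9 CONFIDENTIAL DOC-00044
2024-03-05T11:30:00 intern01 10.20.7.3 CONFIDENTIAL DOC-00045
2024-03-05T12:00:00 intern01 10.20.7.3 PUBLIC DOC-00046
"""


@dataclass
class Finding:
    user: str
    doc: str
    reason: str


def audit(log_text: str) -> list[Finding]:
    """Return one Finding per policy exception; a single line may raise several."""
    findings = []
    for line in log_text.splitlines():
        ts, user, ip, designation, doc = line.split()
        if designation != "CONFIDENTIAL":
            continue  # non-designated material is outside the protective order
        when = datetime.fromisoformat(ts)
        if user not in AUTHORIZED:
            findings.append(Finding(user, doc, "not on authorized access list"))
        if not BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]:
            findings.append(Finding(user, doc, "after-hours access"))
        if ipaddress.ip_address(ip) not in OFFICE_NET:
            findings.append(Finding(user, doc, "remote access"))
    return findings
```

Each finding records who touched which produced document and why it was flagged, which is the chain-of-custody evidence the list says you must be able to produce.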
Is this a pain? Yes. Will it slow you down? Yes. Is it more costly? Yes. Is it absolutely necessary? Once again, yes. As Craig says, "E-discovery is hard enough. Don't make it harder by giving opponents the ability to claim you can't be trusted to protect their information."