by Cary Tapscott
All corporations scrutinize eDiscovery vendors when it comes to security. Typically, this includes both a full security audit to make sure physical and virtual firewalls are up to date and penetration testing to find security weaknesses.
Until recently, though, many corporations were sending their data to law firms without checking the firms’ security.
Within the past 12 to 18 months, corporate clients have realized the vulnerability of their data at law firms, and the firms have been required to increase their data security in order to keep their corporate clients. Some law firms already had firewalls and policies in place, but they may not have been as robust as needed. Some firms may have been equipped to handle the added scrutiny and were ready for it, while others hadn’t been proactive until they were forced to be.
Obviously, most law firms will have some kind of firewall in place that they can show their corporate client. So what security protocols do law firms need to add that they don’t already have in place?
Chain of Custody
Clients need to know that the law firm will know exactly where their data is at all times, as well as who is in charge of it at each moment. Physical media should be bar-coded and labeled, and kept in a secure data and storage facility at all times, whether it is with the law firm or the eDiscovery vendor. The bottom line is that there should be no question that evidence could not have been altered at any point in the process.
Status of the Technology
As mentioned above, law firms should already have a firewall, but how new is their software? Do they audit their systems and protocols regularly?
Another consideration is Bring Your Own Device (BYOD) policies. Corporations want to be sure their outside attorneys’ devices – as well as the devices of anyone else who has handled their data – can be cleared remotely at a moment’s notice.
Separation of Data
One key part of data security at an eDiscovery vendor like DSi is separation of data. Data should be segregated so that not everyone in the facility has access to it. Law firms need to replicate this policy, making sure that data isn’t stored on a server where all employees could open it.
Protocols for USB Drives
USB drives are one of the greatest threats to data security. Law firms need protocols in place to ensure that data cannot be transferred to a USB drive, or other removable media, and taken out of the facility. There are a few ways to prevent this, including software upgrades and protocols set in the system.
DSi consistently provides proof of data security in the form of documentation or a tour of our facility. Law firms are increasingly being expected to provide the same proof. Simply having a firewall is no longer sufficient for corporate clients.
Data security is something corporations should speak about to any vendor that touches their data. The security measures an eDiscovery vendor takes are irrelevant if a law firm doesn’t have the same security in place. Data must be protected at every stage of the process.
For more information about data security, read this blog with five questions you should ask about data security.