
E-discovery powers up legal processes


Q&A: e-discovery and cybersecurity

Jason Straight is senior VP and chief privacy officer at UnitedLex, which provides advisory services and data management solutions to corporate legal departments. A former practicing attorney who leads the Cyber Risk Solutions practice at UnitedLex, Straight spoke with KMWorld recently about e-discovery and cybersecurity.

KMWorld: Cybersecurity is a major concern to most companies these days. What cybersecurity considerations do legal practitioners need to think about during e-discovery?

Straight: Data must be protected during e-discovery just as it is when it is a part of any other business activity. The degree of security risk depends on the nature of the data. Standard business contracts might not be highly sensitive and thus create minimal risk, but exposure of intellectual property that represents the crown jewels of a company could be a major risk. Data that attackers go after most often, such as credit card and bank account information, is not frequently subject to e-discovery requests, but other types of highly sensitive data—such as executive communications, strategic projections and financial performance data—are often found in high concentrations in certain litigations. Unfortunately, the businesspeople who are in the best position to understand the risk value of the data are not those who are responsible for ensuring its protection during the discovery process—this function is carried out by the IT department or by the legal department. It is important for internal stakeholders to communicate effectively.

KMWorld: Are laws keeping up with the technology relative to e-discovery and cybersecurity?

Straight: The rapid pace of technology advancement makes it very difficult to effectively legislate around cybersecurity. Having said that, existing laws that create an obligation to protect certain classes of data, such as protected health information or other identity-related data, certainly apply in an e-discovery context. Protections applied in the ordinary course of business must be maintained through the e-discovery process. Privacy laws often come up in the context of discovery. In one recent case we handled, a U.S.-based company had data subject to discovery that was managed by an IT team in Asia but was stored on servers in the European Union (EU). The company needed to produce the data, but also had to comply with the privacy laws in the EU and potentially Asia. Most countries have their own laws that restrict the transfer of data within or outside the country, so companies must be aware of those laws.

KMWorld: Does e-discovery in the cloud present special security challenges?

Straight: In general, cloud providers understand that a data breach poses an existential threat to their business. If they lose a client’s information, especially in a sensitive context such as financial or legal activities, the reputation damage can be severe. The well-established companies understand this. Nevertheless, it is important to discuss with the provider what measures they are taking to protect your sensitive data. There has been quite a bit of fearmongering about the cloud, but for the most part, data can be as safe in the cloud environment as it would be within the organization—so long as best practices around access controls and other security measures are employed.

KMWorld: What are the three most important steps a company can take to improve its cybersecurity, both in the context of e-discovery and more broadly?

Straight: First, companies need to focus on protecting their most important and valuable data. Not everyone in a company will agree on what that is, but it’s essential to have this conversation. Second, since preventing attacks is nearly impossible—it’s a question of when, not if—companies need to have a response plan in place to minimize the impact. Finally, cybersecurity is no longer an IT problem—it needs to be addressed at all levels of the organization. Since key stakeholders are in the best position to understand which data losses would cause the greatest impact, they need to work closely with IT to communicate priorities so the appropriate protective measures can be taken.
