EDRM Code of Conduct/Principle 6 - Privacy and Security
From Working EDRM
The Principle
Service Providers should establish and implement procedures to ensure the security and integrity of all client information.
The Corollary
Clients should take reasonable actions to protect the privacy of their own information and not rely exclusively upon the processes of the Service Provider.
Discussion
When clients transfer electronically stored information ("ESI") to Service Providers, they expect the information to remain at least as private and secure as it was while in their own facility. Clients frequently make this assumption without inquiring about the Service Provider's privacy policy or security measures. When this confidence is shattered, it can result in conflict and litigation.
Service Providers have a responsibility to implement the highest level of security their budget will allow and to ensure that they comply with the privacy policies or rules set by the client, the industry, or the country from which the ESI originated. If there are inadequacies in their security infrastructure, Service Providers have a duty to reveal those weaknesses to clients so that the clients may make an informed decision.
Best Practices
- Service Providers should exercise reasonable diligence to remain knowledgeable and competent in the rapidly developing privacy and security laws applicable to electronic discovery.[1]
- Service Providers should implement the highest security measures reasonably possible to safeguard important client ESI.[2]
- Service Providers should disclose inadequacies in their security infrastructure so that clients can make an informed decision whether to assume the risk.[3]
- Service Providers must inquire as to the origin of the data to confirm that the data was not collected in violation of any national or international privacy laws.[4]
- Service Providers have the duty to promptly notify clients of any breach of privacy or security of their ESI while in the custody of the Service Provider.[5]
Examples
- Example - Best Practice 1: There are ample opportunities for Service Providers to remain up to date on privacy and security laws related to ESI, including groups such as EDRM and The Sedona Conference. Publications such as Law Technology News are provided at no cost to anyone who wishes. Events such as webinars produced by technology companies and meetings such as LegalTech give Service Providers methods of remaining current.
- Example - Best Practice 2: Service Providers must employ security professionals who exercise due diligence in implementing the most effective security measures appropriate for the ESI being processed.
- Example - Best Practice 3: Client contacts Service Provider and requests processing of highly sensitive trade secrets in preparation for litigation. If Service Provider is also processing the opponent's ESI and there are inadequate measures in place to ensure there is no commingling (for example, if Service Provider had security breaches in the past), the Service Provider must alert the client.
- Example - Best Practice 4: Service Provider receives delivery of sensitive personal information from the European Union, but the Service Provider is not a Safe Harbor. Service Provider should inquire whether the ESI was collected and transferred for processing under an exception provided by the country of origin's privacy laws.
- Example - Best Practice 5: Service Provider accidentally sends privileged documents to opposing counsel. Service Provider must inform the client of the security breach as soon as reasonably possible.