Too many corporate legal teams don’t manage ediscovery data security rigorously enough in-house. They take even fewer precautions when sharing it with service providers. This can be a dangerous gamble, especially considering the data you identify for use in ediscovery is likely among the most sensitive, important data you possess.
Here’s everything you need to know about how legal and IT teams can better work together to manage data security in-house.
Be Proactive with Data Security
It’s important from the get-go to work with your IT team to identify the security of your data. If you haven’t already, generate a data map to expedite the identification of data for ediscovery. Use that information to build a risk map. Once you’ve completed this process, take stock of where your data is in order to identify any potential areas that could be at risk.
Your IT team should have a solid understanding of data that may be at risk, here are some key areas to get started:
- Behind a corporate firewall
- On a networked computer with internet access
- On a cloud-based storage account
- On a personal mobile device
- Within an application, such as slack or dropbox, either locally or on the cloud
- In a vendor’s system
- In an ediscovery storage repository
- In transit between any of the above
Once you’ve identified the following places your data lives, take stock of the vulnerabilities. Determine who has access to what; for the most part, people are the weakest link when it comes to data security. It’s important to be proactive and consolidate your data in secure, access-control places.
Finally, make sure you’re engaging in ongoing training and education with all of your staff, including breach response drills, and annual security audits. Your IT colleagues are usually great candidates for such training as they’re often working on the frontlines of data security and already know the ins and outs of your system.
Choose Your Partners Wisely
What’s that age old saying, when you assume you…? This same logic applies when you assume that your partners, from ediscovery vendors to third-party service providers to outside counsel, are able to securely maintain your data.
Work with IT before onboarding any third party service providers or partners to make sure your sensitive company data will be safe. Auditing this information before onboarding is a critical, often overlooked step that many corporate legal teams miss when assessing their data security. Only 19% conduct security audits with their ediscovery service providers beforehand.
To assess security measures rapidly, get IT involved early to figure out what certifications your partners have obtained. Do they have best-in-class security certifications like SOC 2 Type 2 and ISO 27001?
Avoid the Common Mistakes
By following the above steps closely hopefully you can avoid some of the common mistakes, but just in case here are a few critical things many companies overlook.
Don’t neglect employee training. As mentioned, most security gaps are unfortunately still caused by human error. Engage in regular training with your IT team to test and help employees, across all levels of the company recognize phishing, cyber, and ransomware attacks.
Another common mistake is keeping data in too many places. Many companies continue to struggle with defensible deletion. This retaining of outdated, worthless data is not only cumbersome, it represents ongoing security risks. Be proactive with your ediscovery data and make sure you get all of your data back at the close of every matter. Come up with a plan for defensible deletion. Follow up with anyone who has received data to ensure that it’s been destroyed after a case is resolved.
Plan for Risk
While all of the above might sound like a lot of effort, it’s important to remember that you’re not just getting peace of mind by maintaining control over your data but you have put a partnership in place to stay ahead of future risks. Together, IT and legal can work together to better secure your organization’s data, select diligent partners wisely, and avoid common mistakes around data management..