Ediscovery Security: How to Protect Corporate Legal Data

High tech colorful lock, with email and computers indicating a secure space.

Mitigating risk is important to legal professionals regardless of their role or area of expertise. Many investigations involve sensitive data and serious allegations, all of which have the potential for additional complications if the information is mishandled. Today, we’re discussing one of the primary risks associated with ediscovery: data security.

What is Data Security for Ediscovery? 

All organizations handle sensitive data, whether it’s medical records, employee social security numbers, recipes and other trade secrets, or any other type of information that could be disastrous if it fell into the wrong hands. While your company might do a great job of protecting those records when they’re housed within its walls, what happens when they get out? With data breaches becoming more common every day, the risk can be high, especially if you’re sending files to third-party providers for legal document review. What’s a corporate legal team to do?

Common Mistakes When Managing Security for Ediscovery

  • Neglecting employee training.
    • Most security gaps are still caused by human error. That’s why it’s important to engage in regular training and testing to help employees—across all levels of the company—recognize and avoid phishing and other cyber attacks.
  • Keeping too much data in too many locations.
    • Establish a defensible data deletion policy that allows you to dispose of outdated files.
    • For data you do need to retain, make sure it is stored in a central, modern location, rather than held in legacy systems or across multiple facilities.
    • Additionally, make sure you get your ediscovery data back at the close of all matters. Often, vendors and law firms—not to mention opposing parties and expert witnesses—retain sensitive data after a matter has ended, creating a security risk.
    • Follow up with anyone who has received data to ensure that either they return or destroy it after a case is resolved.
  • Failure to verify vendor security protocols.
    • Different vendors have different standards. Remember to ask current and potential vendors about their security policies and protocols, and whether they hold SOC2 Type II or other relevant certifications.

Ediscovery Security Must-Haves 

Today in ediscovery, it should be no surprise that data security is a rising concern among corporate legal teams and that IT departments want to know that critical business data is safe and protected. The concern over data security is translating into increased pressure for businesses and ediscovery software vendors to transparently demonstrate their commitment to security and controls. That is where SOC 2 certification comes into play. 

Here are some considerations for how corporate legal teams and ediscovery software can improve security: 

  1. Share the Responsibility: Security is a shared responsibility that requires collaboration and communication amongst application providers, infrastructure providers, and end-users so that all parties are working together to protect data access both logically and physically.
  2. Secure By Design: Look for applications that support granular permissions allowing least privilege where all access is limited to only what is necessary to complete the job. Additionally, the software should be able to provide holistic logging that tracks to the individual user or operator. Data should always be encrypted whether in transit or at rest.
  3. Use Third-Party Verification: Organizations should seek third-party verification that their providers are living up to security commitments via SOC 2 report, penetration testing or other measures.

Understanding SOC 2 Type 2 Certification

SOC 2 Type 2 certification is an important way for any ediscovery vendor working with larger, enterprise-level companies to be transparent about security practices.  This is the same audit report used by companies such as Amazon Web Services (AWS), Google, and Salesforce, etc., to validate the security of infrastructures and services. 

The recurring audit includes a complete evaluation of a company’s infrastructure, software, people, procedures, and data over a period of time based on the security principles as defined by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria. This certification ensures the system has controls in place to protect against unauthorized access (both physical and logical).  

When it comes to working with the cloud, performance and reliability are critical for enterprises. As ediscovery teams at enterprise organizations have more stringent data security standards, vendors that are SOC 2 Type 2 compliant can prove they have the people, processes, and systems in place to ensure data security.

Contact Zapproved at https://zapproved.com.  


Meg McLaughlin

Meg McLaughlin is the Senior Director of Marketing at Zapproved.