This document discusses information security risks in the eDiscovery process and best practices for managing them. It identifies common risks like hand-offs of data between parties and a lack of access controls. A process-driven approach is recommended, with defined roles and responsibilities across organizations. Hallmarks include addressing security in project plans, encryption of data in transit and deliverables, access control, and auditing compliance. The document provides examples of protective order terms addressing various data types and controls. It also discusses certifications and evaluating partners' security practices.
2. CLE Information
For attorneys requiring CLE, a CLE Verification Code will be given verbally during this session. Please pay close attention and write down the code for your records. You may need this code to get your CLE. If you have any questions, members of this panel will be in the networking lounge immediately following this session. Please save your questions and visit us there.
7. Today’s Topics
- What are the information security risks?
- Why is a process-driven approach to information security needed?
- Who should be responsible for information security in the eDiscovery process?
- What are the hallmarks and best practices of good information security in the eDiscovery process?
- What’s the best way to evaluate the information security practices of your eDiscovery partners?
8. Information Security Defined
“Information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide:
- Integrity: guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity;
- Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
- Availability: ensuring timely and reliable access to and use of information.
Source: 44 U.S.C. § 3542(b)(1)
10. The Dominant eDiscovery Risks
- Mind the Gap
  - Hand-offs between parties
  - Changes / Exceptions / Rushes
  - Information security red flags
- General Lack of Awareness
  - Treating information security as an IT issue
- Uncontrolled Copies
  - Shared accounts / uncontrolled access
  - Lack of audit trail / chain of custody
- Productions
  - Pre-production information security protections
  - Data destruction / sanitization at conclusion of litigation
11. Data Types / Controls
- HIPAA
- Export controlled data
- Privacy / EU / PII
- PCI
- Financial regulations
- State laws / regulations governing data breach notifications
12. Sample eDiscovery Risk Analysis
Legend: CP = Corporation | LF = Law Firm | SP = Service Provider
Risk: 1 (low) to 5 (high) scale
C = Confidentiality | I = Integrity | A = Availability
13. Sample Risk Analysis (continued)
- People (very high)
- Process / Procedures (high)
- Technology (moderate)
- Transportation of data (very high)
- Production and copy sets (high)
- Presentation / Trial exhibits (high)
14. Why a Process-Driven Approach
- Systematic approach
- Risk assessment and treatment
- Collaborative / 360° view
- Continual improvement
- Documented
- Audited
- Thoughtful and proactive, not ad hoc and reactive
15. Who is Responsible?
- Information security is not solely an IT issue
- Cross-functional teams including IT, operations, PMs, specialists, records and legal
- A collaborative approach is needed across:
  - Corporation(s)
  - Law firm(s)
  - Service providers
- Define roles in the project plan
16. Hallmarks & Best Practices
- Address information security in the project plan
- Ensure all parties understand their obligations
- Enter protective orders / confidentiality agreements
- Encrypt all data when in transit
- Encrypt all deliverables
17. Hallmarks & Best Practices (continued)
- Limit access to business need
- Restrict and control copies
- Produce the smallest volume of sensitive data
- Audit:
  - User permissions and access
  - Compliance with information security procedures
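The risks on slide 10 (hand-offs between parties, uncontrolled copies, lack of audit trail / chain of custody) and the hallmarks on slides 16 and 17 (control copies, audit access) come together in one concrete control: a file manifest that travels with each deliverable plus a tamper-evident hand-off log. The following is an added example, not code from the deck or from any eDiscovery vendor. It uses only the Python standard library; the party names (CP, LF, SP as in the slide legend), the sample production files, the shared HMAC key and the timestamps are all constructed for illustration, and the key is assumed to have been exchanged between the parties out of band.

```python
"""Chain-of-custody manifest and hand-off log for an eDiscovery deliverable.

Added example, not from the original deck. Party names, file contents,
the shared key and timestamps below are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample production volume: path -> file bytes.
SAMPLE_FILES = {
    "PROD001/BATES000001.pdf": b"%PDF-1.4 constructed sample production document",
    "PROD001/loadfile.dat": b"\xfeBATES000001\xfe\x14\xfePROD001/BATES000001.pdf\xfe",
}


def file_digests(files):
    """SHA-256 digest of every file in the deliverable, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


class CustodyLog:
    """Tamper-evident record of every hand-off of a deliverable.

    Each entry carries the manifest at hand-off time, the MAC of the
    previous entry, and its own HMAC-SHA256 under a key the parties share
    (assumed exchanged out of band). Editing or dropping an earlier
    hand-off breaks the chain, so a later party can detect it.
    """

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self.entries = []

    def _mac(self, unsigned_entry):
        body = json.dumps(unsigned_entry, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def record(self, event, from_party, to_party, files, when=None):
        """Append a hand-off (e.g. collection CP->LF, transfer LF->SP)."""
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = {
            "event": event,
            "from": from_party,
            "to": to_party,
            "time": stamp,
            "manifest": file_digests(files),
            "prev": self.entries[-1]["mac"] if self.entries else "",
        }
        entry["mac"] = self._mac(entry)  # MAC covers every field above
        self.entries.append(entry)
        return entry["mac"]

    def verify_chain(self):
        """True only if every entry's MAC and back-link are intact."""
        prev = ""
        for entry in self.entries:
            unsigned = {k: v for k, v in entry.items() if k != "mac"}
            if unsigned["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(unsigned), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def check_receipt(self, received_files):
        """Paths whose digest differs from the last recorded manifest.

        [] means a clean receipt; None means the log itself cannot be
        trusted (broken chain or no hand-off recorded yet).
        """
        if not self.entries or not self.verify_chain():
            return None
        expected = self.entries[-1]["manifest"]
        actual = file_digests(received_files)
        return sorted(p for p in set(expected) | set(actual)
                      if expected.get(p) != actual.get(p))


def run_demo():
    """Walk a CP -> LF -> SP hand-off and show what the checks catch."""
    log = CustodyLog(b"constructed-shared-key-for-demo")
    t0 = datetime(2012, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    log.record("collection", "CP", "LF", SAMPLE_FILES, when=t0)
    log.record("transfer", "LF", "SP", SAMPLE_FILES, when=t0)
    results = {"chain_ok": log.verify_chain(),
               "clean_receipt": log.check_receipt(SAMPLE_FILES)}
    # A load file altered somewhere in transit shows up by path.
    altered = dict(SAMPLE_FILES)
    altered["PROD001/loadfile.dat"] = b"altered"
    results["altered_receipt"] = log.check_receipt(altered)
    # Rewriting history (changing who received the collection) breaks the chain.
    log.entries[0]["to"] = "SP"
    results["chain_after_edit"] = log.verify_chain()
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest answers "is this the deliverable that was sent?" at each hand-off, and the chained MACs answer "has the record of who had it been altered?". An HMAC gives integrity and authenticity between parties that hold the key, not non-repudiation; where a party must be unable to deny a hand-off, each side would sign entries with its own key instead.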
18. ND Cal Protective Order Levels
CONFIDENTIAL may be disclosed to:
(a) Outside counsel of record and their employees;
(b) Other parties’ employees;
(c) Experts;
(d) The court and its personnel; and
(e) Court reporters, professional consultants/vendors.
HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY may be disclosed to:
- (a), (c), (d) and (e) above
- In-house counsel with no competitive decision-making
HIGHLY CONFIDENTIAL – SOURCE CODE may be disclosed to:
- (a), (c), (d) and (e) above
19. ND Cal Source Code Provisions
Inspection
- On a secured computer
- In a secured room with no Internet access or network access
- Party may not copy code onto any recordable media/device
Copies
- Limited paper copies, bearing Bates numbers and the label “HIGHLY CONFIDENTIAL - SOURCE CODE”
Receiving Party
- Maintain all paper copies of any printed copies in a secured, locked area
- Maintain a record of individuals who inspected source code
- May make additional paper copies for pleadings, expert reports or depositions
- May not create any electronic images of the paper copies
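The two slides above describe an access-control policy: a designation tier maps to the roles that may see the material, the ATTORNEYS’ EYES ONLY tier adds one conditional exception, and the SOURCE CODE tier adds environmental conditions plus a record of who inspected. The code below is an added example, not from the deck or from any court's model order, that encodes exactly those rules so they can be checked before someone is given access. The tier-to-role mapping and the source-code conditions follow the slide text; the Person and ReviewStation fields, the record format and the names used in the demo are assumptions for illustration.

```python
"""Access checks modelled on the ND Cal protective-order tiers above.

Added example, not from the deck or any court. The role letters and
tier rules follow the slides; the data structures are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Role letters as lettered on the slide.
OUTSIDE_COUNSEL, PARTY_EMPLOYEE, EXPERT, COURT, VENDOR = "a", "b", "c", "d", "e"

CONFIDENTIAL = "CONFIDENTIAL"
AEO = "HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY"
SOURCE_CODE = "HIGHLY CONFIDENTIAL - SOURCE CODE"

# Roles listed for each tier on the slide.
ALLOWED_ROLES = {
    CONFIDENTIAL: {OUTSIDE_COUNSEL, PARTY_EMPLOYEE, EXPERT, COURT, VENDOR},
    AEO: {OUTSIDE_COUNSEL, EXPERT, COURT, VENDOR},
    SOURCE_CODE: {OUTSIDE_COUNSEL, EXPERT, COURT, VENDOR},
}


@dataclass(frozen=True)
class Person:
    name: str
    role: str                               # one of the letters above
    in_house_counsel: bool = False          # a party employee who is counsel
    competitive_decision_maker: bool = False


def may_access(person, designation):
    """Return (allowed, reason). Unknown designations are denied."""
    allowed = ALLOWED_ROLES.get(designation)
    if allowed is None:
        return False, "unknown designation, treated as most restrictive"
    if person.role in allowed:
        return True, f"role ({person.role}) is listed for {designation}"
    # The AEO tier alone adds in-house counsel with no competitive decision-making.
    if (designation == AEO and person.in_house_counsel
            and not person.competitive_decision_maker):
        return True, "in-house counsel with no competitive decision-making"
    return False, f"role ({person.role}) is not listed for {designation}"


@dataclass(frozen=True)
class ReviewStation:
    """Where source code is inspected; the flags are assumed attributes."""
    label: str
    secured_room: bool
    network_access: bool            # any Internet or network access disqualifies
    removable_media_allowed: bool   # code may not be copied to recordable media


class SourceCodeInspections:
    """Keeps the record of individuals who inspected source code."""

    def __init__(self):
        self.records = []

    def inspect(self, person, station, when=None):
        """Admit an inspection only if both the person and the station qualify.

        Returns (record, reason); record is None when nothing was logged.
        """
        allowed, reason = may_access(person, SOURCE_CODE)
        if not allowed:
            return None, reason
        if not station.secured_room:
            return None, f"{station.label}: not a secured room"
        if station.network_access:
            return None, f"{station.label}: has network access"
        if station.removable_media_allowed:
            return None, f"{station.label}: permits recordable media"
        record = {
            "who": person.name,
            "role": person.role,
            "station": station.label,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
        }
        self.records.append(record)
        return record, "inspection recorded"

    def inspectors(self):
        """Distinct names in the inspection record, in first-seen order."""
        seen = []
        for r in self.records:
            if r["who"] not in seen:
                seen.append(r["who"])
        return seen


if __name__ == "__main__":
    # Constructed people and stations for a quick run.
    expert = Person("Dr. Example", EXPERT)
    counsel = Person("B. Counsel", PARTY_EMPLOYEE, in_house_counsel=True)
    room = ReviewStation("review room 1", True, False, False)
    log = SourceCodeInspections()
    print(may_access(counsel, AEO), may_access(counsel, SOURCE_CODE))
    print(log.inspect(expert, room)[1], log.inspectors())
```

Note that the check is deliberately deny-by-default: a designation the policy does not know, or a station that fails any one condition, is refused with the reason recorded, which is what an auditor reviewing user permissions (slide 17) would want to see.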
20. Export Control Protective Order Provisions
Export Control. Disclosure of Protected Material shall be subject to all applicable laws and regulations relating to the export of technical data . . . , including the release of such technical data to foreign persons or nationals in the United States or elsewhere. The Producing Party shall be responsible for identifying any such controlled technical data, and the Receiving Party shall take measures necessary to ensure compliance.
21. HIPAA Protective Order Terms
This Order authorizes the disclosure of Protected Health Information, such disclosures being made pursuant to 45 C.F.R. § 164.512(e) of the Privacy Regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Further, pursuant to 45 C.F.R. § 164.512(e)(1)(v), this Order is also a Qualified Protective Order and all parties and attorneys are hereby:
(A) Prohibited from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and
(B) Required to return to the covered entity or to destroy the protected health information (including all copies made) at the end of the litigation proceeding.
This Order does not permit disclosure of confidential communications, made for the purposes of diagnosis or treatment of a patient’s mental or emotional condition, including alcohol or drug addiction, nor does this Order permit disclosure of records or information relating to HIV testing or sexually transmitted disease which are protected from discovery by any statute, court rule or decision. Nothing in this Order authorizes any party or any attorney for any party to release, disclose, exchange, submit, or share any Protected Health Information with any other person or entity unrelated to this litigation.
22. Evaluating Info Security: Ask Questions
- Make use of the RFI / RFP to ask information security questions
- Ask people, process and technology questions
- Audit / inspect: trust with verification
- Check references
23. Information Security Certifications
- ISO 27001: auditable international standard with 133 controls
- SAS 70: less defined than ISO 27001 but widely used in the US
- SSAE 16: supersedes SAS 70, with additional requirements added
- EU Safe Harbor and similar: certification needed to handle data from the EU and other jurisdictions
24. ISO 27001
- Risk assessment
- ISMS: policies and procedures to implement controls
- Scope must be defined
- Management sponsorship and review
- Continual improvement
- Scheduled internal and external audits
- User awareness / understanding of obligations