Over the next several weeks, “E-Discovery Beat" will be running a series of articles on e-discovery issues that are of particular interest to IT professionals. In this first installment, we explore the important role data security plays in the design and function of e-discovery data management technology.
Data security has emerged as a major consideration for organizations looking to purchase e-discovery software. The nature and sensitivity of the electronically stored information (ESI) handled within software system makes it imperative that IT align system security requirements with those that are already in place for corporate networks and individual systems on which discovery takes place.
Traditionally, few organizations have been able to achieve such an alignment. IT security controls and e-discovery technologies, though they both involve sensitive ESI, have matured independent of one another. While IT security has mainly been concerned with protecting networks from unwanted access or tampering, e-discovery systems have been designed with access in mind. Different groups – mostly comprised of legal professionals – need to analyze and manage large volumes of documents. As one analyst recently described, data security has always been the “elephant in the e-discovery living room."
Today, there is a much greater awareness of the information security as it relates to e-discovery. That's not to say everyone is doing it right. Ensuring e-discovery systems align with corporate information security requirements requires a close collaboration between IT and Legal. When evaluating system needs and capabilities, legal can sometimes overlook the security issues that may arise from “how" those needs are being met. That's where IT comes in.
Of course, data security encompasses a number of issues - far too many to cover in a single post. For the purposes of brevity, this piece will focus on three critical areas: confidentiality, integrity and availability.
Confidentiality might be the most salient of topics that fall under the data security umbrella. Put simply, it addresses the protection of information from disclosure to unauthorized parties. This is a particularly vexing challenge in e-discovery, since it inherently involves sensitive legal issues and large volumes of corporate data. Fortunately, there are several ways the risk of data exposure can be mitigated, which include:
Authentication and authorization procedures. The easiest way to prevent unauthorized access to sensitive data is to employ rigid authentication protocols to whatever e-discovery system is in play. Authentication is commonly done through the use of account names and passwords. Today, organizations often have several systems, e-discovery and otherwise, that require some form of authentication. It can be burdensome and even risky for workers and IT personnel to manage authentications procedures for each individual system. That's why many large organizations rely on single sign-on systems (SSOs) allowing a user to only login once before accessing all the business apps he or she is authorized to use. SSO accounts for the common need to conform corporate security processes. Rather than have to account for each individual application that a worker has access to when he or she leaves the company, SSO systems allow IT to revoke departed employee access to all applications at once, eliminating oversights that may result in an individual retaining access to a system long after they've left the company.
Another complication that arises with e-discovery involves the many individual processes and steps that e-discovery projects entail and varying levels of risks that are associated with each one. Organizations may feel comfortable allowing a junior-level paralegal to initiate legal hold reminders but wish to restrict them from having the ability to release a custodian from hold, initiate a document collection or have access to certain reports. The issue arises when all of these actions are initiated by a common system. Role-based access controls (RBACs) are an approach more sophisticated systems take to help govern which individuals have access to which actions. RBACs allow organizations to define each user's role and restrict their access to certain parts of the system based on those roles.
Data Disposition It is imperative that organizations store ESI collected for a matter on designated storage with rigorous security controls. Not only does this protect the ESI from unwanted exposure, but it aides in the disposition of that data once the matter is resolved. This prevents accidental re-exposure down the road. Too often, organizations are reluctant to discard ESI that serves no business or legal value to the organization. The 'save everything' mentality is born partly out of ignorance -- an unfounded fear that deleting “any" ESI could have legal consequences. Another factor is the relative affordability of data storage. Storing terabytes and terabytes of data no longer represents the crippling business expense it once did and that helps to fuel the 'save everything' mentality.
Confidentiality addresses the unwanted exposure of data. Data integrity deals with the protection of ESI from being modified by unauthorized parties. All organizations should make it a priority to limit the movement of ESI during e-discovery because that's when it's most vulnerable to tampering. Many companies are investing in more comprehensive, end-to-end discovery systems that can reduce the number of data handoffs (say between a collections and processing tool). When ESI is in “motion," it is imperative that it be secured through strong encryption to prevent the malicious or accidental exposure of information to unauthorized personnel. For particularly sensitive data, encryption should be employed at both the data-transit level and at the storage level to prevent access and tampering of data at rest.
Another way to bolster data integrity is with robust auditing processes for logging all data modifications. This ensures that any modifications are well-documented and can be recognized and clearly explained – which (unfortunately) can be required months or years after the change took place.
The third key data security consideration is availability, making sure that authorized parties can access the information when needed. E-Discovery projects are invariably on a tight schedule and the people analyzing and reviewing ESI often bill by the hour. Additionally, e-discovery workloads are not evenly distributed. Several large collections can all occur at once, inadvertently crippling the network and the production systems from where they are drawing. The e-discovery software system should be architected in a redundant fashion, with the necessary duplication of critical components and functions to increase reliability and availability of information. It should also be equipped with simple and intuitive backup and restore mechanisms to allow organizations to recover from failures without massive disruption to regular business activities.