Attorneys know, or should know, that they have an ethical obligation to protect client data. Besides, doing so is good client service. For those reasons, lawyers selecting an E-Discovery vendor or ESI review platform should not let their guard down regarding data security issues.
In the current data breach environment, attorneys cannot assume that an E-Discovery vendor has adequate security simply because the vendor is comfortable in the digital world. Like law firms, ESI vendors must devote some of their time and resources to cybersecurity. Inside and outside counsel must ask the right questions to conduct effective due diligence when selecting a vendor or review platform.
Whether the list below is overkill or just a start will depend in large part upon the nature and sensitivity of the data in your particular project. For example, will your data include medical, financial, trade secret or other sensitive information? Also, the questions to ask will vary depending upon the extent to which you are embracing, or avoiding, cloud-based solutions. There are data security risks no matter which route you choose, but because the concerns vary, the questions should be tailored accordingly. These 10 questions are a good starting point for most evaluations.
- Will data be encrypted in transit to the vendor’s servers, platform or hosting location?
- Will data be encrypted while at rest once it is being hosted or stored by the vendor?
- Is multi-factor authentication available for logging into the system where the data is held?
- Does the vendor’s platform provide the option for the client to send data directly and securely to the platform?
- Does the vendor’s platform allow for sufficient access control levels, ranging from “reviewer” up through “team leader” and administrator?
- Where are the vendor’s servers physically located and what security measures are in place?
- What redundancy and disaster recovery plan does the vendor offer for data it is hosting?
- Is the vendor willing to respond to the EDRM’s security questionnaire or a similar inquiry so that its cybersecurity can be evaluated?
- Is the vendor willing to sign and abide by an appropriate confidentiality and/or protective order?
- When the project is over, what is the vendor’s process to destroy or return the data, how will that be documented, and what will be the charge to do so?