Data security is one of the many risks in-house counsel must stay on top of. A data breach carries with it severe legal and regulatory implications and may be the quickest way for a company to lose the faith of its customers. When facing litigation, however, counsel often focus on what seem to be more pressing issues, such as case strategy, setting reserves and collecting evidence, not to mention trying to keep case costs under control. Despite the pressure and workload, counsel cannot afford to lose sight of data security as the same risks apply - in fact, they are multiplied - when part of the litigation and discovery process.
Any time a company controls privileged, sensitive or protected information, it can lead to regulatory, reputational and business risks. Companies may find themselves in trouble with government agencies, shareholders, customers and the public. When that information includes discovery documents related to a specific litigation matter, add an adverse result in the matter to the list of likely results.
The right partners can help mitigate these risks, but in-house counsel must understand how data can be lost or stolen, what are the consequences of data breaches and how the legal department can work with service providers to minimize those risks.
Risks Of Security Breaches
Security can be breached in a number of different ways, even in what seems to be a secure environment like a law firm. Disgruntled employees may walk out the door with memory sticks or send files in e-mails to themselves at home. Even worse, information may be outright stolen: last year, a hard drive containing pension information for more than 70,000 employees was taken from American Airlines' corporate headquarters. Hackers can tap into networks. Employees forget iPads in the back of taxicabs. Employees may send e-mail over unsecured networks.
Reputational Risks
When the personal information of employees, customers, or clients has been compromised, companies cannot hope to brush it under the rug. According to the National Conference of State Legislatures, 46 states and the District of Columbia have enacted legislation requiring companies to notify everyone whose personal information has been lost or stolen. Under most of these compulsory notification laws, companies must immediately disclose, usually in writing, a data breach to those whose private information may have been compromised.
Data does not have to be stolen before these notification laws are triggered - a company merely has to be unable to account for it, or more specifically, there simply must have been a time when the company could not account for it. The party holding the data usually bears the burden of proof to show that no breach has occurred. Any time a company cannot prove that there has been no breach, the compulsory notification laws kick in.
Most discovery documents include personally identifiable information. If a potential data breach occurs at the service-provider level, in-house counsel must notify law firms and clients about it since they may be identifiable. For example, consider a financial services company involved in a lawsuit where numerous brokers are potential custodians. A third-party provider who loses control of data will compromise data not only about the broker, but also about almost every client with whom the broker may have communicated.
When a company has to start writing letters informing clients that it turned over personal data to someone else who then lost control of it, the company may never recover the trust of those clients.
Regulatory Risks
There are also significant regulatory issues, whether data is inadvertently lost or deliberately stolen. Different regulations govern different types of information, from internal financial information, to data covered by the Sarbanes-Oxley Act, to insider trading and financial controls. Losing control of any information that relates to these different areas can have serious implications.
Legal Risks
In the midst of a lawsuit, a data security breach can force a company's hand. Once an organization has lost control of data relevant to a lawsuit, there are few good alternatives. A claim that documents were covered by attorney-client privilege would likely not hold up. (The amended Federal Rules of Civil Procedure allow for the "clawback" of inadvertently released information, but it is unclear to what extent this would apply to a breach as that rule mainly applies to documents inadvertently sent to adversaries, not to the outside world.) The most likely result of a data breach during a matter would be a quick settlement under less-than-ideal circumstances before the news goes public.
Business Information Risks
When sensitive data ends up in the wrong hands, the ramifications can be long lasting. Litigation often involves sales projections, intellectual property and competitive information. Likewise, the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (HSR) Second Request process that companies go through during an acquisition often includes some of the most important and private company documents. If this information falls into the wrong hands or becomes public, a company can lose its competitive edge.
Keeping Private Data Private
Most companies have internal safeguards to protect against security breaches, but they must also guarantee the safety of their information once it leaves their building or is shared with others. During litigation, companies often share their most confidential information with others, including law firms and litigation service providers. Without the proper safeguards in place, in-house counsel may not be able to ensure that these third parties are taking the proper precautions.
These risks are serious and real, but in-house counsel can also meet these challenges head on and minimize the probability of data security breaches. Finding the right service provider to work with during lawsuits is the key, so it is important that in-house counsel know what to look for and what questions to ask.
Information Management And Chain Of Custody
In-house counsel should ask service providers about their best practices and procedures and how they ensure those procedures are followed meticulously. In order to minimize the chance for security breaches, companies must manage information correctly, and the chain of custody must remain unbroken at all times. Every piece of information must be tracked and trackable at all times. There should never be a point in the chain of custody where data cannot be accounted for.
Access to data must be strictly controlled. The company should have its own set of controls, which the service provider sets up. Then, someone at the company should be able to administer the controls, while the service provider regularly monitors password usage.
When raw data comes in to the service provider, it should be carefully inventoried and entered into a custody log before it is uploaded and converted to the format the company has requested.
The service provider should be able to audit network and user transactions so it can determine user IDs, the source IP address and the host. This will ensure that only those who are authorized to look at the data can actually see it.
The service provider should be capable of instituting a VPN network. With a VPN, anyone who accesses the data will need to have the proper antivirus and personal firewall software installed. The service provider should also be able to document controls against malicious software, employees and hackers.
Advantages Service Providers Can Bring
Some in-house counsel may be wondering why they cannot just leave data security to their law firms. Generally speaking, highly skilled, knowledgeable service providers offer expertise and capabilities that are difficult for law firms to acquire. After all, law firm lawyers' core competencies are legal issues, not data.
Law firms also rarely have dedicated security teams that track current threats. An overworked law firm IT staff member will struggle to provide the same services as a security professional with a hosted solution.
Service providers with hosted e-discovery solutions have dedicated personnel for security whose lifeblood is keeping data secure. Of course, there is nothing inherently secure or insecure about the servers at law firms, but security depends on policies and procedures. A good service provider should have the right controls in place, including storing data in locked rooms that require pre-approved access. As well, the service provider should have intrusion detection and prevention systems in place to monitor all traffic that comes into the company's networks.
Law firms also typically lack a professional who polices compliance, making sure all the policies are being followed. A service provider should have a dedicated security engineer who makes sure that only those with permission to see data can actually access it and that everyone is following all policies and procedures at all times.
Trust The Cloud
For many organizations worried about data security, it may seem counterintuitive to trust cloud computing, where data is stored online instead of on servers and disks. But cloud computing can be perfectly secure, so long as the service provider has a strong reputation and documented security procedures are written into the agreement.There is nothing inherently unsecure about "the cloud." Like anything else, security revolves around choosing the right solution and surrounding it with the right expertise, policies and procedures.
While in the midst of litigation, in-house counsel may feel overwhelmed. There are many factors to consider and frequently a short period in which to make a lot of decisions. Meanwhile, litigators are under pressure to control costs and do more in- house. While those are worthy goals, it is crucial to take data security into account. Cutting some corners might seem like a great place to save a few bucks, and some law firms may not outline these risks as adamantly as others. But keep in mind that a data breach can be extremely expensive on all fronts and perhaps the quickest way to turn a small matter into a bet-the-company situation.
Published February 28, 2011.
