It is difficult to look at a newspaper these days without seeing at least one article disclosing a major data breach, and it’s no wonder that corporate executives and counsel are scrambling to secure their environments and avoid becoming the next headline. To this end, companies are cataloging information assets, auditing access controls, testing firewalls, and reviewing privacy and security programs as a whole. After the Target breach implicated the company’s HVAC services vendor, many companies started reviewing third-party contractual arrangements and access control policies. The Home Depot breach also started with a hacked vendor, further increasing scrutiny of vendor access rights. One area that hasn’t received much attention, however, is the downstream transfer of corporate data in connection with litigation and regulatory matters to e-discovery vendors, outside counsel, experts and opposing parties.
As holders of the company’s most valuable and secret documents, legal departments are a prime target for hackers. At the heart of any legal matter are the documents that have been gathered for the purpose of asserting or defending the claims and for disclosure in discovery, and in a typical litigation or regulatory investigation, many are central to the company’s operations, including employee and customer personally identifiable information (PII), company financials, intellectual property, confidential agreements, deal papers, transactional records, and other highly sensitive and proprietary information. More importantly, the legal department usually has the authority to override the company’s security controls, allowing it to investigate and gather records from highly secure systems and extract that data for use in legal matters. The downstream storage, use and sharing of this extracted information presents one of the biggest security gaps in many companies, yet it often goes unchecked.
The discovery lifecycle involves many parties. Once collected from its original source, information is often copied to mobile media and transported for processing and review by outside e-discovery vendors and/or outside counsel. In preparation, copies may be held in staging areas on a file server or on storage area networks (SANs) or network attached storage (NAS) within the company. Because staging areas generally are not set up to store sensitive data, they are not as secure as the original data sources. Once collected, data is often shipped using common carriers. While it’s easy to ensure portable media are encrypted before transport, this isn’t always done due to time or resource constraints or simply a lack of training or awareness. Further, some media, like legacy backup tapes, can’t be encrypted and must instead be physically secured and properly transported.
Protecting Information Prior to Production
Correcting these security gaps before the data leaves the company’s custody is easily accomplished by mapping the flows and implementing policies to close the holes through encryption, anonymization and access controls. However, protecting the data once it is in the hands of others is more difficult. And there are many hands, including e-discovery and data restoration vendors, the company’s own expert witnesses and outside counsel, opposing counsel and their witnesses and vendors, governmental agencies, and various courts and tribunals, just to name a few. For example, in labor and employment class actions, defending companies often collect the PII of tens of thousands of employees. This data remains vulnerable to hackers at each handoff or delivery, both in transit and while at rest in the hands of each party in the chain. How do you control the security practices of these actors and ensure that data is properly disposed of at the close of the matter?
Dealing with vendors, experts and attorneys with whom you have a contractual relationship is the easiest. These contracts should ensure that outside parties are legally obligated to adequately protect the company’s data and are fully liable for loss or inadvertent disclosure, and that the company has the right to audit and enforce these requirements. Reviewing their security practices and certifications should include independent third-party testing and certification. While disclosing test results will be a security concern, vendors should be comfortable disclosing executive summaries that describe testing methods and an overall “rating” when requested. The goal is to make sure the service provider’s security meets or exceeds regulatory requirements within your industry, or at least meets appropriate standards for the data being handled. Anything less poses too much liability for the company.
Ensuring that vendors have adequate security programs isn’t just good practice, it's likely required by law for many companies. For example, the U.S. Department of Health and Human Services’ HIPAA Omnibus Final Rule clearly places the responsibility for data privacy and confidentiality on the covered entity, meaning the data owner, even as the data moves downstream to outside vendors. Similarly, in a recent examination priorities letter, FINRA reminded firms that
[O]utsourcing covered activities in no way diminishes a broker-dealer’s responsibility for 1) full compliance with all applicable federal securities laws and regulations, and FINRA and MSRB rules, and 2) supervising a service provider’s performance. Outsourcing will be a priority area of review during 2015 examinations, and will include an analysis of the due diligence and risk assessment firms perform on potential providers, as well as the supervision they implement for the outsourced activities and functions.
Further, the SEC's new guidance requires that companies disclose not only material cybersecurity events when they occur but also potential material risks. When outsourced functions carry material risks, the guidance requires a description of the functions and how the company manages the associated risks. When a company suffers a data loss in this context, a material issue may need to be disclosed or, further, may give rise to a shareholder claim that the company should have disclosed the (now apparent) material risk before the incident occurred. The best defense in such circumstances is the company’s due diligence in selecting the vendor and vetting its security certification.
Given these fiduciary and legal obligations, corporate counsel cannot be expected, nor do they have the means, to independently verify every outside partner’s security programs. Reliance upon independent third-party certification is the only viable solution, and service providers will have to keep up with prevailing certifications in today’s evolving markets, or risk losing their client base.
The biggest challenge for service providers has been choosing which certification(s) meet their clients' regulatory needs and unique legal requirements, each of which also takes considerable time and money to measure against. For example, it could potentially cost several million dollars and take one to two years to complete the design and implementation of a security policy and necessary procedures to meet banking industry standards, such as SSAE 16 SOC 2, the Service Organization Controls ("SOC") framework established in 2011 by the American Institute of Certified Public Accountants. Furthermore, these requirements are similar to but not the same as HIPAA requirements, which require either an independent HIPAA audit against the OCR HIPAA Audit Protocol or measurement against the FedRAMP or NIST 800-53 standards. Therefore a SOC 2-compliant service provider cannot automatically tell healthcare clients that it also meets healthcare industry standards; it must go through a separate process, again at great cost. Looking to overcome these issues for all companies with sensitive data, the White House released the Cybersecurity Framework (CSF) developed by the National Institute for Standards and Technology (NIST) in 2013. Initially set up as a voluntary framework only for businesses that operate as part of the country’s critical infrastructure, the CSF has become the defacto measurement standard for many cyber-insurance carriers and courts considering liability, making it mandatory for industries in and out of the critical infrastructure.
Importantly, the NIST CSF is not a certification, nor does it mandate specific controls or requirements, but rather is designed to initiate discussion about how to manage risk. It is also purely a U.S. construct and not recognized internationally. Therefore, vendor practices that are consistent with the NIST framework may be insufficient. In response, leading vendors are investing in certification against the International Standards Organizations (ISO) family of cybersecurity standards revised in 2013, commonly called ISO 27000. Recognized globally, these standards outline hundreds of potential controls and control mechanisms. For example, ISO 27001 defines how to implement, monitor, maintain and continually improve the organization’s information security management system. It reaches well beyond NIST and focuses on protecting all types of information, not just information stored or processed in IT systems. Also, unlike the NIST Cybersecurity Framework, ISO 27000 clearly defines which records are needed for certification, and what minimum standard is to be implemented. Finally, ISO 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect PII. These controls enable vendors to make two important commitments: first, to establish defined policies for the return, transfer and secure disposal of PII and, second, to proactively disclose the identities of sub-processors and inform the customer if data is ever requested by law enforcement agencies. For these reasons, ISO 27000 is quickly becoming the mandatory standard for measuring service providers, though due to its relative newness and the time required to certify all operations, many are still in the process of independent certification.
Protecting Information After It Has Been Produced
It is much more difficult to protect information produced to adverse parties, tribunals and downstream entities, such as their vendors and experts, with whom you do not have contractual relationships. Traditionally this is dealt with through the meet-and-confer process or other negotiations aimed at securing binding agreements to protect transferred data. Court orders may be sought when agreement is not forthcoming. Counsel should ensure that any obligations imposed by a stipulated or court-mandated protective order extend to each party’s data-sharing partners. In fact, doing so may be required in cross-border discovery involving information regulated by countries with strict data privacy laws. The catch here is that while you, as the producing party, may be able to obligate receiving parties to protect your data as if it were their own, there are presently no mechanisms to audit or otherwise ensure those obligations are being met. While parties may have post-disclosure recourse, they have virtually no power to manage the risks of inadvertent loss. We know of no matter where a litigant has successfully resisted the production of discovery on the basis of a vendor’s inadequate substantiation of data protection capabilities or its refusal to allow an audit of its security practices. Until certification becomes more common and expected, this conundrum will persist.
Additionally, protective orders should include provisions for the final disposition of information from all downstream participants at the close of the matter, and counsel on both sides should follow through. They should also cover any derivative works and provide for written certification that the data was either securely destroyed or that it has been returned to the producing party, including copies made for disaster recovery purposes. Similar efforts should be made to clean up data held by your own service providers, which may still be sitting on corporate staging areas or otherwise held outside of routine retention schedules by custodians or system stewards.
In leaving these issues unresolved, the legal department can present a gaping hole in corporate data security programs; however, closing the gap is relatively easy. Counsel simply needs to consider the entire lifecycle of discovery-related information and establish proper security measures at every stage. They should take time upfront to decide what level of protection is deemed adequate for their industry and for the type of information they are handling, and to properly vet service providers. The cost of doing so is extremely small compared to the reputational and financial costs of a data breach.
Published March 16, 2015.