Zapproved has been acquired by Exterro, the leader in Legal GRC.
Read more here

Zapproved

Ediscovery Software For Corporate Legal Teams

Search

3 Reasons Why Ediscovery Vendor Security is Important

by - Legal Operations

vendor security

We’re all in the cloud now, and we’re not going back. (Thank goodness.) Cloud technologies allow us to build faster, build better, and build cheaper, and they also allow a more profound integration of data between systems and organization. The power of the cloud is amplified the more cloud companies work together to provide solutions to business needs. 

But as new SaaS companies come up, and older players modernize for SaaS, the security concerns surrounding the cloud increase. How, as a legal leader, can you ensure your sensitive ediscovery data is safe and protected when working with third-party vendors, from tools like Zapproved to services like remote review teams or outside counsel? And why should you care about vendor security in the first place?

Reason 1: Ediscovery Vendors are Targets 

Third party vendors–especially vendors whose bread and butter is more service than technology–may not have strong security controls in place. It’s just not where they are focused. Hackers and would-be-hackers know this, and view third-party vendors as easier targets than larger enterprises with fully staffed security teams and a mature security profile. 

The statistics are alarming. The number of third-party breaches increased by 35% between 2017 and 2019, with a 273% jump in the number of records exposed in those breaches. In other words, more breaches are exposing more data every year. 

Reason 2: A Breach to Them is a Breach to You

Any breach is bad, but a breach of ediscovery data should keep all of us up at night. The data is a treasure trove. Not only do emails, Sharepoint files, Teams messages, and Slack data contain PII, they also contain business sensitive information. Depending on the work your organization does–healthcare, pharmaceutical, energy–the data might also contain trade secrets or personally embarrassing disclosures from your executives and employees. We all remember the Sony emails. Nobody wants to be on the other side of that. 

When you send ediscovery data to a vendor, all that information leaves your home system and goes to live in your third-party databases. A breach to those third party databases is the same as a breach to your home systems.

Reason 3: Contracting Will Go Smoother

Vendor Security Risk Management is becoming a practice domain in and of itself. Enterprise IT and InfoSec teams should be running all vendors through security assessments, and may flat out deny contracting with any third-party that doesn’t pass their controls. 

Sometimes, this may feel as if the security team is blocking the solutions and workflows that the legal team needs. After investing the time and resources and, frankly, emotional energy in evaluating and choosing a long-term ediscovery partner, having the partnership hung up in contracting is difficult and disheartening. 

To help your selection go smoothly through contracting, two things are important. First, you should engage with vendors with strong security postures from the start of a third-party vendor selection process. This will up your chances of getting the solution you want and that’s right for your ediscovery team. Second, involve your IT or InfoSec teams early to identify their security needs for third-parties. Inviting IT or InfoSec to the table early will help create a collaborative selection process, and will minimize the sometimes contentious communication that can develop in a selection process. 

Security Features to Look for from Ediscovery Vendors

Data Encryption 

  • This is a now-standard security practice of transforming data from plaintext (its native form) to something that’s unreadable by humans. In order to decrypt and decrypt, you need an encryption key. Encryption practices mature every year as hacker’s ability to decrypt also matures. As with everything in security, encryption is an arms race. 

Multi-Factor Authentication

  • You’ve most likely used MFA on a banking app or other personal-life system. Fundamentally, MFA is a level of access control that adds a layer on top of username and password. If you can’t authenticate through two different forms–password + mobile, or email authentication + password, for instance–the system denies access, assuming the attempt is made by a malicious party.

Role-Based Access Control

  • Role-based access control–or RBAC (pronounced are back)–is a security practice that recognizes that not everybody in an organization needs access to the same information. Only certain roles need to see certain information. Creating access controls on user’s access to information minimizes that amount of data available should there be an identity breach.   

Written Data Security Policies 

  • Employees come and go. Leadership changes. A security posture should not suffer when teams change, when companies grow, when new headcount is added, when long-term subject matter expertise is lost. Having a security policy that is written and documented helps ensure standard security practice over long periods of time. Documented security policy is one of the hallmarks of a mature (or maturing) security posture, and is critical for an organization to manage itself as its people change. 

Data Purging 

  • Your home systems have data retention policies set, but sometimes that data continues to live in third-party systems long after it should. Make sure to confirm your third-party data-purging practices as part of your security evaluation. Legal teams do not frequently consider what happens when a case is closed, or after a matter has been resolved. But old data is still data, and is still vulnerable to a breach.

How Zapproved is a Top Rated Secure Ediscovery Software For Corporate Legal Teams

Protecting Your Data

  • We monitor and log all access to our applications and cloud environments to ensure your data is always secure. Our security industry leading practices include regular data backups, data encryption at rest and encryption in transit. 

Securing our Environments

  • Our security is your security. We host our applications in US-based data centers. We are encrypted in transit and at rest, and have a segmented network architecture to minimize risk profile. We also have ongoing alerting and monitoring capabilities for a fast and proactive response.

Continual Testing

  • Our applications and environments undergo the full gambit of security testing to keep your data safe. We conduct monthly vulnerability scans, as well as static code analysis on every push and annual third-party gray box penetration testing. In addition, we have a robust and well-documented third-party review of vendor security practices. We practice what we preach.

Security Gold Standard Compliance

  • We have established controls to comply with the gold standard in SaaS security audits. Our AICPA SOC 2 Type 2 audit is performed annually by a leading national audit firm. Our controls are mapped and tested against AICPA security, confidentiality, and privacy principles. In addition, we are GDPR and CCPA compliant. 

Ready to learn more about how ediscovery software can help with security?

Get in Touch

4 Strategies to Advance Your In-House Legal Department

Let’s face it, being a corporate legal team in the year 2023 is no easy task. A lot has changed in recent years, and teams now rely on collaboration between legal, technical, and operational specialists. To advance in-house legal department strategy, today’s ediscovery teams must be multifaceted, integrating different considerations, roles, and technologies. But this […]

How Zapproved’s Automated Custodian Workflows Helps Corporate Legal Teams

Why Staying on Top of Legal Hold Custodians is so Important What’s the first thing you do when an active legal hold custodian is leaving your company? Do you find yourself scrambling to figure out what ediscovery actions need to be taken? Has the employee’s data been preserved? Where are the employee’s laptop and company […]

Two Ediscovery Best Practices for Information Governance

For most enterprises, managing data is like herding billions of very active cats. As corporations moved from paper to digital data (but still retained mountains of paper files), the sprawl initially shocked and disoriented those responsible for knowing where the data was kept.  Fast forward to now, and the shock has worn off. That is […]

Zapproved is Now an Exterro Company!

Legal GRC Platform Exterro Announces Acquisition Of E-Discovery Provider Zapproved Combination of Zapproved’s Industry-Leading Customer Service and Exterro’s Award-Winning Legal GRC Platform Will Enable Organizations to Better Manage the Complex Interconnections of E-discovery, Privacy, Legal Operations, Digital Investigations, Cybersecurity Response, and Information Governance. PORTLAND, Oregon – Jan. 19, 2023 – Exterro, a leading provider of […]