We’re all in the cloud now, and we’re not going back. (Thank goodness.) Cloud technologies allow us to build faster, build better, and build cheaper, and they also allow a more profound integration of data between systems and organization. The power of the cloud is amplified the more cloud companies work together to provide solutions to business needs.
But as new SaaS companies come up, and older players modernize for SaaS, the security concerns surrounding the cloud increase. How, as a legal leader, can you ensure your sensitive ediscovery data is safe and protected when working with third-party vendors, from tools like Zapproved to services like remote review teams or outside counsel? And why should you care about vendor security in the first place?
Reason 1: Ediscovery Vendors are Targets
Third party vendors–especially vendors whose bread and butter is more service than technology–may not have strong security controls in place. It’s just not where they are focused. Hackers and would-be-hackers know this, and view third-party vendors as easier targets than larger enterprises with fully staffed security teams and a mature security profile.
The statistics are alarming. The number of third-party breaches increased by 35% between 2017 and 2019, with a 273% jump in the number of records exposed in those breaches. In other words, more breaches are exposing more data every year.
Reason 2: A Breach to Them is a Breach to You
Any breach is bad, but a breach of ediscovery data should keep all of us up at night. The data is a treasure trove. Not only do emails, Sharepoint files, Teams messages, and Slack data contain PII, they also contain business sensitive information. Depending on the work your organization does–healthcare, pharmaceutical, energy–the data might also contain trade secrets or personally embarrassing disclosures from your executives and employees. We all remember the Sony emails. Nobody wants to be on the other side of that.
When you send ediscovery data to a vendor, all that information leaves your home system and goes to live in your third-party databases. A breach to those third party databases is the same as a breach to your home systems.
Reason 3: Contracting Will Go Smoother
Vendor Security Risk Management is becoming a practice domain in and of itself. Enterprise IT and InfoSec teams should be running all vendors through security assessments, and may flat out deny contracting with any third-party that doesn’t pass their controls.
Sometimes, this may feel as if the security team is blocking the solutions and workflows that the legal team needs. After investing the time and resources and, frankly, emotional energy in evaluating and choosing a long-term ediscovery partner, having the partnership hung up in contracting is difficult and disheartening.
To help your selection go smoothly through contracting, two things are important. First, you should engage with vendors with strong security postures from the start of a third-party vendor selection process. This will up your chances of getting the solution you want and that’s right for your ediscovery team. Second, involve your IT or InfoSec teams early to identify their security needs for third-parties. Inviting IT or InfoSec to the table early will help create a collaborative selection process, and will minimize the sometimes contentious communication that can develop in a selection process.
Security Features to Look for from Ediscovery Vendors
- This is a now-standard security practice of transforming data from plaintext (its native form) to something that’s unreadable by humans. In order to decrypt and decrypt, you need an encryption key. Encryption practices mature every year as hacker’s ability to decrypt also matures. As with everything in security, encryption is an arms race.
- You’ve most likely used MFA on a banking app or other personal-life system. Fundamentally, MFA is a level of access control that adds a layer on top of username and password. If you can’t authenticate through two different forms–password + mobile, or email authentication + password, for instance–the system denies access, assuming the attempt is made by a malicious party.
Role-Based Access Control
- Role-based access control–or RBAC (pronounced are back)–is a security practice that recognizes that not everybody in an organization needs access to the same information. Only certain roles need to see certain information. Creating access controls on user’s access to information minimizes that amount of data available should there be an identity breach.
Written Data Security Policies
- Employees come and go. Leadership changes. A security posture should not suffer when teams change, when companies grow, when new headcount is added, when long-term subject matter expertise is lost. Having a security policy that is written and documented helps ensure standard security practice over long periods of time. Documented security policy is one of the hallmarks of a mature (or maturing) security posture, and is critical for an organization to manage itself as its people change.
- Your home systems have data retention policies set, but sometimes that data continues to live in third-party systems long after it should. Make sure to confirm your third-party data-purging practices as part of your security evaluation. Legal teams do not frequently consider what happens when a case is closed, or after a matter has been resolved. But old data is still data, and is still vulnerable to a breach.
How Zapproved is a Top Rated Secure Ediscovery Software For Corporate Legal Teams
Protecting Your Data
- We monitor and log all access to our applications and cloud environments to ensure your data is always secure. Our security industry leading practices include regular data backups, data encryption at rest and encryption in transit.
Securing our Environments
- Our security is your security. We host our applications in US-based data centers. We are encrypted in transit and at rest, and have a segmented network architecture to minimize risk profile. We also have ongoing alerting and monitoring capabilities for a fast and proactive response.
- Our applications and environments undergo the full gambit of security testing to keep your data safe. We conduct monthly vulnerability scans, as well as static code analysis on every push and annual third-party gray box penetration testing. In addition, we have a robust and well-documented third-party review of vendor security practices. We practice what we preach.
Security Gold Standard Compliance
- We have established controls to comply with the gold standard in SaaS security audits. Our AICPA SOC 2 Type 2 audit is performed annually by a leading national audit firm. Our controls are mapped and tested against AICPA security, confidentiality, and privacy principles. In addition, we are GDPR and CCPA compliant.