Data is the lifeblood of our modern economy. As the pace of digital transformation continues to accelerate, organizations around the globe will depend even more on insights they can glean from the vast amounts of information they collect. However, that same information can make them juicy targets for cyber bad actors. In December 2020, the SolarWinds hack exposed more than one hundred organizations, including Fortune 500 companies and government agencies. No organization is safe.
Data security is a must, and that holds true for your ediscovery data as well. Shockingly, a recent survey found that only 19 percent of ediscovery professionals had conducted security audits on their outside legal service providers. Whether you perform ediscovery in-house or not, it’s important to ensure your defenses are keeping up with ever-evolving cyber threats. When conducted properly, audits go beyond catching non-compliant behavior and can be an effective way to measure, test, and reinforce security protocols on an ongoing basis. Let’s take a look at what’s involved in conducting a successful security audit of your legal data.
The 5 Main Points of Ediscovery Risk
One of the biggest advantages of bringing ediscovery in-house is it allows you to create, maintain, enforce, and evaluate your own security standards. However, to fully realize these benefits it’s important to gain full confidence in the security practices of your ediscovery software vendor.
We recommend looking for software providers whose applications and data hosting are both SOC 2 Type 2 certified. This certification lets users of cloud services see how well their data is protected. Vendors should be open to having you review their current certification report and answering any questions you may have.
There are five main aspects of ediscovery that risk exposing sensitive company data:
- Internal policies – These dictate how data should be handled and accessed, both by your employees and third-party vendors. Shoring these up is a vital first step to ensuring sensitive information stays secure.
- The people subject to those policies – People are often referred to as the weakest link in security. The most comprehensive policies won’t keep your organization safe if the people that have access to your data fail to follow them.
- Storage infrastructure – How your data is stored can impact its security. Regardless of if it’s saved on a local network or in the cloud, there are a number of considerations that should be made around how your data is saved.
- Applications – Similarly, applications—both local and cloud-based—can introduce vulnerabilities that can lead to a data breach.
- Partners – Third parties including vendors, service providers, and law firms can all introduce security risks into your ecosystem.
Doing Your Pre-Audit Due Diligence
Before you jump into a data security audit, it’s also important to gain a clear understanding of the data you’re sitting on and the people and processes involved in managing it. Some key steps include:
- Evaluating your current data security audit process. If you’re unaware of your existing auditing processes, we highly recommend sitting down with your IT lead to critically examine current practices and determine any potential areas of improvement.
- Gaining an understanding of your full data picture. It’s nearly impossible to keep your data secure if you don’t know exactly where it lives. Your organization likely has a data map for identifying, locating, and preserving relevant data and electronically stored information (ESI) for ediscovery. Use this as a starting point to document every type of discoverable data generated by your company.
- Factoring in employees. Once again, people can be a wild card when it comes to security. It’s important to evaluate the categories of employees that engage with each subset of data and determine how to best ensure compliance with security policies.
Getting Started
Once you have an idea of your data map and processes, you’ll want to determine key parameters for your audit, including:
- Who should you audit? You’ll almost always start with the teams and practices within your organization. We also recommend expanding your audit to include partners like vendors and outside counsel to ensure their security practices meet your standards.
- Who should conduct your audit? The most cost-effective option is almost always your internal IT department. However, an internal team can introduce bias into the process, so it may be worth the additional cost to hire an objective third party to conduct the audit.
- When should your audit take place? Not only do you need to determine the timeframe of your audit, but you should also establish a cadence of follow-ups. It’s important to frequently check your defenses to ensure you’re keeping up with new threats.
Conducting a data security audit requires an investment of time and resources but the benefits far outweigh the costs. Your legal data is one of your most sensitive and valuable assets. A security breach may expose you to potential financial and reputational damage. Protecting that data should be a top priority for every organization.
Dig deeper by reading our guide “How to Conduct a Data Security Audit.”