By Paul Hiteshew

Published on Fri, June 5, 2020

You’ve likely heard more than a few times in recent years how attractive the legal industry has become to cyber criminals as law firms, corporations, and service providers have been hit by a steady stream of data breaches and security incidents. Ensuring that sufficient security protocols are in place for your outside vendors who are managing large portions of the ediscovery process, as well as keeping a close eye on your own internal processes, are at the top of the list of cybersecurity challenges in the rapidly evolving ediscovery world.

The Risks of Cybersecurity in eDiscovery – Is Your Data Safe

Most companies aren’t even aware when they’re hacked, and some that experience a breach don’t report it. Given that reality, how can you ensure your data is safe? Even if you haven’t yet been hit by a large-scale breach, your data has likely still been exposed at some point. To decrease risk, corporations and law firms need to ensure cybersecurity is a focus for all stakeholders across their organizations. Below are the top five considerations when it comes to the scope of the overall cybersecurity threat in ediscovery and who is most at risk:

  1. Cybersecurity market trends – The data breaches and incidents you hear about are just the tip of the iceberg. The majority are undetected or unreported, and most companies aren’t even aware when they’re being breached. One of the biggest issues for all organizations is reporting, and it’s critical to understand that just because you can’t see it doesn’t mean it isn’t happening. In addition, many companies are being hacked daily but not yet reporting the breach. There are also many different forms of breaches that can be differentiated from the exfiltration of data. Everything can be categorized as an incident, but that doesn’t mean it qualifies as a breach. Chances are good that your organization has been breached in some manner.
  2. General risk landscape – As COVID-19 has transformed the information security risk landscape, there’s been a huge shift to remote work, which disrupted a lot of companies. Bad actors are taking advantage of this shift, and some organizations have struggled to get adaptable security controls in place. The shift to working from home also brings in a whole new level of tools and communication methods that open up big security vulnerabilities. It’s imperative to understand what your current risk looks like and to have risk mitigation strategies in place. Take a look at your data landscape and understand that different types of data have different importance levels. From a risk perspective, prioritize the security of more sensitive data over other less important types of data.
  3. Attention shift to security in legal – An often overlooked security vulnerability in the EDRM is data retention. Organizations commonly have data sitting around with no expiration, and that increases your risk profile substantially. Another area of vulnerability is around access control processes. If you allow everyone to access all of your data and lack tracking mechanisms, you’ve got a serious existing risk. Now is the time to augment your processes, limit access, and track exactly where your data goes. In addition, when third parties have access to your data, it’s imperative to establish a strong working relationship with those suppliers and maintain an active touchpoint. Yearly assessments aren’t sufficient: you need regular audits, and you want those suppliers to be experts in your company and as invested in your company as you are.
  4. Importance of culture and mindset – Establishing a strong cybersecurity culture and mindset across your organization is one of the most important components of reducing risk. To make the risks salient to people across the organization, hone your message to your various employee groups and empower them with the tools for the best security. COVID-19 forced cybersecurity to become more of a priority overnight, but going forward, it’s that culture that needs to come from within a company so everyone understands the risk management strategy and how to keep data safe. Talk to your employees more and get them invested in prioritizing cybersecurity while also focusing on establishing trust across your business lines.
  5. In-house vs. outsourcing – Data volumes are exploding and digital transformation is now a commonplace concept, but the legal industry is notoriously slow to catch up. When contemplating whether to keep your IT infrastructure and security in house or to outsource it, consider implementing a structure where in-house resources drive the cybersecurity agenda, but a properly set up outsourced provider takes responsibility for your cybersecurity. In this model, you’ll have a structure with more candid education and input on your risk structure as well as dedicated security experts handling the risk. When choosing an outsourced model, make sure you understand a provider’s SLAs and guarantees around cybersecurity products like ransomware.

Ultimately, cybersecurity is not just the organization’s responsibility; it’s everyone’s responsibility. It’s critical to stay on top of your security environment, develop strong relationships with third parties who hold your data, and create processes that ensure you’re always paying attention. Particularly in the ediscovery space, it’s important to shore up the information governance side of your house with data retention policies, because holding on to data for too long only increases your risk profile. If you have any questions or want to share your cybersecurity journey in ediscovery thus far, please feel free to reach out to me at PHiteshew@lighthouseglobal.com.
About the Author
Paul Hiteshew

Executive Director, Security Engineering and Operations

Paul has over 20 years of experience in building and running large enterprise-scale infrastructure globally. He has 10+ years running incident response and security teams globally. He has deep expertise in strategy, design, and implementation of operations and security engineering. He has extensive experience in rolling out global operations in emerging markets and expertise in security compliance and data protection/recovery.