Cybersecurity and personal privacy are real and compelling concerns. Whether we know it or not, virtually everyone has been victimized by a data breach. Lawyers are tempting targets for hackers because lawyers and law firms hold petabytes of sensitive and confidential data. Lawyers bear this heady responsibility despite being far behind the curve of information technology and arrogant in dismissing their need to be more technically astute. Cloaked in privilege and the arcana of law, litigators have proven obstinate when it comes to adapting discovery practice to changing times and threats, rendering them easy prey for hackers and data thieves.
Corporate clients better appreciate the operational, regulatory and reputational risks posed by lackluster cybersecurity. Big companies have been burned to the point that, when we hear names like Sony, Target or Anthem, we may think “data breach” before “electronics,” “retail” or “health care.” The largest corporations operate worldwide, and so are subject to stricter data privacy laws. In the United States, we assume that if a company owns the system, it owns the data. Not so abroad, where people have a right to dictate how and when their personal information is shared.
Headlines have forced corporate clients to clean up their acts respecting data protection, and they’ve begun dragging their lawyers along, demanding that outside counsel do more than pay lip service to protecting, e.g., personally-identifiable information (PII), protected health information (PHI), privileged information and, above all, information lending support to those who would sue the company for malfeasance or regulators who would impose fines or penalties.
Corporate clients are making outside counsel undergo security audits and requiring that their lawyers institute operational and technical measures to protect company confidential information. These measures include encryption in transit, encryption at rest, access controls, extensive physical security, incident response capabilities, cyber liability insurance, industry (e.g., ISO) certifications and compulsory breach reporting. For examples of emerging ‘standards,’ look at the Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information lately promulgated by the Association of Corporate Counsel.
Forcing outside counsel to harden their data bulwarks is important and overdue, but it’s also disruptive and costly. Many small firms will find it more difficult to compete with legal behemoths. Savvier small firms, nimbler in their ability to embrace cybersecurity, will frame it as a market differentiator. At the end of the day, firms big and small must up their game in terms of protecting sensitive data.
Enhanced cybersecurity is a rising tide that floats all boats.
Well, maybe not all boats. Let me share who’s likely to get swamped by this rising tide: requesting parties (or, as corporations call them, “plaintiffs’ lawyers”), and their experts and litigation support providers. Requesting parties and others in the same boat will find themselves grossly unprepared to supply the rigorous cybersecurity and privacy protection made a condition of e-discovery.
Again, cybersecurity and personal privacy are real and compelling concerns, but these security concerns will also be used tactically to deflect and defer discovery. They will serve as hurdles and pitfalls tending to make plaintiffs’ lawyers think twice before pursuing meritorious cases. If you haven’t run into this, you soon will, and your instinct may be to resist. Don’t.
Fighting to be cavalier about data security is a battle that requesting parties cannot win and should not fight. Requesting parties must instead be ready to put genuine protections in place and articulate them when challenged.
I know some will say, “All we have to do is sign a protective order.” But they don’t see the trap set by executing protective orders without the ability (and sometimes without the intention) to meet the obligations of the order. High-profile gaffes will follow, and the failure of a few will be the undoing of many.
A protective order isn’t the answer if it’s an empty promise. Requesting parties can’t agree to employ stringent data protection and then go about business as usual: e-mailing confidential data, storing it on unencrypted media and failing to ensure that all who receive confidential data from counsel handle it with requisite caution.
Here’s how it will go down for some prominent plaintiffs’ lawyer:
- Producing parties will demand protective orders imposing stringent-but-appropriate data protection practices and breach reporting requirements.
- Requesting parties will sign these orders because—let’s be frank—requesting parties will agree to almost anything if they believe it will get them “the smoking gun.” Plus, how do you persuade a judge that she shouldn’t issue a protective order when all the other side wants are sensible measures like access controls, encryption and breach reporting to protect sensitive data and PII?
- Requesting parties will treat information produced in discovery with the same care they bring to their own confidential information, which is to say, not much and less than that protective orders typically require.
- Confidential data will be mishandled, probably with so little actual prejudice as to prompt requesting counsel to ignore the breach reporting obligation in the order, reasoning “no harm, no foul.”
- The breach will ultimately come to light, opening counsel’s mishandling of produced data to scrutiny and prompting discovery-about-discovery. The failure to set up secure systems, establish policies, train employees, test and audit processes and require contractors and experts to do the same will be gleefully dissected in court.
- The producing party will beat its chest in lamentations of irreparable harm. The legal press will have a field day. The judge will be wrathful. The requesting party’s counsel will look like a clown and might lose his ability to serve on plaintiffs’ steering committees.
- Producing parties will ceaselessly argue the now-proven hazard of e-disclosure, and requesting parties everywhere will be tarred with the same brush, challenged to prove they aren’t going to be the next ugly breach. Judges will be less willing to grant full and fair discovery and more willing to impose arduous conditions for access.
A cynical and dystopian prediction? Perhaps. But, don’t imagine it won’t happen. It’s happening now.
The way to keep this in check is for requesting parties to act now to prepare to receive and protect confidential data sought in discovery.
Requesting parties cannot expect to be held to a lesser standard of cybersecurity than the producing parties compelled to surrender confidential data to them. A grizzled trial lawyer once warned me, “Defendants are forgiven several lies. Plaintiffs get none.” So, a party can be incautious with its own data because the data is its own; but counsel who fail to protect an opposing party’s confidential data will be harshly judged. They don’t just hurt their clients and opponents; they undermine the very foundations of discovery.
So, what must counsel for requesting parties do? Here are a dozen suggestions:
- Take cybersecurity duties seriously. It’s not someone else’s job. It’s your job. You are the gatekeeper. This is Rule One, not by accident.
- Don’t just treat an opponent’s confidential data with the care you afford your own; treat it better. It’s like money in your trust account. You don’t treat client monies/data like your own. You don’t commingle client monies/data with yours, and you don’t use that money/data for anything but permissible purposes with careful recordkeeping.
- If there’s a protective order, read it closely and be sure you fully understand what it obliges you to do in terms of the day-to-day conduct of any who access confidential information.
- A proper chain of custody is essential. You must be ready to establish who received confidential data and the justification for its disclosure. You must be able to prove you had a good faith basis to believe that the person receiving confidential data understood the need to protect the data and possessed the resources, training and skill to do so. This obligation encompasses anyone who gets the data from you, including experts, clerical staff, associated counsel and service providers. Anyone with access to confidential data must be well-prepared to protect the data because their failure is your failure.
- Proceed with caution when disclosing confidential data to experts. Industry experts serve multiple masters and may seek to exploit confidential data obtained in one matter in other engagements. Secure the expert’s written commitment not to do so, and enforce it. As well, don’t supply confidential data to an expert without first obtaining the expert’s consent to receive and protect it. People who appreciate the burden of protecting other people’s sensitive data want to hold as little of it as possible.
- Recognize that you don’t get to decide what data warrants protection. The designation rules. If you think something isn’t properly designated as confidential or sensitive, challenge the designation; but, until the other side concedes or the Court rules, the designation sets the duty.
- Confidential data should be encrypted in transit and at rest. This means that none of the confidential data gets attached to an e-mail, moved to portable media (e.g., a thumb drive or a portable hard drive) or uploaded to the cloud unless it is encrypted. No exceptions. No excuses. BTW, if you store or transmit the decryption keys alongside the encrypted data, it doesn’t count as encrypted.
- Perimeter protection isn’t enough. The biggest risks to confidential data are internal threats, that is, from a craven or careless member of your own team. Trust but verify. Access to confidential data should be afforded only on an as-needed/when-needed basis.
- Access to confidential data must be monitored and logged, as feasible. Remote access and after-hours access should be audited. Safeguard the other side’s confidential data in much the same manner as banks protect the contents of safety deposit boxes: there is physical security (walls, doors, alarm systems and guards) and monitoring of the perimeter (cameras and key cards). There’s a vault to keep all contents safe when the perimeter is breached, and access controls to make contents available only to authorized persons (dual-keyed boxes and ID/signature scrutiny). Data protection likewise incorporates elements of perimeter security (limiting physical access to the devices and systems), monitoring (logging and auditing), a vault (strong encryption with sound key management) and access controls (two-factor login credentials and user privilege management).
- Have a written data security and incident response policy and protocol in place and conform your practice to it. Be sure all employees with access to sensitive and confidential data agree to be bound by the policy and train everyone in proper cybersecurity. You must first recognize a risk to be prepared to meet it. “No one told me to do that” is not the testimony you want to hear when your staff take the stand.
- Be wary of oppressive obligations to destroy or “return” data when a case concludes. Confidential case data tends to seep into mail servers, litigation databases, document management tools and backup systems. Are you prepared to shut down your firm’s e-mail and destroy its backup media because you failed to consider what an obligation to eradicate data would really entail? Have you budgeted for the cost of eradication and certification when the case concludes?
- Consider cloud-based storage and review tools that integrate encryption, two-factor authentication and access logging. The cloud’s key advantage lies in a user’s ability to shift many of the physical and operational burdens of cybersecurity to a third-party. It’s not a complete solution, but it serves to put a secure environment for confidential data within reach of firms of all sizes.
If this sounds like a big, costly pain, you’re paying attention. It’s a headache. It slows you down, and the risks grow and change as fast as the technology. But if requesting parties don’t put adequate protections in place on their own, courts will allow producing parties to dictate what hoops requesting parties must jump through to obtain discovery – if, indeed, courts don’t deem the risk so disproportionate that they deny access altogether.
E-discovery is hard enough. Don’t make it harder by giving opponents the ability to claim you can’t be trusted to protect their information.
Jill McIntyre said:
This may go without saying, but counsel for producing parties often share the same confidential data with their own experts, engendering similar concerns. Super insights, Craig.
j. abeles said:
Excellent outline of the problem. I would tie up one more loose end in terms of defensible (proactive or passive) destruction of data for closed matters or data which has outlived its retention requirements, not to mention the corollary benefits of reducing storage & fees.
Absolutely excellent post overall, and thank you for mentioning “chain of custody”, a ‘link’ if you will in the discovery process that is so overlooked and under-managed; I harp on this so often to vendors and clients when sharing data.
Since your blogroll (sidebar) includes Doug Austin’s blog, it bears mentioning the excellent webinar that Doug & team published just yesterday (May 31) on this very subject. It amplifies your very valid points and adds some valuable related info, e.g., citations to case law and other reference info. I believe it’s available to all visitors (possibly a registration is required) & highly recommend its straightforward, checklist-style treatment to readers of this post. Find it at https://www.ediscovery.co/webcasts/what-attorneys-need-to-know-about-cybersecurity/
Doug Austin said:
First of all, thanks to ESIDence for the webinar plug!
Great post as always, Craig! At the Master’s Conference in Chicago last week, there was a session (panelists were Martin Tully of Akerman, Jason Priebe of Seyfarth Shaw and Stuart Hubbard of Bradley Arant Boult Cummings, moderated by Robert Childress) where they discussed this very topic and the need for attorneys to be more proactive in data protection beyond just the assumption that it will be covered in a protective order. There was even (very hypothetical) talk about refusing to produce to a party that couldn’t demonstrate adequate data protections. Love the list of suggestions, especially with regard to chain of custody, which is even more important than ever in these days of frequent data breaches.
As a cloud provider, it’s interesting to me how many firms who consider engaging us want considerable information about our security infrastructure and policies and whether we are compliant with standards like HIPAA, FISMA and ISO 27001 (which we are), but fail to observe those same standards at their own firms when they are managing much of the same client data we are. I wonder when their clients will hold them to those standards.
The cobbler’s children are often unshod.