Information Security in the eDiscovery Process


Information security is a high-priority concern for both corporations and law firms in the eDiscovery process. The challenge is translating this concern into practice. Failing to take special care to ensure security can expose your company's or client's most critical information. A centrally managed, systematic approach based on a formal management system is the best way to ensure the highest level of information security.

In this session, we will offer an overview of information security best practices, standards and processes, such as:

::: Why is a process-driven approach to information security needed?
::: Who should be responsible for information security in the eDiscovery process?
::: What are the hallmarks of good information security?
::: How do you evaluate the information security practices of your eDiscovery partner or vendor?

Published in: Technology

  1. Information Security in the eDiscovery Process
  2. CLE Information
     For attorneys requiring CLE, a CLE Verification Code will be given verbally during this session. Please pay close attention and write down the code for your records. You may need this code to get your CLE.
     If you have any questions, members of this panel will be in the networking lounge immediately following this session. Please save your questions and visit us there.
  3. Panelist Introductions
     Aaron Crews, eDiscovery Counsel, Littler Mendelson P.C.
  4. Panelist Introductions
     Mark Michels, Former Litigation & eDiscovery Counsel, Cisco Systems, Inc.
  5. Panelist Introductions
     Doug Stewart, Director of Technology, Daegis
  6. Panelist Introductions
     Andy Teichholz, Esq., Senior eDiscovery Consultant, Daegis
  7. Today’s Topics
     What are the information security risks?
     Why is a process-driven approach to information security needed?
     Who should be responsible for information security in the eDiscovery process?
     What are the hallmarks and best practices of good information security in the eDiscovery process?
     What’s the best way to evaluate the information security practices of your eDiscovery partners?
  8. Information Security Defined
     “Information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
     Integrity: guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity;
     Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
     Availability: ensuring timely and reliable access to and use of information.
     44 U.S.C. § 3542(b)(1)
  9. Risk and Responsibilities
  10. The Dominant eDiscovery Risks
     Mind the Gap
     Hand-offs between parties
     Changes / Exceptions / Rushes
     Information security red flags
     General lack of awareness
     Treating information security as an IT issue
     Uncontrolled copies
     Shared accounts / uncontrolled access
     Lack of audit trail / chain of custody
     Productions
     Pre-production information security protections
     Data destruction / sanitization at conclusion of litigation
  11. Data Types / Controls
     HIPAA
     Export controlled
     Data privacy / EU / PII
     PCI
     Financial regulations
     State laws / regulations governing data breach notifications
  12. Sample eDiscovery Risk Analysis (risk matrix; legend below)
     CP = Corporation | LF = Law Firm | SP = Service Provider
     Risk: 1 (low) to 5 (high) scale
     C = Confidentiality | I = Integrity | A = Availability
  13. Sample Risk Analysis (continued)
     People (very high)
     Process / procedures (high)
     Technology (moderate)
     Transportation of data (very high)
     Production and copy sets (high)
     Presentation / trial exhibits (high)
  14. Why a Process-Driven Approach
     Systematic approach
     Risk assessment and treatment
     Collaborative / 360° view
     Continual improvement
     Documented
     Audited
     Thoughtful & proactive, not ad hoc & reactive
  15. Who is Responsible?
     Information security is not solely an IT issue
     Cross-functional teams including IT, operations, PMs, specialists, records and legal
     A collaborative approach is needed
     Corporation(s)
     Law firm(s)
     Service providers
     Define roles in the project plan
  16. Hallmarks & Best Practices
     Address information security in the project plan
     Ensure all parties understand their obligations
     Enter protective orders / confidentiality agreements
     Encrypt all data when in transit
     Encrypt all deliverables
  17. Hallmarks & Best Practices
     Limit access to business need
     Restrict and control copies
     Produce the smallest volume of sensitive data
     Audit
        User permissions and access
        Compliance with information security procedures
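The integrity and chain-of-custody points in this deck (the 44 U.S.C. definition of integrity, the "lack of audit trail / chain of custody" and "uncontrolled copies" risks, and the hallmarks "restrict and control copies" and "audit") can be made concrete with a hash manifest that is checked at every hand-off between corporation, law firm and service provider. The block below is an added example, not code from the slides or the panelists. It uses only the Python standard library; the file names, file contents and the shared key are constructed for the demonstration, and HMAC is used in place of a digital signature (a signature would additionally give the non-repudiation the statute mentions).

```python
# Added example: chain-of-custody manifest for a production set.
# Not from the slides. Assumes a production set is a directory of files
# and that producer and recipient share a secret key (constructed here).
import copy
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large productions do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation: the HMAC must cover exactly the same bytes
    # on both sides regardless of dict ordering or whitespace.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes, producer: str, recipient: str) -> dict:
    """Producer side: record who handed what to whom, then authenticate it.

    HMAC with a shared key is used because it is in the standard library; a
    digital signature would additionally give non-repudiation across parties.
    """
    body = {"producer": producer, "recipient": recipient, "files": hash_tree(root)}
    return {"body": body, "hmac": hmac.new(key, _canonical(body), "sha256").hexdigest()}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> list:
    """Receiver side: return a list of problems; an empty list means the set is intact."""
    problems = []
    expected_mac = hmac.new(key, _canonical(manifest["body"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["hmac"]):
        problems.append("manifest HMAC mismatch (manifest altered or wrong key)")
    expected = manifest["body"]["files"]
    actual = hash_tree(root)
    for name in sorted(expected):
        if name not in actual:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(actual[name], expected[name]):
            problems.append(f"modified: {name}")
    for name in sorted(actual):
        if name not in expected:
            problems.append(f"unexpected: {name}")  # an uncontrolled copy or stray file
    return problems


def demo() -> dict:
    """Walk one hand-off: clean transfer, an altered manifest, then altered files."""
    key = b"constructed-demo-key-do-not-reuse"  # constructed; never hard-code a real key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample production set.
        (root / "PROD0001.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (root / "PROD0002.txt").write_text("constructed email body\n")
        manifest = build_manifest(root, key, "CP (Corporation)", "LF (Law Firm)")
        clean = verify_manifest(root, manifest, key)

        # Someone re-addresses the manifest without the key: HMAC no longer matches.
        forged = copy.deepcopy(manifest)
        forged["body"]["recipient"] = "SP (Service Provider)"
        forged_result = verify_manifest(root, forged, key)

        # Files change between hand-offs and a stray copy appears in the set.
        (root / "PROD0001.pdf").write_bytes(b"%PDF-1.4 altered after production\n")
        (root / "notes.txt").write_text("uncontrolled copy\n")
        tampered = verify_manifest(root, manifest, key)
    return {"clean": clean, "forged": forged_result, "tampered": tampered}


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(stage, "->", problems or "OK")
```

In practice the manifest travels alongside the encrypted deliverable, each party runs the verification on receipt and records the result (who, when, outcome) as the audit trail, and the same check is repeated before destruction or return at the close of the matter so the "including all copies made" obligation can be evidenced rather than asserted.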
  18. ND Cal Protective Order Levels
     CONFIDENTIAL
        (a) Outside counsel of record and their employees;
        (b) Other parties’ employees;
        (c) Experts;
        (d) The court and its personnel; and
        (e) Court reporters, professional consultants and vendors
     HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
        (a), (c), (d) & (e) above
        In-house counsel with no competitive decision-making role
     HIGHLY CONFIDENTIAL – SOURCE CODE
        (a), (c), (d) & (e) above
  19. ND Cal Source Code Provisions
     Inspection
        On a secured computer
        In a secured room with no Internet or network access
        Party may not copy code onto any recordable media or device
     Copies
        Limited paper copies, Bates numbered and labeled “HIGHLY CONFIDENTIAL - SOURCE CODE”
     Receiving Party
        Maintain all printed copies in a secured, locked area
        Maintain a record of the individuals who inspected the source code
        May make additional paper copies for pleadings, expert reports or depositions
        May not create any electronic images of the paper copies
  20. Export Control Protective Order Provisions
     Export Control. Disclosure of Protected Material shall be subject to all applicable laws and regulations relating to the export of technical data . . . , including the release of such technical data to foreign persons or nationals in the United States or elsewhere. The Producing Party shall be responsible for identifying any such controlled technical data, and the Receiving Party shall take measures necessary to ensure compliance.
  21. HIPAA Protective Order Terms
     This Order authorizes disclosure of Protected Health Information pursuant to 45 C.F.R. § 164.512(e) of the Privacy Regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Further, pursuant to 45 C.F.R. § 164.512(e)(1)(v), this Order is also a Qualified Protective Order and all parties and attorneys are hereby: (A) Prohibited from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and (B) Required to return to the covered entity or to destroy the protected health information (including all copies made) at the end of the litigation proceeding.
     This Order does not permit disclosure of confidential communications made for the purposes of diagnosis or treatment of a patient’s mental or emotional condition, including alcohol or drug addiction, nor does this Order permit disclosure of records or information relating to HIV testing or sexually transmitted disease which are protected from discovery by any statute, court rule or decision.
     Nothing in this Order authorizes any party or any attorney for any party to release, disclose, exchange, submit, or share any Protected Health Information with any other person or entity unrelated to this litigation.
  22. Evaluating Information Security: Ask Questions
     Make use of the RFI / RFP to ask information security questions
     Ask people, process and technology questions
     Audit / inspect
     Trust, with verification
     Check references
  23. Information Security Certifications
     ISO 27001: auditable international standard with 133 controls (Annex A of the 2005 edition)
     SAS 70: less defined than ISO 27001 but widely used in the US
     SSAE 16: supersedes SAS 70; additional requirements added
     EU Safe Harbor and similar: self-certification needed to handle data from the EU and other jurisdictions
  24. ISO 27001
     Risk assessment
     ISMS
     Policies and procedures to implement controls
     Scope must be defined
     Management sponsorship and review
     Continual improvement
     Scheduled internal and external audits
     User awareness / understanding of obligations
  25. Continual Improvement
     Quality & innovation cycle (Plan-Do-Check-Act): TQM, Six Sigma, ISO 9000 & 27001
     Source: Shewhart / Deming
  26. Thank You!
     Questions?
     Contact:
     Aaron Crews –
     Mark Michels –
     Doug Stewart –
     Andy Teichholz –