Needles, Hay & E-Discovery

Sometimes the signal-to-noise ratio can unintentionally function as a security feature.  In other words, if you are a needle hiding in a haystack, the hay protects and provides the cover of camouflage.  E-Discovery turns this analogy on its head, which is why information security for law firms and e-Discovery vendors is a pressing and critical issue.

The very nature of the expansive disclosure obligations amongst parties to a litigation under US and UK law means that vast quantities of data are going to be transferred between the players.  The process by which this occurs is familiar to lawyers, especially younger associates who have been delegated the unenviable task of sifting through thousands of e-mails, documents, and reports to identify the very high-grade ore amongst the rubble dumped on their firm. As for the side doing the dumping, e-mails, documents, and reports which are considered trade secrets, privileged, or otherwise confidential and non-responsive have been tagged and culled before the exchange of data.

In short, the hay has been sifted and all the needles identified.  

If these needles are the digital equivalent of trade secrets, privileged communications, confidential business plans, or any other sort of data that should not make its way to the public domain, then perimeter security surrounding this data at rest should be – at a minimum – viewed as a best practice.

In an article published recently by Bloomberg BNA, Gabe Friedman makes several excellent recommendations for drafting protective orders that require a receiving party to be responsible for reasonable information security practices when receiving and handling data during the discovery phase of a litigation.

Friedman recommends that litigants require their adversaries to do the following:

1. Sign a protective order attesting that the receiving law firm meets certain basic cybersecurity protocols and that it indemnifies the disclosing party company against any risk of breach;

2. Use a trusted e-Discovery vendor; or

3. If all else fails, the party must access the data through a separate trusted e-Discovery vendor.

These recommendations, however, raise several additional issues for law firms and litigants, especially in light of the alarming prediction that 80% of the top 100 law firms have already been compromised.  Namely: 

1. What are the basic cybersecurity protocols a law firm should apply as a matter of best practices?

2. Are law firm practices case-specific, meaning do some matters require more information security precautions than others; and if so, which?

3. What is a trusted e-Discovery vendor, and what are the e-Discovery best practices designed to enhance information security?

Add to this the complex issue of auditing the security of your adversary or e-Discovery vendor and you have a hydra-like combination of information security, law, compliance, and judicial economy.  And with information security concerns on the rise for litigants and firms alike, these issues are sure to be raised frequently and fervently.

These mixed questions of law and security are the reason why Black Chambers exists.  We are here to help establish best information security practices for your firm, and will be there if your organization needs to find a trusted e-Discovery vendor, or audit your adversary.