publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/338432
ILTA WHITE PAPER: JUNE 2014 WWW.ILTANET.ORG 35

BE CAREFUL WITH YOUR DATA

It is important to understand that security and privacy concerns for the cloud are not all theoretical. Many solo and small firms utilize Dropbox for cloud-based file access and storage. While the convenience and performance of Dropbox cannot be refuted, it would be wise for those concerned about security and privacy to take a deeper look. Services like Dropbox have terms of service that grant senior engineers access to any content stored on their cloud-based systems. That access should raise eyebrows for anyone with data stored that is bound by attorney-client privilege.

In addition, when you have attorneys come and go within a firm, it is difficult to retain full control over data hosted in the cloud. The data synchronizes with cellphones, tablets, PCs, Macs and more. Just cutting off access to a departed employee only limits future synchronization; it doesn't delete the multiple offline copies of client data that might be lingering on rogue systems. That could be a big problem for adhering to record retention policies and client directives to destroy or retain client data.

There is also very little oversight or third-party validation of cloud providers' security systems and controls. The process to become ISO certified and have security controls validated is expensive and time-consuming. But be vigilant; ISO certification does not guarantee a secure system.

The debate about the cloud as it relates to privacy and security will exist for many years to come. More and more firms are putting both e-discovery and DMS client data on cloud-based systems. However, voiced concerns are valid, and the cautious are wise to ask more questions of vendors offering cloud-based storage systems. Even the most robust cloud-based systems have suffered from outages and are subject to data breaches.
Invest in great people and tools to secure the data and understand that it is a continual process to address security and privacy, not a one-and-done exercise. There is no black-and-white answer to where your data should be hosted. Your strategy could change, depending on the situation. Taking privacy and security into consideration, along with client needs, will help guide you when determining if you should handle your different data differently.

DIFFERENT DATA, DIFFERENT SECURITY?

15 Security and Privacy Questions for E-Discovery Systems

• How much data is there and what data types need to be stored?
• Who needs access to the e-discovery data? Do external parties need access?
• Who will maintain access lists, and how often will they be audited?
• What e-discovery tools will be used, and are they cloud-compatible?
• Have you vetted the various e-discovery cloud providers/platforms? What are their SLA provisions, and are they ISO certified?
• Is the cloud e-discovery platform on a shared infrastructure?
• Are there multiple copies of the data (who has access, where are the data kept)?
• Are there any regulatory issues involved in the case or with the data?
• Are there any region-specific laws or rules involved (e.g., Safe Harbor)?
• Is the e-discovery database redundant and/or backed up or replicated?
• How long will the data need to be kept (i.e., any record retention policies)?
• Where is the cloud provider's data center, and are they ISO certified?
• Has the provider or partner ever suffered a data breach?
• What is the e-discovery data life cycle plan once the case concludes?
• What happens to originals, paper, load files and other media provided during the discovery process?
• If outside vendors are used to process the e-discovery data, have their security policies been audited? Are they ISO certified? Do they destroy and certify all copies have been turned over or deleted?