publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/518940
ILTA WHITE PAPER: MAY 2015 WWW.ILTANET.ORG 15 FOUR PRINCIPLES OF RESPONSIBLE E-DISCOVERY DATA MANAGEMENT As more firms adopt greater mobility options for attorneys, they too need to be evaluated for security. For example, are your attorneys using iPads to review client documents, review deposition transcripts or exhibits? How do you ensure they are not storing data (knowingly or inadvertently) to their personal iCloud? Is the use of their personal iPad for work something your firm is managing through a mobility management tool? If not, they should. This allows for administrators to remotely wipe data from a lost iPad or other mobile device. Develop an understanding of how attorneys are working with client data on mobile platforms. Do you have policies or procedures in place to protect the client data while also enabling your attorneys to work in a mobile environment? Another data protection consideration point is during ESI processing. Some processing tools will identify content in the client documents that must be protected, such as Social Security numbers and credit card information. Consider whether these detection tools should be turned on during processing so documents can be properly redacted for personal identifying information (PII). Many litigation support platforms, just like DMS systems, allow for the ability to limit access to certain documents from specific users or user groups. Consider whether particularly sensitive client data should be further secured in the database by limiting access among users of the database. PRINCIPLE OF PROTECTION: "An information governance program shall be constructed to ensure a reasonable level of protection to information that is personal or that otherwise requires protection." If you're receiving client ESI, you must ensure its security throughout the litigation life cycle. With the growing number of data breaches and reports that law firms are potential targets, the security of client data is paramount. Clients in highly regulated industries such as banking, energy or health care usually have detailed instructions about storing and encrypting their data. Consider adopting your strictest client's policies across all clients. Once you have received, logged and secured the physical media from the client, a working copy should be created using a method that will preserve the metadata (e.g., SafeCopy or RoboCopy). The original media should then be kept in a secured storage area. If it becomes necessary at some point to access the original media, record the date the media were checked out, to whom, and the date the media were returned. It is also important to limit the number of repositories in which client data can reside. Hence, client data received as part of discovery should be stored in the litigation support repository, not on a file server, not on loose media in someone's office, and not in the document management system. A centralized repository that requires a user name and password for access further protects the client data. Provide access to only those who require it, and enforce your firm's ethical walls on any source of litigation support data. Manage departing employees and their access to the client data. Establish a process, and make someone responsible for ensuring that departing employee and contract attorney access is immediately removed from the database upon their departure from the firm or the conclusion of a review. If a database is hosted with a vendor, make sure the vendor removes any logins. Always encrypt client data when transferring files to vendors or other counsel. We might not all agree that transferring encrypted data via a cloud platform is more secure than transferring it through a hard drive, but develop a consistent policy for your firm. Consider using a secure file-transfer platform that will encrypt the data in transit, provide you with a record of the transfer and purge the files after a set period. You might also want to invest in keypad- secure hard drives. Some firms have done away with unsecured thumb drives, which, while not popular, might be something you want to consider. Data leaving the firm, whether being sent to a vendor for processing, opposing counsel for a production or an expert for evaluation, should always be encrypted as a best practice.