In football, a turnover occurs when one team inadvertently gives possession to the opposing team. There is the fumble, when a player already in possession of the ball loses control and it is recovered by the other side. Then there is the interception, when a ball thrown by the offense is caught instead by a player on the opposing team’s defense. There is nothing more sacred than securing the ball because statistics show that the team that turns the ball over less is significantly more likely to win that game.
Just as protecting the ball is critical to winning games, in information governance and eDiscovery, protecting the data with robust security controls can limit losses due to costly data breaches.
With the emergence of cloud computing, today more than ever organizations are managing and storing data outside the corporate firewall and, by extension, forfeiting some level of control over security protocols and protection. Moreover, legal and IT are beginning to recognize that similar risks exist in the e-discovery process, as sensitive information frequently moves and is stored outside the firewall during multiple phases of the electronic discovery reference model (EDRM).
Just as in football, the most dangerous moment in the information security game occurs during the exchange of data from one entity to another. By implementing security controls to govern the transmission or transfer of data, an organization can significantly lower its risk and minimize the costly exposure of a data breach.
During the e-discovery process, it is not unusual for data to pass between multiple organizations or users. Many organizations do not have a single end-to-end e-discovery solution in place and therefore rely on various vendors to handle specific activities during different stages of e-discovery. For example, Vendor A may be used to perform data processing in one platform while Vendor B is asked to load and host the data in another platform. Corporate data now resides in new, separate locations. The challenge of tracking the data is further exacerbated when a vendor fails to disclose that it uses a sub-contractor. Each data transfer creates additional risk, as information security policies and procedures will vary significantly for each organization touching the data.
It is not just third-party handoffs that mean risky business. Intra-company data transfers carry their own risk too. Within organizations that conduct e-discovery activities, there may be a number of different individuals and resources required to perform different tasks. Without adequate controls in place, data may be accessed by those without the appropriate security clearance and authorization.
Every enterprise must take proactive steps to implement internal security protocols for data transmission within the enterprise. It should start with an internal assessment to determine risks and to identify steps to remediate any limitations or deficiencies discovered. Additionally, IT, legal and other departments responsible for information governance and risk should establish specific criteria that vendors must satisfy before they are entrusted with handling data outside of the corporate firewall.
Safe handling tips
- Recognize that information security is a management-focused, not technology-based, process. For e-discovery, it’s ideally a by-product of collaboration between a cross-functional team of stakeholders (e.g., IT, legal, project management, data processors, operations) knowledgeable about the issues associated with data security within and outside the sphere of IT. All of these stakeholders should be involved in the conversation and in the development of the process.
- Data should be encrypted as it is exchanged externally with law firms, partners, vendors or storage providers, as well as internally between departments within an organization. As a component of their long-term data security due-diligence process, organizations must also thoroughly audit the encryption policies and procedures of their provider organizations.
- Stakeholders must know what information is being produced, and who has access to it. Most companies do not adequately track where and when copies of potentially sensitive data are created, making it difficult to monitor who has access to the information. By implementing a policy designed to control and monitor the number of copies made, as well as procedures to control how that data is accessed and disseminated, organizations can curtail the uncontrolled copying and distribution of corporate data.
Awareness of the risks associated with data as it traverses within and outside the organization is just the beginning. Taking the necessary precaution to limit exposure during these crucial points, especially during the e-discovery process, is an investment that can ensure a winning strategy and should reduce the turnover margin significantly.
Andy Teichholz is the senior e-discovery consultant for Daegis, a leading provider of e-discovery software and professional services. Andy assists corporations and law firms on all phases of the e-discovery process including data identification, scoping strategies, preservation, collections, processing, review, analysis, and production.