Stephen O'Malley

The Ongoing Dissipation of Data:

How to Protect Your Electronic Assets within Cloud Hosted eDiscovery Platforms in the Post COVID Work from Home Environment


Buyers of eDiscovery services continue to demand efficiency, scalability, speed, increased cost savings, and advanced security for their highly sensitive data. Cloud technology offers the promise of speed, scalability, and cost savings. How these offerings are implemented, maintained, and managed determines how secure the data they store really is. The demands of a world where the majority of the workforce is dispersed and working from unsecured home environments have driven increased usage of cloud services and open the door to risky data storage scenarios that might not be fully apparent to buyers of eDiscovery services. Additionally, the people providing these services may not be knowledgeable about all of the risks inherent to their activities and processes. Because the industry has moved toward commoditization over customization, the workforce consists largely of junior staff who often follow strict protocols and procedures while in the office environment. While these activities may have been proven and vetted in the workplace to meet minimum security standards, the majority of the workforce is not likely to be mindful of the security risks inherent to working outside of the workplace. It’s important for buyers of eDiscovery services to vet the technical capabilities, practices, and experience of the people who will be handling their data to ensure proper precautions are in place.


Many eDiscovery providers have recently migrated hosted client data from private data centers to cloud or private cloud environments. As hosted data volumes increased, so did the complexities involved in scaling the physical resources required to maintain private hosting environments in a way that met the speed, efficiency, redundancy, and security requirements of customers. This drove eDiscovery providers to reexamine the risks and costs associated with their hosted portfolios, and many of them turned to the cloud as a solution. But this also introduced other issues that may not have been fully reconciled to date and may be exacerbated by the pandemic, including:


Security – eDiscovery involves an organization’s most sensitive data. It often includes privileged communications, business strategy decisions, trade secret information, potentially embarrassing personal communications, and other confidential communications from its employees, leadership, and legal counsel. Cloud hosting services that are run by eDiscovery providers have a range of security capabilities that are often left unvetted by the eDiscovery buyer. Due to the increasing sophistication of state and non-state hacking entities, there is continued and mounting risk of infiltration by hostile actors. This was painfully demonstrated during the 2020 SolarWinds attack on the US Government, where a trusted technology service tasked with maintaining the computing environment within several of the world’s most secure data centers provided the doorway for hackers to access the country’s most sensitive data. Adding to the security risks associated with cloud solutions are the inherent risks of at-home working environments perpetuated by the pandemic. With the advancement and continued adoption of IoT (Internet of Things) devices and the expansion of high-bandwidth internet services for residential consumers, there exist multiple pathways for trusted home-based Wi-Fi connected services in the form of “smart devices” (smart speakers, thermostats, doorbells, TVs, etc.) to become compromised in an environment that isn’t regularly monitored for malicious network activity. This is compounded when employees of eDiscovery providers lack experience or knowledge around network security risks.


Reliability – Cloud services offer the promise of unparalleled reliability with limited downtime to impede the document review operations of eDiscovery buyers. Although there may be regularly scheduled maintenance windows, emergency outages – though few and far between – do happen. Disaster-related outages to buyers of eDiscovery services hosted in the cloud, such as Google’s outage in December of 2020, can have profound impacts on a client’s ability to meet court-mandated production timelines.


Data protection and privacy concerns – Cloud hosting solutions can and often do provide data storage local to regional jurisdictions that require PII redaction and identification before transferring that information to another country (such as the United States). This offers the promise of eDiscovery providers having locally available data storage in the region imposing the privacy regulations. However, given the multitude of regions throughout the globe with data privacy regulations, a buyer of eDiscovery services should not assume that their data is hosted in accordance with local regulations. In general, buyers of eDiscovery services should confirm with their providers where the physical servers that will be housing the protected data are located. Additionally, with the majority of the service employees working from home due to the pandemic, it may be important to ask how a mindful approach to global data privacy regulations is being addressed.


Global context – Cybercrime is projected to have cost the global economy nearly $1 trillion in 2020. Additionally, hacking and infiltration of government and business entities are increasingly viewed as the best way for adverse nations and other bad actors to create the greatest impact on their targets. This is all exacerbated by the global pandemic, when at-home working environments and increased use of social engineering in generally insecure environments present added risks to the security of data under management.


As a buyer of these services, what are some of the ways you can verify that your data is being protected?


Cloud security – Ask if the cloud-based eDiscovery solution has been certified to various security standards. While this isn’t a guarantee that your data is not exposed, it does present some level of comfort that the security protocols of the cloud storage are tested on a regular basis by an impartial third party. Some certifications that are relevant here include: SOC2 Type 2, ISO 27001, ISO 27017, ISO 27018, as well as certifications that indicate the hosting provider is mindful of data privacy regulations and HIPAA requirements. It’s important to distinguish certifications that are attributed to the cloud operator vs. the data hosting service provider. For example, AWS, Google, and Microsoft Azure have a number of sophisticated data security certifications associated with their upstream operation of the cloud environment. However, an eDiscovery platform running within that cloud environment employs its own security protocols to allow reviewers to access documents and as a result does not inherit all of the security controls that exist on the base-layer cloud offering. Make sure you know what security protocols and certifications your application of choice can directly lay claim to.


Work from home security considerations – This one is a bit trickier. Many eDiscovery providers will point to employee handbooks and corporate policy documents as an initial answer, but in this unprecedented time, it is unlikely that those policy documents contemplated a situation where the majority of the workforce was working from disparate outside and nonsecure locations. Depending on the technical environment available at the eDiscovery provider, technical measures can be taken to approximate (as much as possible) the network restrictions in place in the office. No solution will be perfect, but there are some ways to accomplish approximate results. For example, a centralized security approach through the use of a technologically forced VPN (virtual private network) connection to the office environment and access restrictions to prevent employees from using non-work issued computers and networks can be implemented. It’s also important to be mindful of the different levels of security restrictions appropriate for employees focused on different aspects of the eDiscovery process. For example, someone performing document review likely requires less access to sensitive client data than the project manager tasked with organizing the review. In the end, while there is no perfect solution, it’s important to know what at-home protocols your provider is taking and how that impacts the safety and exposure of your data.


Cloud-based eDiscovery solutions provide buyers numerous advantages in tackling the unprecedented challenges facing them in the post-COVID world. However, it’s equally important to know and understand what protections those providers are enacting on your data. Cloud storage solutions address issues faced by aging technical infrastructure, can greatly bolster cybersecurity, and can provide eDiscovery providers the flexibility to operate in a global setting. The added challenges posed by work-from-home environments due to the pandemic mean that buyers of these services should ask more questions about the whereabouts, protections, and technical environments employed by the people working with their sensitive data.

