As the much-publicized data breaches of the last year reveal, third parties are often the gateway to an organization’s data. As repositories of vast amounts of confidential client data in e-discovery, such as personally identifiable information and trade secrets, law firms and their service providers are third parties especially vulnerable to cyberattacks.
Ensuring the highest levels of security requires law firms to review practices inside the firm as well as those of its vendors, including providers of managed e-discovery services. Although information security is a priority for managed service providers, not all providers have the expertise, investment, or resources to address potential threats. Thus, before outsourcing discovery services, law firms should consider whether their providers can pass the following eight-question security test:
- What are the provider’s security certifications?
Look for ISO 27001 certification; law firms that handle global matters should also check for U.S.-EU Safe Harbor certification. Additionally, ask whether the provider has industry-specific certifications, such as for HIPAA.
- Does the provider use industry-standard data protection processes?
Mechanisms to look for include two-factor authentication and a rigorous user-permission process.
- What form of encryption does the provider use?
Ask your provider how it protects data at rest and in transit, and check the encryption strength used for cloud-based storage, which should be at least 256-bit AES.
- What are the provider’s processes for conducting chain-of-custody audits?
Make sure the provider has defined processes that require documentation and logging of all provider actions, including processing, loading, exporting, and deleting data.
- What are the provider’s safeguards against intrusion?
Determine whether the provider monitors and addresses suspicious activity at the network, service, and application levels in real-time, 24/365.
- What physical measures does the provider employ to protect data?
Review whether the provider offers 24/365 physical security and monitoring for all data. Also, find out whether the provider requires zoned keycard and biometric scanning for entry and whether it logs all access events. Finally, check its protection against environmental damage and physical disasters.
- What are the provider’s disaster recovery, business continuity, and incident response protocols?
Infrastructure redundancy should include a minimum of two copies of all databases, servers, and storage, as well as fault-tolerant application server clusters. The provider should also have a geographically separate secondary data center with real-time backup capability. Finally, the provider should have, and follow, a procedure for regularly testing and auditing these processes.
- What processes does the provider use to screen and train employees?
Information security employees should have significant expertise in the field. In addition, organizations should require all employees to undergo background checks and sign nondisclosure agreements. The organization should also conduct regular training on documented security policies and procedures.
For law firms, a cybersecurity breach is not a matter of if, but when. Therefore, to demonstrate compliance with their data-security obligations, law firms must ensure that their managed services providers adhere to a comprehensive security and incident response program. Choosing the right managed services partner can offer law firms world-class security, threat detection, and incident response capabilities for their most precious asset: client data.
To learn more about best practices for protecting information, review our recent white paper, “In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk.”