This article is the second of a four-part series. In Part 1, we explored security standards. In the next installment we will look at IT versus legal perspectives.
When it comes to data security, many attorneys focus on malicious hacking. However, there are many other ways that data can be lost, including through human error. In August 2011, the law firm of Baxter, Baker, Sidle, Conn & Jones lost the medical data of 161 patients that the firm was representing in a malpractice suit, according to a Baltimore Sun article. Media reports indicated that one of the employees of the law firm left an unencrypted hard drive containing the information on a commuter train.
Every group and party involved in litigation has a responsibility to keep data secure, but the ultimate responsibility lies with in-house counsel. While it is critical that in-house counsel are familiar with security standards and build them into contracts and service level agreements, that is only the beginning to ensuring data security.
In-house counsel can’t assume that their law firms and vendors will keep data secure and confidential according to the terms of their agreements. Legal departments need to identify security best practices during litigation to be sure that their data stays confidential and that the chain of custody remains unbroken.
Shoring up weaknesses
Some points of the custody chain are more vulnerable than others, and in-house counsel should spend particular time and effort examining and shoring up those areas. For example, any time data is moved from one location or network to another, security risks increase. This is true whether data is being transported electronically, on hard drives or on laptops. An expert may accidently leave her laptop in a cab, or a reviewer may email a file through an unsecure network.
In order to minimize the chances of a data breach at these highly vulnerable points, in-house counsel must be sure that everyone involved is using the security standards and processes outlined in the contracts and agreements, such as ensuring that all data is encrypted at all times.
Along with encryption and firewalls, all data should be password protected, so only authenticated users can access it. Different security levels should also be built into the system, so that users only see the data for which they have the proper clearance.
The best technology and process will decrease the chances of theft or loss, but security measures are only as good as the people using them. In-house counsel need to be sure that vendors and law firms have the right training and background checks in place so that everyone who touches the data can be trusted to manage it safely.
While third parties and law firms should understand the importance of security best practices, the legal department needs to set the right tone. During meetings and project plan updates, attorneys should periodically stress the importance of data security and following proper protocols. In-house counsel should also consider building an audit function or spot-check review into project plans and agreements, so that they can verify that agreed-upon protocols are being followed.
Identifying and maintaining security best practices is not a one-time event. In-house counsel need to plan for it before litigation, and consider it an ongoing part of e-discovery.