[author: Stephen O’Maley]
Users of eDiscovery services continue to demand efficiency, scalability, speed, increased cost savings, and advanced security for highly sensitive data. Cloud technology promised to deliver several of these benefits.
However, the enhanced security of the data depends on how an eDiscovery service provider implements, maintains, and manages sensitive client information.
This issue has become more significant as the majority of the workforce is dispersed and often working from unsecured home environments, which has led to increased use of cloud services. This increased cloud adoption has opened the door to riskier data storage scenarios that may not be fully apparent to users of eDiscovery services. In addition, the companies providing these services may not be aware of all the risks inherent in their activities and processes.
As the industry has moved toward commercialization rather than customization, the workforce of some eDiscovery vendors is largely junior staff who should follow strict protocols and procedures in the office. Even though these activities in the office environment have been proven and verified to meet minimum safety standards, the majority of employees are probably unaware of the safety risks associated with working from home.
This paper examines the inherent risks associated with protecting electronic customer data on cloud-based platforms that have arisen with the proliferation of the home working environment. It also explains why it’s important for users of eDiscovery services to assess the technical skills, practices, and experience of the professionals sharing their data to ensure proper precautions are being taken.
THE CLOUD: A SOLUTION THAT BRINGS ADDITIONAL RISKS
Many eDiscovery providers have recently migrated hosted client data from private data centers to public or private cloud environments. As the amount of data hosted has increased, so has the complexity of scaling the physical resources required to manage private hosting environments to meet customers’ speed, efficiency, redundancy and security requirements. As a result, eDiscovery vendors began re-examining the risks and costs associated with their hosted portfolios, and many of them turned to the cloud as a solution. However, this also created other issues that may not have been fully reconciled to this day and may have been exacerbated by the pandemic.
It’s not uncommon for a company’s most sensitive data to be found on eDiscovery platforms. This data often includes privileged communications, business strategy decisions, trade secrets, potentially embarrassing personal communications, and other confidential communications from employees, officers, and legal counsel. Cloud hosting services operated by eDiscovery providers have a number of security features that are often not explored by the eDiscovery user.
Due to the increasing sophistication of state and non-state cyber hackers, there is a continuing and growing risk of infiltration by hostile actors. This was evident in the SolarWinds attack on the US government in 2020. In this scenario, a trusted technology services company tasked with maintaining the computing environment in several of the world’s most secure data centers offered hackers access to the country’s most sensitive data.
Add to this the inherent risks of work-from-home environments, which have increased due to the COVID-19 pandemic. With the advancement and continued adoption of Internet of Things (IoT) devices and the expansion of high-bandwidth Internet services for consumers, there are multiple avenues for trusted Wi-Fi-connected home services in the form of “smart devices” (smart speakers, thermostats, alarm systems, televisions, etc.) to be compromised in an environment that is not typically monitored for malicious network activity. This is exacerbated when employees of eDiscovery providers lack experience or knowledge of network security risks.
Cloud services promise unparalleled reliability with limited downtime for eDiscovery users’ document reviews. Although there may be regularly scheduled maintenance windows, emergency outages do occasionally occur. Consider Google’s December 2020 outage. Disaster-related outages for users of cloud-hosted eDiscovery services can severely impact a customer’s ability to meet court orders and other production deadlines.
Privacy Concerns
Cloud hosting solutions can, and often do, also allow for local data storage in regional jurisdictions that require redacting and identification of personally identifiable information (PII) before that information is transferred to another country (e.g., the United States). This offers the promise that eDiscovery providers will have on-premises data storage in the region that privacy regulations require.
However, given the variety of regions around the world with privacy regulations, a user of eDiscovery services should not assume that their data is hosted in accordance with local regulations. In general, users of eDiscovery services should check with their providers where the physical servers that store the protected data are located.
Additionally, with the majority of eDiscovery vendor employees working from home due to the pandemic, it can be important to ask how awareness of global privacy regulations is being addressed.
Cybercrime is projected to have cost the global economy nearly $1 trillion by 2020. Additionally, hacking and infiltrations into government and business entities are increasingly viewed as the best way for opposing nations and other bad actors to have the greatest impact on their targets. All of this is compounded by the global pandemic, as remote working environments and increased use of social engineering in generally insecure environments pose additional risks to the security of the data being managed.
HOW TO ENSURE YOUR DATA IS SECURE
How can users of cloud-based eDiscovery services verify that their data is protected?
An important step is to ask whether the cloud-based eDiscovery solution has been certified according to various security standards. While this is no guarantee that your data will not be exposed, it does provide some comfort in that security protocols are regularly tested by an impartial third party. Some certifications relevant here include: SOC2 Type 2, ISO 27001, ISO 27017, ISO 27018, as well as certifications proving the hosting provider adheres to privacy regulations and HIPAA requirements.
It is important to distinguish certifications attributed to the cloud operator from those of the data hosting service provider. For example, AWS, Google and Microsoft Azure have a number of demanding data security certifications associated with their upstream operation of the cloud environment.
However, it is important to note that an eDiscovery platform running in this cloud environment uses its own security protocols to allow reviewers access to documents and therefore does not inherit all of the security controls built into the base-tier cloud environment. Make sure you know what security protocols and certifications your preferred application can itself claim.
Work from home security considerations
Working from home brings additional considerations. Many eDiscovery vendors will point to employee handbooks and company policy documents as the first response, but in this unprecedented time, those policies are unlikely to have anticipated a scenario where the majority of the workforce was working from disparate remote and insecure locations.
Depending on the technical environment of the eDiscovery provider, measures can be taken to approximate the network restrictions of the office. No solution will be 100 percent risk-free, but there are best practices that can be implemented to mitigate greater risks. For example, the provider can take a centralized approach to security by using a VPN (virtual private network) connection to the office environment, restricting access to non-essential networks and preventing employees from using computers not intended for work.
It’s also important to be aware of the different security restrictions appropriate for employees who are focused on different aspects of the eDiscovery process. For example, someone conducting a document review is likely to need less access to confidential client data than the project manager responsible for arranging the review. It is necessary to understand what work-from-home procedures your provider uses and how this affects the security and disclosure of your information.
Regardless of the issues encountered, cloud-based eDiscovery solutions offer users numerous benefits in addressing the unprecedented challenges faced by the post-COVID world. At the same time, it is equally important for users to know and understand what protections their providers have in place for their data. Cloud storage solutions solve problems of aging technical infrastructures, can significantly improve cybersecurity and offer eDiscovery providers the flexibility to operate in a global environment. The added risks posed by working from home due to the pandemic mean that purchasers of these services should closely monitor the whereabouts, security and technical environments of the companies working with their sensitive data.