Chips Ahoy: #Meltdown and #Spectre Implications for Legal Professionals Part II
Last post, we reviewed the implications of the Meltdown and Spectre for legal and eDiscovery teams. Our teams work with the most highly confidential and valuable client information, oftentimes in cloud or other multi-tenant solutions vulnerable to Meltdown and Spectre.
Hardware and operating system changes can wreak havoc on the best of applications, and with our legal applications, can have implications for authenticity (hash code changes), throughput (review speed) and what gets indexed or left behind. Our legal applications have timeouts, some embedded and some configurable, that inform the application when to quit attempting to extract text, to build an image (TIFF/PDF) to print, to sort, or to copy a file. With patched systems running slower, it is important to be alert changes in system behavior, both obvious and subtle.
To keep privileged information confidential, and to keep review teams on an even keel, eDiscovery and legal team leaders can put a structure in place to catch and remediate items that are obvious now, or will emerge in the future.
A roadmap for legal and ediscovery teams beginning the long march to remediation is below.
1. Designate an executive sponsor, a person with partner or C Level respect and reach.
2. Hire crisis management firm or appoint an internal communications lead
3. Designate a project manager
4. Look at staffing levels and vacations to make sure of coverage.
5. The project manager or designate should attend all meetings of your organization’s change control process.
6. Staff up in the areas of Quality Assurance, Quality Control and analytics. Design test beds to quickly assess changes in hash values for known files and changes in file metadata.
7. Establish a regular ediscovery team meeting for information sharing, prioritization and decision-making.
8. Consider (and reconsider) the ediscovery backup and recovery program in light of current conditions
9. Get assessed and get the assessment
a. How many different companies
b. How many different IT organizations
c. How many different mission critical systems
i. Hardware inventory (insurance, asset tags)
ii. Operating system inventory by hardware asset
iii. Network(s)
iv. Security related (VPN, firewalls)
v. Desktops/laptops
vi. Tablets and phones (including BYOD)
vii. Databases (Oracle, SQL, Open Source)
viii. Emails
ix. CRM(s)
x. ERP(s)
xi. Other groupware (slack, Yammer)
xii. Financials(s)
xiii. HR System
xiv. IP/Source code system
xv. Internally developed Libraries
xvi. Deployment code
xvii. Test code
xviii. Social media
xix. Work from home computers
10. If no time for a new assessment, pull out the last business continuity and disaster response plans for a tabletop walkthrough
11. Ediscovery teams should have a list of all active cases, to include a contact person from each law firm, and a contact person from each service provider.
a. Establish a first among equals to make the final decisions, a person who can listen to multiple functional stakeholders, synthesize, prioritize
b. This work may be duplicative of, or can initiate a data remediation plan to return or destroy data for closed cases.
12. Consider retention bonuses for key team members. The remediation of this vulnerability, let alone incidents bound to come, put security, privacy, project managers and front line personnel, along with QA, QC, DevOps, network on the back end in demand for the next year.
13. Review contracts for service levels, as remediation may cause more downtime, and slowing of systems (consider impacts and communication plans for changes in loading data, producing data, and the impact to review speed/document—some estimated current patches add 30% overhead) Adjust project plans and communication with counsel accordingly.
14. Only the Meltdown vulnerability is on its way to being patched, Spectre is yet to be solved, so there are still other shoes to drop.