Beyond two-factor authentication and encryption of client data, these are the top 10 security vulnerabilities for eDiscovery practitioners to assess and, if appropriate, mitigate:
- Team communication. Masking client, case and custodian names goes a long way toward safeguarding conversations held in public or emails that go astray. Pseudonymizing names works well: assign “Custodian 123” to “Custodian Jones, Jim”, and call the 2nd request case “Project Green” rather than “BigCo Merger.” Regularly scheduled live meetings reduce the need to put team disagreements or perceived crises in writing; emails can persist in multiple systems and backups. Case management systems can isolate and centralize communication.
- Collection or preservation in place. Most eDiscovery systems require an elevated level of access to collect data in an enterprise. It is now more common for security teams to set up a procedure for temporary access. Requiring approval from more than one department or person, and granting only the access needed for the task, is what is meant by separation of function and least privilege. “God” accounts that allow unrestricted collection access to sensitive areas used to be a standard emergency operating protocol. Such circuit-breaker emergency access to data is now very rare.
- Passwords. Some teams send encrypted data with the password in the transmittal document or on a Post-it note attached to the hard drive. Worse, they send unencrypted data. Do not send unencrypted data. Communicate passwords through a separate channel from the data, preferably not in clear text.
- Erasing or writing over logs. Access logs can take up quite a bit of space, but they are essential for breach detection and remediation. They can be moved automatically to less expensive storage so they remain available if needed.
- Extra, unencrypted copies of work in progress created by ingestion, processing, early case assessment, staging to review, batches, production sets and privilege logs. While it might be important to keep those files to be able to roll back if necessary, there should be a step later in the process where work in progress is securely erased.
- Indices. Even when the ESI documents themselves are encrypted, the search indices built from them may be in plain text. Pay attention to index security. A common technique is to restrict access to a specific “service account” for a specific subdirectory. (Thank you to Craig Ball for noticing this vulnerability.)
- Mistakes in shipping productions. Run quality control checks at the end of the process to verify that the organization, address and production set (e.g. privileged included for your own law firm, privileged excluded for the opponent) are the right set going to the right organization. Sending the production “Signature required” helps in tracking productions. For online transfers, capturing the logs or obtaining confirmation that the production set was received helps data accountability.
- Reviewer caches, especially for reviewers who work at home or on laptops with sensitive documents. IT can require options to be set on remote machines to minimize and empty caches.
- No real disaster recovery. DLA Piper was down for days due to a ransomware attack. It is essential to test business continuity and disaster recovery plans by at least walking through a tabletop exercise. Nearline backups have replaced offline and offsite backups for faster backup and recovery. To avoid malware and ransomware infecting the backups, reconsider offline and offsite backups.
- Finally, social engineering, in person, via phone or by spear-phishing. Someone practicing social engineering will pretend to be a member of the team to get through a security door, to elicit information useful for breaking in, or to induce a click that downloads malware. All staff should be trained to recognize social engineering, including partners, associates, paralegals, IT, reception and facilities services. Here is an example phishing email about spoliation that fooled Jared Kushner’s attorney, Abbe Lowell of Norton Rose. This email has everything: a sender address that closely resembles the real one, familiar language, and a context that would likely get a click: https://twitter.com/sinon_reborn/status/912686341594460161?lang=en
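As an added example for the production-shipping item above (not code from the original post), here is a pre-shipment QC check in Python: it verifies that the transmittal label matches the intended organization, address and production set, that no privileged document is staged for an opponent, and computes a manifest hash the receiver can acknowledge. Organization names, Bates numbers and file hashes are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    bates: str        # Bates/production number (constructed)
    privileged: bool  # flagged privileged during review
    sha256: str       # hash of the produced file (constructed)


@dataclass(frozen=True)
class Recipient:
    organization: str
    address: str
    privileged_allowed: bool  # True for your own firm, False for the opponent


def manifest_hash(docs):
    """Order-independent hash of (bates, file hash) pairs; ship it with the set
    so the receiver can confirm exactly what arrived."""
    h = hashlib.sha256()
    for d in sorted(docs, key=lambda d: d.bates):
        h.update(f"{d.bates}:{d.sha256}\n".encode())
    return h.hexdigest()


def qc_production(staged_set_id, docs, intended, label):
    """label: transmittal label dict with keys organization, address, set_id.
    Returns a list of problems; an empty list means clear to ship."""
    problems = []
    if label["set_id"] != staged_set_id:
        problems.append(f"label names set {label['set_id']} but staged set is {staged_set_id}")
    if label["organization"] != intended.organization:
        problems.append(f"label organization {label['organization']!r} != intended {intended.organization!r}")
    if label["address"] != intended.address:
        problems.append("shipping address does not match intended recipient")
    if not intended.privileged_allowed:
        leaked = sorted(d.bates for d in docs if d.privileged)
        if leaked:  # privileged material must never reach the opponent
            problems.append(f"privileged documents staged for {intended.organization}: {leaked}")
    return problems


# Constructed sample production set and recipients (hypothetical).
SAMPLE_DOCS = [
    Doc("ABC000001", False, "a1" * 32),
    Doc("ABC000002", True, "b2" * 32),   # privileged
    Doc("ABC000003", False, "c3" * 32),
]
OPPONENT = Recipient("Opposing Counsel LLP", "1 Court St", privileged_allowed=False)
OWN_FIRM = Recipient("Our Firm LLP", "9 Main St", privileged_allowed=True)
```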