Are You Moving Data Too Much? How to Protect Critical Client Data
As law firms incorporate more technology into their workflows, the frequency with which data must be moved from one location or application to another also increases. Data movements are inherently risky—particularly when the data is from a client.
September 26, 2019 at 07:00 AM
8 minute read
Movement of data is difficult to avoid in today's legal world. In the discovery stage of litigation, for example, a common scenario goes something like this: A client collects data via their in-house IT team or through a third party forensic collections vendor. The collected data is delivered to a law firm. The law firm outsources the data processing to a third-party vendor or processes the data in-house utilizing data processing software. The processed data is then moved into a review platform, either in-house or with a third-party vendor via their public or private cloud. Then, after the data has been initially culled, analyzed and organized, it is temporarily moved out of the review platform into yet another software program to leverage advanced analytics, data visualization, communications graphing, artificial intelligence and tools like technology assisted review. Upon completion of the analysis, the remaining data is then moved back into the review platform for final review and eventual production. Once discovery has narrowed the original data set to the most relevant documents, those materials must be shared among lawyers and parties to litigation, and that may involve the downloading of files from file shares or the transfer of files via email, incurring additional risk.
With every movement (to or from a hard drive or thumb drive, or over a network between any number of machines or devices), the data can get lost or stolen, end up in the wrong hands (inside or outside the organization), get hacked by parties with malicious intent, or otherwise become compromised or corrupted. As law firms incorporate more technology into their workflows to increase productivity and efficiency, and the number of applications and service providers embedded in their processes increases, the frequency with which data must be moved from one location or application to another also increases. Data movements are inherently risky—particularly when the data is from a client.
Because data security is typically considered an IT matter in law firms and is an area in which firm personnel are unlikely to have real expertise, many firms lack the advanced security tools and rigorous protocols that data in transit requires to properly mitigate risk. What should they be thinking about, and what questions should they be asking?
|Encryption for Physical Data Movement
While the details of data encryption may seem obscure to some lawyers, encryption is an essential tool in protecting the confidentiality of client data. Firms should be familiar with the Federal Information Processing Standard (FIPS) used to approve cryptographic modules, and specifically they should meet and maintain all standards required for FIPS 140-2 certification. When firms are transporting or receiving data via physical means, they should ensure the data is stored on FIPS 140-2 encrypted drives.
Among other advantages, FIPS mandates better logging, which provides better visibility into access logs. Also, drive passwords should never be included in an email or letter; always communicate passwords through a phone call, and ensure that the drives you are using support auto erasure of data when someone enters incorrect passwords multiple times.
|FTP Protocols and VPNs for Virtual Data Movement
When data you control is moved virtually—i.e., between applications or between data centers or other network locations—you should be using secure file transfer protocols or SFTP.
The SFTP server should be configured to communicate only with designated IP addresses, and data should be sent using secured virtual private network (VPN) tunnels—essentially private servers for routing data that ensure proper data encapsulation and encryption.
The FIPS standard is also important in this context. Any servers you are using for data movement across networks should run in FIPS mode, because FIPS mandates robust cryptographic controls that ensure that your data cannot be snooped in transit.
|Access Control
Many law firms have multiple divisions and locations from which a diverse range of employees access a variety of applications within a complex IT infrastructure. Who is authorized to use specific applications, and who is authorized to see and "touch" and move specific sets of data while using those applications? Controlling access to data across large organizations is fraught with complexity, but it's a vital piece of the data security puzzle. There should be tiered logging permissions, user logs and user activity tracking. (The FIPS 140-2 standard also addresses some of these issues.)
The goal of access control is to prevent unnecessary or duplicative access to sensitive data. In general, access should be controlled using a strict, rules-based system. Access privileges should be granted only on an as-needed/on-demand basis to the specific users who have a legitimate need to work with the data, and should be read-only whenever possible. Access rights can be configured according to team, job role or even on an individual basis. Another important principle in access control is to keep the number of end points with internet access to an absolute minimum.
Firms require exceptional process rigor and high levels of IT expertise to get access control right. If you can't reliably meet these requirements, look for a vendor that follows the best practices presented in this article to manage access control.
|Data Security in the Cloud and in Dev Ops
Organizations that store, access and manipulate data in a cloud computing environment require, first of all, a good front-end web application firewall or WAF with multi-factor authentication. Also essential: a strict access rules matrix including audit logging, a proper security information and event management (SIEM) solution, and a rigorous vulnerability assessment and penetration testing (VAPT) program that identifies and classifies system vulnerabilities and conducts "ethical hacking" tests to verify specific vulnerabilities actually exist.
Firms engaged in developing their own software and applications must secure their development operations. Ideally, your security and development teams will work closely together to verify static code testing and VAPT testing before any code goes into production. Reputable vendors with development operations will generally conduct such testing routinely, but firms should always ask and make sure the companies they work with to develop custom applications are mature and rigorous in their security protocols.
|Vendor Vetting
Does your firm have a formal vendor assessment process? The data-in-transit protocols for firms outlined above should also be applied to each vendor you use. Firms should have clearly defined processes in place that require the vendor to verify security certifications and the specific processes and tools they deploy in handling data. Do they have their own data centers, or do they rely on the data centers of other vendors? What are the specific security and control measures for the data centers of these "fourth parties"? How do your vendor and the vendors they use manage data handling processes like shipping physical media?
Wherever practical, your goal should be to minimize the number of third and fourth parties that touch your data. When data does move from your firm to a vendor, make sure you are auditing all access. Audit logs should be checked every day. You should also have automated processes in place that identify and monitor inactive accounts and automatically "expire" or eliminate those accounts after a designated period of inactivity.
|Consolidation of Technology
We've already highlighted the inherent risk that results when firms deploy increasing numbers of applications onsite and use vendors that somehow must connect to each other and allow frequent transfers of data back and forth. In response, some firms are moving toward the consolidation of all—or many—processes and applications within a single platform where all data resides in a single cloud. In addition to the mitigation of data security concerns, this approach has several additional advantages. It can minimize the very real problem of fragmented workflows, reduce the burden on employees to learn to use multiple tools, and enable the application of advanced technologies like data analytics and artificial intelligence to a more comprehensive range of litigation- and operations-related activities within the firm.
Firms who are not yet prepared to consolidate on a single platform need to remain vigilant with vendors and their own operations whenever data is transferred. Is there a formal cybersecurity program in place? Does the program adequately address each of the key areas of concern outlined in this article? Is it being followed internally and by third and fourth parties? The only way to know is to ask.
Sundhar Rajan is Chief Information Security Officer for Casepoint. He oversees and is responsible for information security, maintaining security compliances, global infrastructure, all cloud initiatives, and proactive compliance security monitoring. Prior to joining Casepoint, Sundhar spent more than 9 years at the Am Law 100 firm, Crowell and Moring LLP, where he was the Manager of Network Operations. Sundhar brings over 18 years of experience working in information security, leading network security teams, and building highly scalable application infrastructure.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Former McCarter & English Associate Fired Over 'Gangsta Rap' LinkedIn Post Sues Over Discrimination, Retaliation
- 2First-of-Its-Kind Parkinson’s Patch at Center of Fight Over FDA Approval of Generic Version
- 3The end of the 'Rust' criminal case against Alec Baldwin may unlock a civil lawsuit
- 4Solana Labs Co-Founder Allegedly Pocketed Ex-Wife’s ‘Millions of Dollars’ of Crypto Gains
- 5What We Heard From Litigation Leaders This Year
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250