Deciphering The Cyber Security Risks Of The eDiscovery Process

Until recently, legal disclosure was heavily manual and paper-based. So burdensome has disclosure become for law firms, in 2018 the Civil Procedure Rule Committee granted permission for a two-year Disclosure Pilot scheme, commencing in January 2019, with a view to reducing such administrative demands. The pilot aims to promote the reliable, efficient and cost-effective conduct of disclosure through a flexible and stream-lined approach.

Disclosure has become a considerable resource drain for law firms in large part due to the proliferation of information pertinent to cases held in electronic form. Information required within litigation may be held on any form of electronic devices, including cameras, smartphones and even drones. Electronic discovery (eDiscovery) not only involves the analysis of emails, voicemails, electronic files, videos, audio and social media, it requires the review of metadata (data relating to data, such as timestamps, file properties and sender / recipient details).

While it remains to be seen whether the new pilot scheme will be considered a success in bringing about much needed efficiency gains for law firms involved in litigation cases, there are a separate but related set of concerns when conducting work of this nature – the cyber security risks.

eDiscovery exposing law firms to new risks

As the law industry embraces the need to undertake comprehensive eDiscovery and disclosure, the very process of doing so exposes firms to cyber security risks. From the outset of the process, there are points of transfer when electronically stored information (ESI) must be brought into the firm’s network from the outside for processing, and similarly when information or data is sent to litigation opponents. And depending on the complexity of the process and the individual case, it is conceivable that several inward and outward ESI transactions may occur. This poses a serious risk for a number of reasons:

  • Firms may be exposed to ESI infected with viruses or malware during any inbound transfer
  • ESI may be sent by multiple unsecure channels which can be intercepted
  • Data is considered most at risk when it is ‘on the move,’ and during eDiscovery, ESI is regularly moved internally and externally
  • The information assets being sent to and from law firms are likely to be sensitive (and hence valuable) in nature – for example, IP, board member emails, customer and client information, corporate secrets and financial arrangements may be included.

But why would a hacker wish to steal eDiscovery related information or data? There are several possible answers to this, including:

Scenario 1) An organised attack could be mounted to find sensitive information which could then be used in a high value ransom request.

Scenario 2) A foreign or domestic entity wishes to gain a competitive advantage. This may involve stealing information regarding intellectual property or attempting to incite a large cyber breach designed to inflict reputational damage to a competitor.

Scenario 3) A cyber criminal locating a repository of eDiscovery information and then seeking to sell it, perhaps to a competitor or on the dark-net.

For any of these scenarios, not only would the firm risk breaching GDPR law, they may risk losing their client, their reputation and a considerable sum of money in fines and compensation.

Any law practitioner who doubts the risks they are running by not taking eDisovery related cyber security seriously should heed the advice of Johannes Scholtes, CSO at ZyLAB, who specialise in eDiscovery solutions for law firms; he states that international hackers “no longer go directly after your company infrastructure to steal information, they go after your legal service provider or law firm as that is much easier, and all data is already nicely organised and reviewed.”

Preventing cyber crime associated with eDiscovery

All law firms should consider implementing an eDiscovery policy, which lays out the processes and procedures to be followed to eliminate any possibility of cyber crime. One of the tenets of best practice is to reduce the number of ESI transfer touch-points. Not only should data being sent to the law firm be done so through encrypted channels, once received it should be coalesced into a central repository designed for the specific purpose of keeping ESI internally and externally secure.

Doug Stewart, vice president of technology and innovation at global software and services company Daegis, which specialise in information archiving, information governance, application development and migration, states other best practice recommendations include:

  • Create a culture of security within the organisation – this includes the implementation and enforcement of policies and training.
  • Ensure any external service providers involved in the eDiscovery process comply with the necessary standards, such as the ISO 27001 security certification. In addition, Johannes Scholtes at ZyLAB states this should be with a minimum of SOC-2 compliance.
  • Do not allow ESI to be duplicated – this also risks compromising the integrity of meta data which is essential to legal defensibility

In summary

All signs now suggest cyber security investment in the area of eDiscovery is mandatory given the rising use of ESI in litigation disclosure and the proliferation of cyber crime. It is likely many law firms have already been victim of such cyber breaches, but clearly would not wish to have this publicly disclosed. Effective cyber security is predicated on identifying and mitigating all gaps in an organisation’s defences, and eDiscovery adds to the challenges of doing so.

The advice is clear; assume the threat is real and that your competitors are already investing in this vital area of security. Ensure eDiscovery is placed at the centre of your firm’s cyber security design. While there will be some cost, this pails in insignificance when compared to the fines, lost revenue and reputational damages following a breach of eDiscovery information. And if your organisation does not possess the necessary skills to do so, consider engaging external eDiscovery cyber security specialists who can rapidly assess your vulnerabilities and recommend options to overcome them.

If you haven’t already, sign up to our free weekly newsletter for all the relevant cyber security news pertinent to the legal sector –