Christine Yi, Legaltech News
10 best practices for data security and what you need to know about where your information is stored.
Nothing is more critical than the security of your electronically stored information (ESI) during the sensitive, expensive discovery process.
You can have impeccable records, defensible collection practices and the best intentions when gathering your data for legal and compliance matters, but all it takes is a building fire, an electrical surge, a security breach or other unexpected disruption to your server to put your firm at risk of data loss, corruption or inadvertent exposure. In addition to potentially suffering court sanctions for failing to safeguard discoverable ESI and losing information relevant to your casework, your firm's reputation can be tarnished.
When you outsource legal services—including processes, hardware, software, hosting, personnel—you are also outsourcing security. These services will come in touch with one of your most valuable and sensitive assets, your data, from employees' personally identifiable information to trade secrets and privileged communication.
Given the increasing variety, severity and number of cyberthreats, combined with the proliferation of international regulations about how and where data may be stored and accessed, a much more critical eye is needed when evaluating legal services providers' data security practices. The vulnerabilities around the high value of information released to legal services providers require selecting a firm that can help insulate data from risk.
Even if you, your counsel or a third-party vendor are the ultimate responsible party for data, the way legal services providers protect information is critical to helping you manage threats to your data. Without doubt, balancing data security and access while remaining on top of litigation, regulatory and compliance matters involves an ever-increasingly complex system. That said, knowing the main threats that drive such complexity and which practices can safeguard data gives you the information to identify the right company to entrust with your data.
10 Best Practices for Information Security
Three areas will impact the safety of your data:
• Technology: The technology protecting your data must be up-to-date to protect against all known threats.
• Processes: Look for processes that ensure access to data is controlled, monitored and reportable.
• People: Staff must learn and understand the importance of following information-related security and retention policies.
The following checklist incorporates analysis of each of these areas and can serve as a measuring stick to evaluate prospective legal and compliance services vendors' information-security programs.
1. ISO 27001 and industry certifications.
The industry benchmark for evaluating an organization's security posture is the ISO 27001 standard. To become certified, data centers must show that they are following best practices and pass an in-depth audit that evidences adequate controls for managing data. Some industries and countries or regions have additional requirements.
For example, health care organizations must ensure their data centers comply with the latest Health Insurance Portability and Accountability Act (HIPAA) audit protocol. Similarly, providers working with financial services firms must meet the rigors of the Payment Card Industry Data Security Standard (PCI DSS). No matter the certification, it is necessary to confirm continued compliance via audits, ethical hacks, vulnerability testing and network penetration tests.
Overseas, organizations such as the Hong Kong Monetary Authority (HKMA) now require businesses to validate that third-party providers have adequate security controls and breach remedies in place. This includes recognized certifications such as ISO 27001 compliance.
Look for these types of certifications throughout your different industry needs and in data centers located abroad.
2. Infrastructure compliance.
Uptime Institute, a think-tank, created a four-tier rating system for evaluating data center resiliency and reliability. The higher the tier rating, the more reliable the availability of data.
A notable threshold is Tier 3-plus certification. Tier 3 facilities are 99.98 percent available, meaning they experience roughly one-and-a-half hours of downtime over the course of a year. Tier 3 also means their power, cooling components and distribution systems have redundancy and concurrent maintainability.
Legal and compliance services providers with localized legal discovery and compliance services are becoming the norm to help organizations comply with increasingly stringent, international data security requirements. A Tier 3-plus certification can be to your advantage when data is stored abroad, especially in Europe and the Asia-Pacific.
3. User access to applications and information systems.
Whether on servers or the cloud, data centers should follow strict documented access control policies based on business needs and client requirements. Additionally, data centers should require two-factor authentication, and store passwords using industry-standard mechanisms. "Authorized Personnel Only" signs on doors indicating that only authorized personnel have access are usually areas where sensitive and confidential data are hosted.
4. Data encryption.
Data centers must protect data both at rest and during transmission. They should use 256-bit AES SSL encryption to safeguard data as it is sent over the network. Similarly, they should encrypt all stored documents, rendering them unreadable without the proper credentials. The need for secure encryption is particularly high when data is involved in cross-border litigation and investigation.
5. Chain of custody and audits.
Data centers must be able to trace the chain of custody for all data and user actions, including logins, document views, coding edits, updates and printouts. A readily auditable historical record should be available for each file processed, loaded into, exported from or deleted from the legal review platform.
6. Data center intrusion detection and monitoring.
Data centers must continuously monitor their network, service and application activity. Hallmarks of a reputable data center are proactive and reactive alert systems triggered by any suspicious activity or system issues. For example, the system should warn designated staff about signs of failure, such as high server temperatures or malicious intrusions.
7. Physical data center security.
Data centers need extensive physical security mechanisms. A baseline to expect is 24/7/365 staffing and monitoring. Zoned keycard access should be designated by security level, and biometric scanning should restrict high-sensitivity areas. All entrances and exits should be recorded and logged. Finally, data centers must protect against damage from fires, floods, excessive heat and cold, humidity, power losses and equipment failures.
8. Redundancy.
At a minimum, data centers should have two database tiers, two storage tiers and fault-tolerant application server clusters. They should also have multiple internet service provider connections to provide failover capabilities.
9. Disaster recovery and business continuity.
Data centers must have documented processes that enable them—and the data they hold—to withstand any disaster. A frequently updated and tested incident response plan should address common scenarios, and disaster recovery protocols should validate that redundancy features remain available. Finally, if a disaster strikes, data should be replicated in real time to a secondary, geographically isolated facility.
10. Employee screening, training and experience.
The strength of a data center's security begins with its people. Hired personnel should be industry veterans with relevant certifications. Reputable data centers use rigorous applicant-screening processes, including background checks and drug testing, where allowed under relevant law. Once hired, all employees should sign nondisclosure agreements and undergo information-security training.
As organizations collect data to send to a services provider, they have one more opportunity to mitigate risk. Instead of sending providers every byte it collects, it can pare its data collection by using analytics technology to detect and cull risk-laden data and nonresponsive information. Less data can not only result in lowering spend, but also enhance your organization's control of what is outsourced, thereby mitigating risk.
No comments:
Post a Comment