The federal government, like many private companies, is focusing on cybersecurity and data privacy to a greater extent than ever before. It is establishing new standards for its own systems as well as imposing strict requirements on anyone who holds its information, including third parties like vendors and contractors. Problems arise, however, when those third parties are involved in litigation and the government data they hold may be subject to eDiscovery. Because of the costs and resources needed to store data for eDiscovery, those documents will often be held by an eDiscovery service provider in a cloud environment. The rules governing such situations are not clear at this point, but there are best practices that companies and their law firms can follow to stay ahead of compliance issues that may arise.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. Its goal is to maximize security and cost-effectiveness for government agencies seeking new and updated technology by encouraging cloud adoption. FedRAMP is a mandatory program for any cloud service provider that hosts data for government agencies. However, when it comes to hosting data for eDiscovery, FedRAMP certification does not yet appear to be a requirement.
Although there isn’t a strict mandate, the federal government has a strong interest in protecting its own data as well as information that third parties hold. The US federal government’s demands that companies improve their practices and reduce security risks are only going to increase in the future. Companies should expect more scrutiny and regulation, particularly those companies who hold government data. In the legal data discovery context, it seems probable that in individual cases the federal government will require the use of eDiscovery service providers with FedRAMP certification to handle matters containing government data. At a minimum, it will favor those providers with such certification.
As a result, companies and law firms should proactively consider using eDiscovery service providers with FedRAMP certification to improve their own risk management as well as in preparation for additional compliance requirements. Taking this step is not only a good business practice but can reflect favorably on parties who have voluntarily met FedRAMP standards.
CDS is the first eDiscovery provider to obtain FedRAMP certification and to be approved to handle sensitive data for government agencies in its cloud-based platform.
To learn more about our long-term commitment to data security or find out about how the CDS Federal Team can assist with the movement of your eDiscovery or Records Management workloads to the Cloud, contact us today.