Thought Leadership and Industry Trends
Protective Orders Should Mandate Certified Cybersecurity Protections Over Discovery Data
By William Belt, Director of Enterprise Development, CDS.
Data breaches are in the news regularly, and law firms are among the victims. Lawyers are therefore increasingly mindful of data security and of the precautions that help protect sensitive client data. The cost of a breach is significant: penalties, lawsuits, technology fixes and reputational damage. In addition, attorneys have an ethical obligation to take reasonable steps to prevent the unauthorized disclosure of confidential information. That is why firms need to be concerned about their own cybersecurity as well as their vendors’. They also need to consider the security precautions of opposing counsel and of opposing counsel’s vendors. In the litigation context, a Protective Order is the key tool that gives counsel and the court the power to control how data produced in response to discovery requests is protected. That Protective Order should require all parties to protect data while it is held by counsel or by counsel’s vendors, and those protections should remain in place after the data is produced in discovery.
Counsel typically negotiates a Protective Order requiring each party to protect information shared during discovery. The Protective Order is the “law of the case” and gives the Court the power to control important procedural details including maintaining the confidentiality of data produced in discovery. The Order also gives the Court the ability to take steps when a party violates data disclosure limitations and prohibitions.
In the past these orders typically did not specify the level of security law firms and vendors had to apply to the data. That is beginning to change. Lawyers have a duty to protect their clients’ data, so when they receive information in litigation, best practice is to hold it in a repository that meets globally recognized security certifications. Those same certifications should be written into the Protective Order to ensure that the other side secures the information to the same standard. Law firms representing clients with voluminous, confidential data especially need to be able to rely on Protective Order language that makes data security precautions a precondition to the exchange of sensitive information. In many cases where a large enterprise is sued by an individual or a small company, the large company has far more to lose in a data breach than the other party, and without such language its data ends up protected only as well as the weakest recipient protects it.
Law firms should ensure that Protective Orders require all parties to use vendors, and to hold data in repositories, that meet the following standards:
- ISO 27001. The globally recognized standard for establishing, operating and certifying an information security management system (ISMS). A certificate is issued against a defined scope, so counsel should confirm that the scope actually covers the hosting environment and services that will hold the discovery data, not just a corporate office.
- SOC 2 Type 2. An independent auditor’s report under the AICPA Trust Services Criteria on whether a service organization’s controls were both suitably designed and operating effectively over a review period (a Type 1 report covers design at a single point in time only). Security is the one required criterion; the Protective Order should specify that the report also covers availability and confidentiality of data, and counsel should read the report for noted exceptions rather than rely on the label.
- HIPAA and PII. Personally Identifiable Information (PII) and Protected Health Information (PHI) are among the most sensitive categories of data and must be handled to the highest standard of security. Where PHI is involved, HIPAA Security Rule obligations follow the data to the firms and vendors that handle it as business associates, and cross-border litigation may be subject to additional protections under the data protection law of the jurisdictions involved.
- End-to-end security. Security must be maintained at every point in the eDiscovery process, from the underlying infrastructure through to user access control: encryption of data in transit and at rest, secure transfer mechanisms rather than email attachments or unencrypted media, access limited to the matter team by role, multi-factor authentication, and audit logging of who accessed which data and when.
For sample data security language for protective orders, see “Securing Protected Data in U.S. Legal Proceedings: Protective Orders,” Appendix A, from the Sedona Conference (June 2016).
Law firms recognize the need to follow cybersecurity best practices, and they are increasingly mindful that their vendors, opposing counsel, and opposing counsel’s vendors should be required to follow them as well. Requiring opposing counsel to hold recognized data security certifications before they receive responses to discovery requests, and writing that requirement into the Protective Order, extends protective controls over sensitive client data as it moves through the discovery process, and gives courts the power to intervene to ensure those requirements are followed.