Thought Leadership and Industry Trends
Securing data during eDiscovery collection for litigation
By Kevin Treuberg, Director of Forensic Services, CDS.
Cybersecurity is a huge concern for companies, but often there is not the same thought given to security of data during the eDiscovery collection process. There are many ways in which data can be lost or compromised during collection resulting in serious legal, financial and reputational consequences. Best practice for companies is to take the following steps to ensure the physical and digital security of their data at every stage of collection:
- Before collection:
- Make sure the right data is being collected. EDiscovery service providers should interface with someone at the company to make sure the data is properly identified.
- During collection:
- Use equipment with no other data on it.
- Save data to encrypted media. Standardized encryption methods (e.g. randomly generated passwords) and hardware should be used.
- Data should be encrypted at the point of collection to ensure that personally identifiable or sensitive data is not compromised.
- Data in transit:
- Create duplicate copies of data in case equipment fails during transit.
- Notify eDiscovery service providers when data is being sent, in what format and by what method. Also confirm who should receive the data.
- Send the encrypted media and the password separately (ex. hard drive by mail; password by email).
- If transmitting data electronically, companies must use a secure ftp site. If they do not have a secure site, then contact the eDiscovery service provider to establish one.
- When shipping hard drives, use proper packaging to protect sensitive equipment.
- Data with eDiscovery service providers:
- Ensure controlled access. EDiscovery service providers should limit data access to staff who are working on the litigation.
- EDiscovery service providers should maintain high security certifications, infrastructure and protocols to protect data.
- Data with other service providers:
- Outside law firms and vendors should also have appropriate security policies to secure data.
Misidentification, lost or compromised data can result in significant delays, added cost, legal liability and sanctions as well as reputational damage to companies. Avoid problems by following these guidelines.