Data Security and Privacy in Discovery – Finally Getting the Attention it DeservesJuly 21st, 2015
Last week at LegalTech West, as part of DiscoverReady’s Corporate Counsel CLE track, I facilitated a panel discussion on “Managing Data Security and Privacy in Discovery.” And I had the very good fortune of moderating a panel comprised of three experienced, smart, engaging in-house data security and privacy experts—along with one equally impressive law firm attorney with a national reputation for his expertise in this area. The presentation was so well received that I thought I’d share some highlights here on our blog.
Early in the program Amie Taal, Vice President of Digital Forensics/Investigations at Deutsche Bank, expressed her gratitude that data security and privacy in legal matters finally is getting the attention it deserves. The rise of information governance in the age of big data is one driving force, helping to land data security and privacy on the desks of C-suite executives. But unfortunately another factor is the heightened risk from cybercrime and fraud. With reports of data breaches on the front page of newspapers almost daily, and with the average cost of a breach approaching $150 million, organizations have no choice but to address security and privacy in every facet of their business. All of the panelists agreed that another major influence in this area is the globalization of business, and the need for all organizations—regardless of where they call home—to understand and respect the privacy laws of countries around the world.
John Davis, Executive Director and Counsel for Global eDiscovery at UBS, suggested that with respect to litigation and regulatory discovery, legal departments should develop sound, overarching policies and procedures around data security and privacy proactively, before a specific need arises for a particular legal matter. Those procedures should include vetting service providers and law firms ahead of time, and establishing detailed security and privacy expectations for those providers. John observed that law firms historically received less scrutiny than service providers and vendors, because of the their privileged status as trusted advisors. But in today’s environment law firms no longer can escape that scrutiny—indeed, as holders of their clients’ most secret and valuable information, law firms must step up and develop security protocols equal to other providers.
Speaking of law firms stepping up—Scott Carlson, Chair of the eDiscovery and Information Governance Group at Seyfarth Shaw, explained how his firm became a leader in this area. Seyfarth emerged as one of the first firms to recognize the need for better information security, and to develop and implement best practices. At his firm, a strong CIO played a pivotal role. From there, good training for lawyers and staff was key, along with a gradual but permanent change in the culture around data security. Now the firm conducts—and passes—the most stringent audits and penetration testing its clients can demand.
In the context of legal discovery, however, trusting your law firms and service providers isn’t enough. At some point, an organization will have no choice but to produce highly sensitive and private information to an adverse party. When that adversary is an opponent in civil litigation, many of the tried-and-true methods can adequately protect that information. Strong protective orders, attorneys-eyes-only designations, Federal Rule 502(d) orders, and the use of third-party hosted repositories remain valuable solutions. But Patrick Zeller, Director and Senior Counsel for eDiscovery and Privacy at Gilead Sciences, observed that those solutions are worthless in certain matters—namely, when the party requesting your information is the U.S. Government. If the information must be produced to an agency subject to FOIA, it can be tricky to ensure that sensitive data isn’t made public in response to a FOIA request. Even more troubling: if the information must be produced to the legislative branch, representatives can introduce it on the open floor of the House or Senate! Never mind that disclosing the information was impermissible; the parliamentary privilege prevents prosecution.
Another point on which the entire panel agreed—effective screening and searching for sensitive and private information in large document collections must incorporate cutting-edge technology. We are past the point where we can hire huge teams of human document reviewers and expect them to be effective. Organizations need to consider predictive coding and other advanced analytics—including tools already being used by big data—to help them find and isolate information warranting heightened security and privacy protection.
Thanks to all four panelists for a lively discussion! Our sole complaint was having only an hour to cover this complex, wide-ranging topic. And LegalTech kudos to my colleague Amy Hinzmann, who also moderated a terrific panel. LegalTech News reported on her standing-room-only presentation, in which four in-house counsel discussed the unique e-discovery challenges in government investigations and regulatory actions.
All of us at DiscoverReady had a great experience at LegalTech West—we look forward to seeing you early next year at LegalTech New York!
To learn about DiscoverReady’s industry-leading data security and privacy program, contact us, and we’ll arrange an introduction with a member of our information security team.