Data in litigation and compliance investigations often includes sensitive or proprietary information that demands the highest level of security. But with rampant data breaches and data stored in ever more far-flung locations, how can you ensure that your eDiscovery provider is taking the proper precautions to safeguard your—and your client’s—most prized data assets?
We’re coming to the rescue with a simple checklist that you can use to assess the risk before you entrust sensitive, confidential data to a third-party eDiscovery provider. Here are the key security features that you should expect of your eDiscovery vendor.
First, look for the vendor’s security certifications. One of the best-known, most prestigious standards is ISO/IEC 27001, which sets forth the requirements for an information security management system. It’s important that the vendor has actually been certified against this standard, not merely that it states it complies with it; it takes approximately three years for most organizations to earn this certification.
Other important credentials to look for are SAS 70 (Statement on Auditing Standards No. 70) and the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) reporting standards. Satisfying these standards indicates that the provider’s data centers adhere to the industry’s strictest security criteria.
Make sure that any certifications are recent, and ask the vendor to provide all supporting documentation.
Policies and procedures
Your prospective vendor should have a raft of security-related policies. The policies to look for include password requirements, incident/breach response, data segregation (insulating your data from that of other clients), disaster recovery, and business continuity. The goal is to ensure that no matter what happens to your eDiscovery provider, your data is protected by sufficient redundancies and measures. Given the increasing emphasis on data privacy, the provider should be able to demonstrate compliance with the European Union’s General Data Protection Regulation (GDPR) as well as other applicable privacy laws, including the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and any other laws relevant to your organization.
Multi-level security measures
The right vendor will have multiple layers of security to protect against a variety of threats. Physical security measures are essential, including limiting access through securing doors with card access or codes, biometric scanning, and physical identification checks—and those measures must be in place 24/7/365. Environmental controls, such as fire detection and suppression, are also critical.
In addition, the vendor should encrypt data, both in transit and at rest. It should scan all uploaded files for viruses and apply malware detection tools to ensure that no data corruption occurs. It should also apply security patches and run security testing on a regular schedule. Other network security mechanisms, including firewalls and intrusion detection and prevention systems, can provide additional protection. Top providers will also have regular third-party network penetration and vulnerability testing. Ask to see the vendor’s test results.
Finally, security at the user level is paramount. A reputable provider will use multifactor authentication methods as well as restrict access to data through permission-based user roles; it might also limit connections to servers or applications by company or region. The provider should also keep audit logs noting logins, data access dates, and more.
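To make the user-level controls above concrete, here is an added illustration (not code from the original article or from any eDiscovery vendor) of how multifactor verification, tenant segregation, region restriction and permission-based roles can be layered into a single access decision, with every decision, allowed or denied, written to an audit log. The role names, permissions, matter IDs, companies, regions and users are constructed for the example and do not represent any real provider's scheme.

```python
"""Added illustration (not code from the original article): a minimal
permission-based access control layer with an append-only audit log, of the
kind the article says an eDiscovery provider should enforce at the user level.
Role names, permissions, matter IDs, companies, regions and users are
constructed for the example; they are not a real vendor's scheme."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed role-to-permission mapping (least privilege: reviewers cannot export).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "reviewer":     {"read"},
    "case_manager": {"read", "export"},
    "admin":        {"read", "export", "delete"},
}


@dataclass
class User:
    name: str
    role: str
    company: str        # tenant the user belongs to (data segregation)
    region: str         # region the user connects from
    mfa_verified: bool  # has the user completed a second factor this session?


@dataclass
class Matter:
    matter_id: str
    owner_company: str
    allowed_regions: Set[str]


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    action: str
    matter_id: str
    outcome: str    # "allowed" or "denied:<reason>"


@dataclass
class AccessController:
    audit_log: List[AuditEntry] = field(default_factory=list)

    def _record(self, user: User, action: str, matter: Matter, outcome: str) -> None:
        # Every decision, allowed or denied, is logged with a UTC timestamp
        # so that denied attempts are visible to later review, not only successes.
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user.name, action=action, matter_id=matter.matter_id, outcome=outcome))

    def authorize(self, user: User, action: str, matter: Matter) -> bool:
        """Return True if the user may perform `action` on `matter`; log either way."""
        reason: Optional[str] = None
        if not user.mfa_verified:
            reason = "mfa_required"           # multifactor authentication
        elif user.company != matter.owner_company:
            reason = "wrong_tenant"           # data segregation between clients
        elif user.region not in matter.allowed_regions:
            reason = "region_blocked"         # connections limited by region
        elif action not in ROLE_PERMISSIONS.get(user.role, set()):
            reason = "role_lacks_permission"  # permission-based user roles
        if reason is None:
            self._record(user, action, matter, "allowed")
            return True
        self._record(user, action, matter, f"denied:{reason}")
        return False

    def denied_entries(self) -> List[AuditEntry]:
        """Denied attempts only, the slice an auditor usually wants first."""
        return [e for e in self.audit_log if e.outcome.startswith("denied")]


def demo() -> List[str]:
    """Run a few constructed access attempts and return their outcomes in order."""
    ctl = AccessController()
    matter = Matter("M-1001", owner_company="AcmeLaw", allowed_regions={"us-east"})
    alice = User("alice", "reviewer", "AcmeLaw", "us-east", mfa_verified=True)
    bob = User("bob", "case_manager", "AcmeLaw", "us-east", mfa_verified=False)
    eve = User("eve", "admin", "OtherCorp", "us-east", mfa_verified=True)
    dan = User("dan", "admin", "AcmeLaw", "eu-west", mfa_verified=True)
    ctl.authorize(alice, "read", matter)    # allowed
    ctl.authorize(alice, "export", matter)  # denied: reviewer cannot export
    ctl.authorize(bob, "read", matter)      # denied: no second factor this session
    ctl.authorize(eve, "read", matter)      # denied: different tenant
    ctl.authorize(dan, "delete", matter)    # denied: region not permitted for this matter
    return [e.outcome for e in ctl.audit_log]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The checks are ordered so that the cheapest, most general gate (a verified second factor) is evaluated first and the role lookup last; an auditor reviewing the log can see not only who accessed which matter, but also which attempts were refused and why, which is what makes the log useful for incident review.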