Originally published by Legaltech News.
Security is a top agenda when law firms select EMS vendors
By Monica Bay, Legaltech News
Law firms, corporate counsel and other organizations face increasing challenges when deciding how to handle electronic data discovery. It’s expensive, challenging and often unpredictable.
Over the last decade, e-discovery options for law firms have evolved dramatically. But whether a firm keeps it in-house, overseas or chooses some version of e-discovery managed services, vetting vendors has become even more difficult with the explosion of cybersecurity concerns.
A day doesn’t seem to go by without another news report about a major security breach—among the most recent, hackers in China infiltrated the U.S. Office of Personnel Management data, garnering personally identifiable information (PII) from about 4 million federal employees.
Law firms are especially vulnerable to breaches, because lawyers (especially those in litigation, property or mergers and acquisitions) process highly sensitive information—and law firms are notorious for weak security.
Unlike most professions, lawyers have an ethical duty to protect client data. The ABA “Model Rules of Professional Conduct,” in Rule 1.6(c), state, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Savvy clients now require firms to prove that they have adequate security via security audits. “Firms that have been slow to recognize the importance of this issue may get a wake-up call when they lose out on engagements because they can’t measure up to client cybersecurity requirements,” said Judy Selby, a partner at Baker & Hostetler, in “Law Technology News” magazine, February 2015.
In reaction to pressure from clients and cyberinsurance companies, smart firms are now putting security on the agenda when hiring e-discovery vendors—especially if the firm represents clients in highly regulated arenas such as finance or health care. While cost management is almost always the top issue when it comes to vetting e-discovery providers, security is quickly becoming the second priority.
Chicago-based Maureen Durack is director of operations at Vedder Price, a general practice firm with 300+ attorneys and offices in Washington, D.C., London, San Francisco and Los Angeles. Security was a priority in choosing an EMS vendor, she said. Her team had grown, adding more people and processes, and all the attorneys and paralegals had been trained. The third part of the equation was upgrading Vedder’s e-discovery technology.
The firm was already aware of the potential for security issues with technology installations, said e-discovery manager David Siarny. They understood the importance of knowing “who had our data; how was it locked up; whether there is a chance of the data being mingled with other firms’ data—things of that nature,” he said.
The team vetted vendors against “very high criteria in terms of security,” including Sarbanes-Oxley Act and International Organization for Standardization compliance, said Durack. “Subscribing to the general compliance levels in terms of security was a priority—and that was something that we were able to get in our managed services environment,” she said.
Before choosing the winning managed services provider, the Vedder team took a site tour of its data center and learned more about the provider’s IT audit compliance, dedicated server options and ISO certifications.
Business continuity/disaster recovery was another priority, said Durack. The team had found that in e-discovery, “there was not a lot of redundancy, because of the fact that these vendors were hosting extremely large image databases—and so the whole idea of making that redundant was not cost-effective in this marketplace,” she said.
“Quite honestly, it kind of came as a surprise to us when we were doing our research on our vendors, because ultimately, almost everybody else was doing it. We were curious as to why this segment was not necessarily providing redundancy,” observed Durack.
Durack approached one of the vendor candidates to discuss the problem, noting that, “Ultimately, if there’s an outage and we are on trial or we are in the middle of a large production, it’s going to be extremely important to us that we have at least our active cases available. So we worked with them on a strategy to align what our most common needs would be during an outage, or during a problem, to what they could provide. That was a huge criterion for us,” said Durack.
That vendor won the beauty contest, and the system went live in October 2014. The Vedder team concluded that the best place to house the e-discovery system would be with a managed services partner, “because we could get the level of security that we were looking for, as well as significantly more flexibility,” said Durack.
Chicago-based Andrew Jurczyk, CIO at Seyfarth Shaw, also views data security as a critical factor in evaluating and choosing an e-discovery vendor. He recommends that all firms conduct an internal “thorough third-party audit—and what I mean by that is data privacy, data security.”
Jurczyk also recommends that firms “take that one step further if you are going to get into an engagement.” You need to perform the same audit on your vendors so that when you are audited you can show that you investigated them thoroughly, he advises.
Seyfarth has 800-plus lawyers, nine offices in the U.S. and overseas offices in London, Shanghai, Sydney and Melbourne. One of its signatures is SeyfarthLean, which adopts core principles of Lean Six Sigma.
When the firm was negotiating its EMS agreement, there were “several [vendors] that we were comfortable could meet our demands,” recalled partner Scott Carlson, who founded and chairs Seyfarth’s e-discovery and information governance practice. “The firm culled it down to three, and among the final criteria were cultural and security considerations,” he said. The firm went live with the new system in 2014.
Since then, security audits have become routine tasks at Seyfarth. “The number of audits that are performed on law firms today have increased exponentially,” Jurczyk observed, noting that they are often three-day, on-site events.
Looking back even a couple of years, “I don’t think anybody asked us any security questions,” recalled Lori Chavez, director of Seyfarth’s litigation information management office. Now, she said, it seems that “every RFP we get has an extensive list of security questions.”
Clients, she said, want to know about the security protocols being used by the firm’s managed service team. Questions include “What does your provider do to secure our data?” she said. “We’ve even started to get some inquiries such as ‘Is everything encrypted at rest?’ So I think it’s important to clients. It’s going to have some impact on us; I’m not sure exactly how it’s going to play out yet, but it continues to come up.”
One concrete indicator that cybersecurity worries are rampant: “I just got named the firm’s Data Privacy Officer—in addition to my current role,” said Jurczyk.
Monica Bay is a lawyer, freelance journalist and consultant. Iris Data Services Inc. underwrote this white paper.