The Rule of Professional Conduct 1.15 requires that client information be “appropriately safeguarded” lest you run afoul of the duty to act competently. The new Comment 8 to Rule 1.1 on Competency states that a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology …”.
Whether you’re in-house counsel protecting your organization’s data assets or you’re outside counsel making sure your client’s information is safeguarded, there are 5 things you can do right now to make sure you stay competent during the e-discovery process.
1) Make sure your service providers are ISO 27001 Certified.
You want to make sure that the most robust security measures are in place. The ISO 27001 is an internationally recognized information security management standard (ISMS) that specifies comprehensive requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS.
ISO 27001 requires a rigorous certification process conducted by an independent accredited auditor under the International Organization for Standardization. Not all service providers have the security infrastructure in place to achieve ISO 27001 certification, so it’s important to make sure your service providers do.
2) Make sure your cloud is a private one.
There is a difference between a public and private cloud. Public clouds such as Amazon Elastic Compute Cloud (EC2), IBM’s Blue Cloud, Sun Cloud, Google AppEngine and Windows Azure Services Platform use shared hardware and software accessible by the public. Private clouds only allow access to a limited number of authorized users.
Make sure all of your client’s data is safely floating on a private cloud and know the standards in place governing security – e.g., procedures to limit access; data backup, restoration, firewalls or encryption; notification procedures in case of breach. See the New Hampshire Bar Association guidelines for Cloud Computing Considerations and the ABA eLawyering Task Force for helpful checklists.
3) Track the process for documented chain-of-custody.
To maintain an unbroken chain-of-custody, coordinate with all entities in the e-discovery process and explicitly spell out your expectations in project protocols and contracts. The protocol must ensure that: there is continuous possession and documented inventory of the data; that the data is not modified; a complete copy is made using a reliable copying procedure; and, data security and integrity is maintained at all points in the process. Make sure that the protocol is followed throughout the process, auditing periodically, especially at data transfer points.
4) Understand who has access and ensure it’s limited.
Check with all entities in the e-discovery process to understand who will be granted user access to the data and under what conditions. Gather and review all authorization, authentication and permission mechanisms guarding access and make sure periodic audits are in place.
5) Maintain control over BYOD.
A recent survey found that 67% of people use personal devices at work, regardless of the office’s official BYOD (Bring Your Own Device) policy. With increased use of work communications over laptop, tablet or smartphone, lawyers should use encryption and other appropriate security tools to protect data transmission of information regarding client matters. Take a second to learn about encryption methods and work with your organization’s IT team to make sure your devices are covered.
Chris O’Brien is chief operating officer at Xerox Litigation Services. He can be reached at email@example.com.