When you are outsourcing some or all of your eDiscovery process to a third-party service provider, you’re also outsourcing data security—potentially putting your or your client’s most valuable and sensitive assets, data, at risk.
Any single factor or combination of factors can compromise data security: technology may not be up-to-date in protecting against all known threats; processes may have holes in controlling and monitoring data; and/or the people themselves may not understand or adhere to information-related security policies.
Below are 10 best practices to look for:
- ISO 27001 and Industry Certifications:
An industry benchmark for evaluating an organization’s security, ISO 27001 shows that data centers are following best practices for managing data. Some industries have additional requirements, like financial services firms (i.e., Payment Card Industry Data Security Standard). Internationally, countries have also put standards in place—for example, the Hong Kong Monetary Authority now requires businesses to validate that third-party providers have security controls and breach remedies in place.
- Infrastructure Compliance and Uptime:
A threshold for infrastructure led by think tank Uptime Institute, is Tier 3-plus certification which ensures facilities are 99.982 percent available to users.
- User Access to Applications and Information Systems:
Features to look for include strict documented access control policies based on business needs and client requirements, two-factor authentication, and password storage using industry-standard mechanisms.
- Data Encryption:
Data centers need to protect data both at rest and during transmission, using 256-bit AES SSL encryption to safeguard data going over the network. Similarly, they should encrypt all stored documents, rendering them unreadable without the proper credentials. (This is especially important for data involved in data transfers.)
- Chain of Custody and Audits:
In case of an incident, you will need to know what happened. Chain of custody for all data and user actions in an application (i.e., user logins, coding edits, etc.) and an auditable historical record for each file processed, loaded into, exported from or deleted from the review tool, can show what happened and when.
- Data Center Intrusion Detection and Monitoring:
Proactive and reactive alert systems triggered by any suspicious activity (i.e., malicious intrusions) should be part of network, service, and application activity monitoring.
- Physical Data Center Security:
Extensive physical security that include mechanisms such as 24/7 staffing and monitoring, zoned keycard access, biometric scanning, and monitoring and logging entrances and exits, can deter malicious activity.
In layman’s terms, redundancy means back-up. It refers to network, hardware, power and geographic. Multiple layers of redundancy (at a minimum, two database tiers, two storage tiers, fault-tolerant application server clusters and multiple Internet service provider connections) can provide immediate failover capabilities, ensure data is safe and maximize uptime.
- Disaster Recovery and Business Continuity:
Documented plans and processes to weather a disaster are critical. The most robust data centers have frequently updated and tested incident response plans, disaster recovery protocols that validate the availability of redundancy along with data replication (in real time) to a geographically isolated secondary data center.
- Employee Screening and Training:
Finally, employee screening and training is the starting point (and also potentially a weak link) for data center security implementation. Data centers should use rigorous applicant- screening processes, including background checks where allowed under relevant law, ensure employees have relevant certifications, and undergo rigorous information security training.
Not all data centers are created equal. But by understanding the potential risks and best practices for information security, you can more successfully manage your electronic evidence and eDiscovery obligations.