4 Critical Factors to Address When Storing and Sharing ESI Evidence in the Cloud
You’ve issued legal holds to your custodians, searched through their accounts, and identified key electronically-stored evidence (ESI) that’s relevant to your litigation. With this evidence in tow, you’ll now need to preserve your files for later analysis and review. More and more organizations nowadays handle this process entirely in-house. But those still moving data to the cloud to be reviewed, processed, and analyzed by external law firms have to consider these four factors to maximize their evidence’s safety.
Because law firms store a lot of sensitive information, intellectual property documents, and transaction data like M&A documents, they are a target of choice for cybercriminals. After all, why hack an organization when you can hack its law firm and get information about other companies at the same time? A notable recent example is the group of hackers called “Dark Overlord” taking possession of 18,000 legal and insurance documents being held by various law firms for 9/11 litigation.
Cloud platforms can be used to preserve personally-identifiable information and sensitive data in compliance with U.S. and global privacy laws. They can also be helpful for storing or sharing ESI evidence in a controlled, secure environment for review, processing, and production. But that’s assuming they’re managed the right way.
Here are four factors to address when storing ESI evidence in the cloud:
Factor 1: How Are You, or Your Law Firm, Planning to Handle Internal Threats?
According to Verizon’s 2018 Data Breach Investigations Report, organizational insiders (current and former employees, executives, and other stakeholders) were responsible for 28% of data breach events last year. Leaving cloud account passwords in the wrong hands or using lax user access controls increases the risk that ESI evidence will be leaked, or corrupted and rendered inadmissible. As SurveyMonkey recently discovered, roughly 1 in 3 workers share their user passwords with their co-workers. These issues aren’t limited to what goes on within your own organization or your law firm; you’ll also need to account for insiders at the cloud provider holding your data. You can address this by working with your law firm to set up and implement consistent, comprehensive identity access management (IAM) policies with multifactor and risk-based authentication, and by applying the principle of least privilege (POLP) when determining user access privileges to cloud accounts. By restricting users’ access to only the resources necessary for their day-to-day work, organizations can reduce the likelihood of rogue stakeholders or custodians corrupting their ESI.
Factor 2: What is Your, or Your Law Firm’s, Strategy for Addressing Shadow IT Issues?
Ideally, cloud server plans should be flexible enough not only to host data but also to run applications. Nonetheless, any app running in a cloud environment has to be approved by IT. The presence of unauthorized apps and software, known as shadow IT, is a problem. McAfee reports that 40% of IT-related projects carried out by businesses are actually carried out without the knowledge or approval of the IT department. At the same time, 80% of employees are using software-as-a-service (SaaS) apps at work, often without IT’s knowledge or approval. Because IT teams can’t update and patch applications they don’t know about, shadow IT apps could contain vulnerabilities that cybercriminals can exploit. By taking advantage of vulnerabilities and “backdoors” in unauthorized apps, hackers will be able to access and compromise both entire cloud environments and ESI. To avoid this, organizations should implement a vetting procedure to control the types of data, SaaS programs, and apps allowed to run in a cloud environment.
Factor 3: How Do You, or Your Law Firm, Plan to Address Endpoint Security Problems on Your Cloud-connected Devices?
“man-in-the-cloud attack,” a strategy that allows hackers to not only pilfer data from user devices and gain remote access to cloud accounts but also to do so without stealing any login credentials. Since many of the major cloud-based file-sharing and data transfer apps use OAuth tokens to synchronize file uploads and downloads between the cloud and user devices, hackers can infiltrate an employee’s device and compromise the token. Doing this would allow hackers to redirect cloud-stored files from a worker’s device to the cybercriminals’ account and allow them to wreak havoc on an organization’s cloud-based data. When addressing these kinds of advanced cloud-centric threats, legal and IT teams should explore ways to integrate file activity monitoring (FAM) and cloud access security broker (CASB) programs to monitor specific accounts and terminate access privileges to suspect devices.
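One way to implement the account monitoring described above, as an added example that is not part of the original article: it flags a sync token presented by a device that is not enrolled for the account, or seen on more than one device, and lists the tokens to revoke. The event fields, device inventory and sample log are constructed assumptions, not the schema of any real FAM or CASB product.

```python
import json
from collections import defaultdict

# Constructed sample sync events (hypothetical field names, one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2019-03-01T09:00:02Z","account":"reviewer1@firm.example","token_id":"tok-A","device_id":"LT-0417","action":"download"}
{"ts":"2019-03-01T09:05:10Z","account":"reviewer2@firm.example","token_id":"tok-B","device_id":"LT-0533","action":"upload"}
{"ts":"2019-03-01T09:12:44Z","account":"reviewer1@firm.example","token_id":"tok-A","device_id":"UNKNOWN-7f3","action":"download"}
{"ts":"2019-03-01T09:13:01Z","account":"reviewer1@firm.example","token_id":"tok-A","device_id":"UNKNOWN-7f3","action":"download"}
{"ts":"2019-03-01T09:20:00Z","account":"reviewer1@firm.example","token_id":"tok-A","device_id":"LT-0417","action":"upload"}
"""

# Assumed inventory: devices IT has enrolled for each cloud account.
ENROLLED = {
    "reviewer1@firm.example": {"LT-0417"},
    "reviewer2@firm.example": {"LT-0533"},
}

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspect_token_use(events, enrolled):
    """Return one alert per event where a sync token looks copied or misused."""
    devices_by_token = defaultdict(set)
    alerts = []
    # ISO 8601 UTC timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        token, device, account = ev["token_id"], ev["device_id"], ev["account"]
        devices_by_token[token].add(device)
        reasons = []
        if device not in enrolled.get(account, set()):
            reasons.append("unenrolled_device")
        # A token is issued to one device; a second device means it was copied.
        if len(devices_by_token[token]) > 1:
            reasons.append("token_on_multiple_devices")
        if reasons:
            alerts.append({"ts": ev["ts"], "account": account, "token_id": token,
                           "device_id": device, "reasons": reasons})
    return alerts

def tokens_to_revoke(alerts):
    """Tokens whose access should be terminated, deduplicated and sorted."""
    return sorted({a["token_id"] for a in alerts})

if __name__ == "__main__":
    found = find_suspect_token_use(parse_events(SAMPLE_LOG), ENROLLED)
    for alert in found:
        print(alert)
    print("revoke:", tokens_to_revoke(found))
```

Once a token has been seen on a second device, later use from the enrolled device is flagged as well, because the token itself can no longer be trusted until it is reissued.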
Factor 4: What Steps Are You, or Your Law Firm, Taking to Mitigate Data Loss Risks and Vendor Lock-In Obstacles?
Data loss is a real risk for any organization, regardless of whether cloud or on-prem storage is used. Organizations need to explore what types of immutable storage options are compatible with their cloud solutions. While evidence can always be manually exported to on-premises storage, organizations could also look into archiving to preserve critical cloud-stored ESI evidence like email messages and ensure it can’t be tampered with.
Recap: What to Address When Storing and Sharing Evidence in the Cloud
Although cloud storage platforms are a practical solution for storing your organization’s ESI evidence and sharing it with your outside counsel, they’re also riskier than reviewing, processing, and analyzing your data in place. Moving sensitive data outside the protections designed for it, which you control as the data owner, is an additional risk. You’ll need to ensure that the custodians of your data, even if they’re as trustworthy as a law firm, are properly managing access controls and implementing effective security measures in order to mitigate spoliation and data leak risks.
About the Author: Eric Pesale is an attorney who writes about business and legal issues for various publications, law firms, and companies. His articles on eDiscovery, cybersecurity, and information governance have been featured in CSO, The New York Law Journal, Above the Law, and Lexology. Eric is the founder and chief legal contributor of Write For Law®, and is admitted to practice in New York, Connecticut, and New Jersey.