Cyber Security in e-discovery: challenges for clients and providers


Recently I had the experience of a large and well known e-discovery company being unable to commit to even the threshold cybersecurity requirements of an RFI from a major healthcare provider.

Bad news for the business development team who worked long and hard to be included in the RFI.

Cybersecurity requirements of clients are rightly becoming more and more demanding. Although most evident in heavily regulated industries, it will eventually be all clients.


"In the future, will only the largest e-discovery providers with the heaviest investment in security infrastructure be able to compete for high value e-discovery work?"

After the Target breach implicated the company’s outside HVAC services vendor, many companies started reviewing third-party vendor risk management efforts, contractual arrangements and access control policies.

Most leading institutions have 300-400 high-risk third-party vendor relationships; and by one recent survey, 63% of data breaches are caused by vulnerabilities introduced by third parties.

The renewed focus on vendors is illustrated by the New York State Department of Financial Services, which in April surveyed and reported on third-party cyber risk among the financial services firms it regulates. The regulators are awake, and the cost of all this will run downhill to vendors, including those in e-discovery.

By definition, e-discovery vendors handling evidence in high-stakes litigation and investigations are high-risk third parties (along with law firms): they hold the most sensitive and valuable information, usually from the most senior personnel of America’s leading corporations.

Consider IP litigation and the associated data as a rich target for cybercriminals.

It’s also the connectivity that drives risk: in-house and outside counsel need to log into document review databases housed by vendors, ESI is routinely transferred from client to vendor, some vendors have direct and remote access to client networks in order to collect ESI, and so forth.

The traditional e-discovery process arguably creates a distinct vulnerability to cybercrime.

The standard e-discovery workflow in the outsourced model requires a lengthy, repeat movement of client data across multiple media, hardware, software suites, personnel and geographic locations, from client to vendor to law firms and other third parties (experts, opposing counsel etc.).

And in document review dozens of individuals log in via the web to review tools containing neatly organized and annotated critical documents. Document review centers with reviewers on site require their own sets of physical data security measures.

E-discovery vendors also often partner or outsource parts of the e-discovery process, creating 'nested' fourth-party relationships that multiply entry points, human touches, data spread and volumes.

Moreover, at every stage data is copied and multiplied. By one survey I conducted, one gig of client data became eight gigs over the case lifecycle, increasing intrusion points and making governance and audit difficult.

While there are a few e-discovery vendor behemoths that presumably have robust cybersecurity, the vast majority of the e-discovery industry consists of service providers in the forty to sixty employee range, who in any industry would be natural targets.

While the relationship is not linear, attackers assume that a vendor's size and resources correlate with its overall level of cybersecurity (inadequate as that level often proves to be).

New regulations force corporate clients to impose new cyber security demands on vendors, which many may be unable to meet.

For example, the HIPAA Omnibus Final Rule clearly places the responsibility for data privacy and confidentiality on the covered entity, meaning the data owner, even as the data goes downstream to outside e-discovery vendors. In the financial services industry, FINRA examinations are clear that outsourcing does not remove responsibility for data or a cyber breach from the data originator.

Privacy and cybersecurity go hand in hand, and e-discovery vendors must deal with developing stringent regulations for both.

Over the last two to three years there has been a scramble from e-discovery providers to satisfy security certifications.

Yet it can cost several million dollars and take one to two years to complete the design and implementation of a security policy and the necessary procedures to meet SSAE 16 SOC Type 2, updated in late 2013. This can be difficult for many mid-range vendors in the $10-20M revenue range to accomplish.

And to work for healthcare providers, HIPAA requires a separate and equally expensive independent HIPAA audit against different standards. E-discovery vendors increasingly need to be PCI-DSS compliant for matters involving payment card data, and the list of compliance needs keeps growing.

Perhaps most effective of all, vendors are scrambling at great expense to become compliant with the stringent ISO 27001 standard (and ISO 27018 for Personally Identifiable Information (PII)), updated and in force since September 2013.

ISO 27001 defines how to implement, monitor, maintain and continually improve the organization’s information security management system. It contains a standardized set of 133 separate security controls and requires an annual external audit.

Over the last year at least ten of the better known EDD vendors have announced ISO 27001 certification, although how many providers actually hold it is not clear.

But security certifications are just the price of entry to compete for high value e-discovery work (and soon, any e-discovery work) in the endless battle with cyber criminals, a battle which experts concede defenders are still losing.

As third-party breaches gain attention, e-discovery providers can expect more:
  • vendor risk assessments (VRAs) as the cost of entry
  • on-site inspections and audits
  • ISO 27001 as a base requirement
  • security documentation and reporting to the client
  • role-played security breaches and ongoing third-party penetration testing
  • security monitoring by outside third parties
  • high cybersecurity insurance requirements and premiums
  • background checks for more staff
  • demanding contract terms, warranties and indemnifications
  • enforced legacy data audit and destruction
  • extending the cybersecurity regime to, or limiting data transfer to, the vendor’s partners, subcontractors etc.
  • mandatory security incident and breach notification
  • detailed service termination procedures



There are many pitfalls in assuring vendor cybersecurity that are beyond the scope of this article.

For example, clients should pay attention to the scope of locations covered by an ISO 27001 certificate: does it cover all the locations it should, or just a co-location or one specific facility? Also, the SSAE 16 examination has been criticized for not addressing insider activity and inappropriate data handling. RFPs need to go beyond the traditional "IT Questionnaire" approach and look at information management as a whole.

This highlights that modern cybersecurity is more than certifications or an IT function. It must inform the entire operations and culture of the e-discovery provider, and this will be key to winning the trust of large clients.

All of this is, and will remain, costly in financial and organizational terms for many e-discovery providers. Will smaller vendors have to merge or be bought in order to acquire the necessary cyber infrastructure?

Clients may use risk profiling to segregate vendors into a high-security tier for high value IP/M&A work and a second tier for lower value work, such as smaller employment cases.

The move to bring e-discovery in house and deploy enterprise e-discovery software internally may accelerate as reluctance grows to send sensitive data beyond the firewall.

On the other hand, developing long-term relationships enhances cybersecurity compliance and will benefit both e-discovery providers and clients.

According to a recent survey conducted by The Cowen Group, nearly 70 percent of corporate counsel reported that data security and cybersecurity play the leading role in how they manage e-discovery.

Against the new reality of escalating and constant cybercrime, clients and vendor risk management professionals need to pay special attention to e-discovery, and the industry must continue to respond robustly to the threats.

And cybersecurity will likely change the shape of the e-discovery industry itself.