Attorneys aren’t just stepping up their own cybersecurity practices—they’re also asking opposing counsel to do the same.

Whether it’s a trade secret case or products liability litigation, sensitive corporate information is often exchanged during the discovery phase of litigation. And litigants are increasingly wary of that information being compromised in a data breach.

Parties typically reach agreements, memorialized by stipulated court-issued orders under Federal Rule of Civil Procedure 26(c), that set the terms regarding how confidential information will be disclosed and handled during discovery. Provisions that include what specific measures must be taken in order to safeguard data are becoming more common in these orders.

“Lawyers are increasingly mindful of data security in their protective orders, and for good reason,” William Ridgway, a Chicago-based attorney at Skadden, Arps, Slate, Meagher & Flom LLP, told Bloomberg Law. Ridgway is a former Assistant U.S. Attorney for the Northern District of Illinois, where he served as the Deputy Chief of the National Security and Cybercrimes Section.

“Discovery involves the exposure of voluminous, sensitive data to a new—and often unknown—security environment,” he said. “A protective order presents an opportunity to require data security best practices, much like the requirements one now finds in most vendor agreements that involve the transfer of data.”

Safeguarding Data

Companies and their corporate counsel are more closely scrutinizing how attorneys handle sensitive data, in the wake of several big law firm data breaches. And cybersecurity provisions in discovery orders are a reflection of this increased vigilance.

“There was a time when cybersecurity wasn’t even a consideration in discovery orders. That has changed,” David Horrigan, who is Discovery Counsel and Legal Content Director at Chicago-based e-discovery software provider Relativity, told Bloomberg Law.

Attorneys are realizing there is a need for cybersecurity provisions in protective orders because nobody is exempt from the risks of being hacked, Robert Owen, the partner in charge of Eversheds Sutherland LLP’s New York office, told Bloomberg Law. Owen is the president of the nonprofit Electronic Discovery Institute and a member of Bloomberg Law’s Litigation Innovation Board.

Third parties that turn over information to litigants should also consider demanding these types of protections, he said.

Kevin F. Brady, a Washington-based attorney at Redgrave LLP, expressed a similar sentiment in an email to Bloomberg Law.

“[A] greater number of parties in litigation are asking for provisions in protective orders that require the requesting party to either provide adequate assurances that it has reasonable administrative, technical and physical safeguards in place to protect the security and confidential nature of the data that the responding party is producing, or hire an eDiscovery vendor or claims’ administrator that has such an information security program,” Brady said. He is a complex litigation specialist, and his practice also focuses on advising clients on electronic discovery, data privacy and data security issues.

Encrypt, Password Protect, and Destroy

Whether to include cybersecurity provisions in protective orders, and what specific measures are appropriate, will vary based upon the sophistication of the parties, the size of the case, and the sensitivity of the information, attorneys said.

Measures that crop up in protective orders include limiting access to confidential information to those who have a need for it, requiring information to be encrypted or password protected, and requiring immediate notice of a data breach.

For example, a 2015 stipulated order issued in Takata airbag products liability litigation states that information downloaded from a litigation support site must be stored on devices that are encrypted or password protected. If a user is unable to password protect or encrypt a device, then the information must be password protected or encrypted at the file level, it says.

Any person in possession of another party’s confidential information must “maintain a written information security program” that is designed to protect the information from unauthorized access, a 2017 pact between Uber Technologies Inc. and a non-profit corporation says.

“To the extent a person or party does not have an information security program they may comply with this provision by having the Confidential Information managed by and/or stored with ediscovery vendors or claims administrators who maintain such an information security program,” it says.

The Uber and the Takata orders both require a receiving party to promptly provide written notice of a data breach and undertake reasonable efforts to remediate the effects of the breach.

More recently, in multidistrict litigation consolidated in the U.S. District Court for the Central District of California, Wells Fargo and customers who sued the bank entered into a January agreement that includes a provision on how a receiving party must safeguard electronic data when shipping it to others. Digital documents shipped on physical media must be encrypted, and paper documents must be sealed with secure packing tape, the order provides.

Additionally, some protective orders are setting out specific damages for noncompliance with security requirements.

“There is also a need to consider privacy and security safeguards when it comes to destruction of confidential data at the end of the litigation,” Brady said.

“In some cases, depending on the type of information, destruction might not be viable when there are overarching statutory or regulatory requirements to maintain that information,” he said.

Attorneys should keep in mind that opposing counsel might push back against the inclusion of burdensome security measures, particularly when discovery is lopsided such that only one side has to produce large volumes of data.

“It is worth noting that some litigants resist data security requirements, claiming that they merely ratchet up the costs to the discovery process,” Ridgway said. “Courts, however, have become much more receptive to these requirements, recognizing that the price of discovery should not include the heightened risk of a data breach.”