How Private is Your Private Data When It Comes to eDiscovery?


Editor’s Note: The author of this post works in the eDiscovery industry and is teaching a course on eDiscovery at Touro Law Center this fall.

By Chris Gallagher, national director of eQ discovery services

Home Depot, IRS, Chase, and Ashley Madison: no one is safe anymore from security breaches or data privacy leaks. It is not a matter of ‘if’ but generally a matter of ‘when’ some form of your private data will be compromised. A breach reveals how private that ‘private’ data really is. Let’s take a moment to discuss some of the potential privacy breaches when it comes to eDiscovery.

eDiscovery is generally defined as any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil, criminal, or investigatory matter. Sometimes, however, ‘secured’ is the weak link in that litany of steps. The very nature of the information being collected generally makes it an area that is ripe with juicy content. The information has already been deemed worthy of some type of investigation, lawsuit, or criminal matter. eDiscovery deals with massive amounts of information, a treasure trove of potentially privileged data, both personal and corporate.

In today’s 24-hour news cycle, where corporate reputations and trust can be ruined in an instant, protecting this data is all the more important. While it’s not always possible to know where and when these breaches are likely to occur, it is possible to prepare for and protect against them. Considering that the estimated annual cost of cybercrime to the global economy is approximately $400 billion, it is well worth the time and preparation.

So how does one address this and where are the likely breaches going to occur?

The first step is to identify the risk profile. What risk does the particular data in question pose? Information such as credit card numbers, attorney-client communications, and trade secrets represents a target-rich environment for the unscrupulous.

Once the risk assessment has been completed, the number of hands touching that data should be significantly limited. It is critical that all parties with access to the data have a written, adhered-to set of internal controls, ones that go far beyond chain-of-custody and logging procedures. During the data collection process, an errant hard drive or laptop can present serious risk. Working with a vendor who routinely manages such workflows will limit the likelihood of any missteps occurring.

After the data is collected and enters the processing phase, the risk outlook increases exponentially. Theoretically, the pertinent data is now set aside for attorneys to assess its privileged nature. In these cases, it’s necessary to confirm that all those viewing the files are subject to confidentiality and non-disclosure agreements. If the data is extremely sensitive in nature, consider locking down the machines displaying the electronically stored information (ESI) to limit the ability to access the Internet or insert any removable media such as a thumb drive, which would allow others to save confidential files. It is not unheard of to enact restrictions on cellphone use during the information review process. This helps prevent anyone from taking photos of the sensitive documents.

As in all things, it is nearly impossible to eliminate all risk to data from a privacy standpoint. As long as people are involved in the process, the risk will always remain, but taking precautions, being proactive, and implementing best practices will help to significantly reduce the likelihood of privacy leaks during the eDiscovery process.