By Daniel Gold, Esq.
For years, I’ve been speaking at CLEs, lunch and learns, and writing about what I have been calling the “slippery slope” of e-discovery data. I have implored in-house legal professionals to continuously have thoughtful dialogues about who has their data, where it is going next, and to ensure there are appropriate security controls in place so that the data resides in a reasonably similar fashion as they would store the data themselves.
What do I mean by this “slippery slope” of e-discovery data? Think of it like this: from a security perspective, a corporation 
creates, maintains, protects, backs up, and defends its data that its employees create daily. Generally speaking, there’s data replication, backups being run, firewalls, and antivirus programs getting necessary security patches, protections against phishing and malware, controls around what applications can be downloaded, et cetera. Typically, there are protocols and controls in place that cover everything from Acceptable Use, Change Management, Clean Desk, Incident Response, and so much more. Policies are governed by typical GRC standards or Governance, Risk, and Compliance that are drafted in collaboration with the legal department to minimize risk and increase compliance. Suffice it to say, for the most part, Fortune 500 companies have a fairly sophisticated approach to “protecting the castle.”
The breakdown occurs when a company knows or reasonably should know that there may be litigation, there is a duty by law to then take an employee’s data and put a “legal hold” on it, which ensures that this data, which has been identified as being important for purposes of litigation, is not erased or destroyed in any fashion. Depending upon the company’s in-house legal team, this particular matter may then be outsourced to one of many law firms that may handle that specific issue of law. And here is where the slope becomes slippery.
Over the years, I’ve met hundreds of law firm and in-house lawyers who have confirmed that more often than not, companies are not sending law firms security questionnaires to ensure that the company’s data is being housed by the law firm in as secure and robust fashion as the company itself maintains the same. Furthermore, even if the company is sending out a security questionnaire, a recent study proves what I have been evangelizing for years, and that is the law firms are not adhering to nor complying with the client’s security policies. The study found that two-thirds of 200 law firms across the country were 100 percent noncompliant with a client’s systems, and 95 percent of the firms were noncompliant with their own cyber policies.
Then, the slope gets even more slippery. This litigation matter that was given to the law firm may require the law firm to then outsource the company’s data to a legal service provider who can process all of the various files, cull them down to both what is potentially reasonable as well as relevant and into a review database for the law firm to begin their analysis (with something other than keywords, I hope). The question becomes, and I have equally validated my hypothesis over the years of meeting with so many legal professionals, what security questionnaires are the law firms sending out to each of these LSPs to confirm whether or not their security controls align both with the law firms, and more importantly, with that of the corporations? Answer? De minimis, at best.
While I generalize to prove an important point, all too often, what I hear is that the number question is not security controls, but rather, what is your lowest cost per GB? What is your ingestion rate? Do you charge on the compressed or the uncompressed? Do you charge for analytics? Do you charge for production? How much control do we have over the database? Not to lessen the importance of asking these questions as these are all equally valid questions. However, ensuring that a security questionnaire goes out to a legal services provider to ensure that they maintain the appropriate levels of security controls that are reasonably similar to that of the company should not be mutually exclusive with the version of TAR (technology-assisted review) they are using.
The reluctance to do so for convenience or to shorten a timeline on a project may be seen by some as a shortcut as an ethical requirement under the ABA Model Rules of Professional Responsibility. For instance, under Rule 5.3, it states that a lawyer who has direct supervisory authority over nonlawyers (i.e., legal service providers) to ensure that the person’s conduct is compatible with the professional obligations of the lawyer. This is elucidated in Comment 4 of this Rule. For purposes of this article, the professional responsibilities would fall squarely within Rules 1.6(c) and Rule 1.1. Under 1.6(c), it states that a lawyer, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The question becomes, however, how a lawyer would know this without having the requisite amount of competency in relevant technology to understand whether or not (a) the provider’s security protocols are acceptable and (b) whether there is also the appropriate level of compliance around the same. To know this, we turn to Rule 1.1 in which a “lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.” In 2012, the ABA modified Comment 8 of this Rule to state that to maintain the requisite knowledge and skill, a lawyer must understand the “benefits and risks associated with relevant technology.” Thankfully, 38 states across the country (and Canada) have modified their State version of this rule to include similar verbiage.
All of this being said, there is a lot of good news. In my ideal world of data security, there would be no longer be a slippery slope of client data. There’s no slope at all. Data would flow centrally within a corporation and stay within the corporation. The corporation would be charged with sourcing a trusted provider to perform investigations, and then if it were to become an e-discovery matter, the data would flow to an e-discovery database in a highly secure and dedicated managed services environment (emphasis on the word services). Leveraging the services provided by the managed services team, the corporation would primarily benefit from their highly skilled and diverse talent pool that serves as a true extension of their legal team. From there, law firms and review lawyers could log into the database owned and maintained by the company. If carried out correctly, a true partnership would, therefore, exist between the company and provider and then out to law firms from there. If executed successfully, we all stand to benefit from a vastly more secure and defensible approach to managing data.
