On July 5th, FBI Director James Comey made a statement that the FBI would not recommend criminal charges against Democratic Party presidential nominee, Hillary Clinton. The announcement was the result of an investigation into the fact that, while serving as secretary of state, Clinton relied exclusively on a personal email account housed by her own personal server rather than using an official, protected state.gov email address. She also communicated from her private email across several electronic devices. Amongst emails about yoga appointments and family outings, Clinton exchanged highly classified information – including Benghazi communications – leading the FBI to question possible breaches of the account from foreign governments and hackers. After months of exhaustive investigation and countless hours of media coverage, the FBI did not uncover sufficient evidence to recommend criminal charges in the case, but concluded that “[Clinton and her staff] were extremely careless in their handling of very sensitive, highly classified information.”
While it’s evident that Clinton probably didn’t think she was being so careless with her data, there are a few simple ways that people in heavily-regulated and litigated industries can avoid being extremely careless. This is especially important when it comes to ediscovery, a time when you’re highly likely to make private information public.
1. The personal & professional are inseparable. Nowadays, people answer work emails on their personal devices and vice versa. They send company files to their home computers so they can work nights and weekends, and send personal documents to print or fax from work. This can be a major headache when it comes to data security, as we saw with the Clinton email scandal. Data that was once relatively secure on company premises leaves the office on portable devices and home networks and is then exposed to the risk of physical and virtual theft. Companies with BYOD or work-from-home policies should establish and enforce strict and specific security guidelines. Employees who work from home or from portable devices should always log out of email accounts and be careful not to join any unknown networks.
2. Keep passwords fresh. Update passwords every 4-6 months. Contrary to popular belief, updating your passwords every 60 or 90 days won’t necessarily result in better security measures, especially when your passwords aren’t strong in the first place. Experts recommend using a password manager like LastPass, DashLane, or KeePass to generate stronger passwords and keep track of them.
3. Beware of the cloud. Add security layers anywhere sensitive data lives, particularly if it’s shared in the cloud. Putting locks on network file directories is simple enough, but with the massive surge in cloud usage, data leaks become more difficult to control. According to expert Joe Moriarty, businesses can better protect cloud-based data “by adding content controls, protection, tracking and deep analytics to files.” Content controls that a company can easily implement to secure data include watermarking files and videos; limiting employees’ ability to forward or print files; and most importantly, preventing unauthorized viewing, saving, and sharing of data.
4. Continued education by HR. Training your employees on security best practices is crucial to preventing a breach. Consider assigning a compliance officer who can be involved in business decisions. Such a position helps bridge the gap between tech-savvy IT employees and those who may not be able to answer, “How does this affect PCI, PII, or HIPAA compliance?”
5. Remember printers? According to expert Michael Howard, the biggest mistake companies make when it comes to securing sensitive data is not securing their printing fleet. He goes on to say a staggering 90% of enterprise businesses have experienced a breach due to unsecured printing. In order to avoid this risk, Michael recommends installing security software that limits printing and helps protect your company paper trail.
While establishing day-to-day security practices is important, safeguarding data during ediscovery is a whole new ballgame. During ediscovery, data changes hands many times internally and externally. Data is gathered from multiple network drives, sources, and authorities, then handed over to another party or two, and some of that data might end up in the public record. Penalties for breaches during ediscovery can include mistrials, fines, sanctions, and even lawsuits, so the stakes are extremely high.
6. Know your data. Every organization needs to be familiar with where its data resides, the laws governing it, and how it may be collected, processed, retained, and transferred before litigation begins. This is especially important when working with cross-border litigation, given the recent changes in EU data protection laws.
7. Limit scope as much as possible. Evaluate the scope of data that is being requested during discovery. For litigation purposes, can the data requested be reasonably limited so that personal data issues can be reduced or eliminated altogether?
8. When in doubt, redact. Redaction is the only foolproof way to protect sensitive data. With the growing amount of ESI and increasing regulations surrounding things like PII, you can’t risk letting sensitive data slip through the cracks during ediscovery and into the hands of opposing counsel. Unfortunately, manual redaction is quickly becoming unsustainable in both cost and feasibility. With the correct redaction software, companies can ensure sensitive data gets redacted automatically, saving time and costs and reducing the risk of human error during review.
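To show what the automatic redaction described above looks like in practice, here is an added example (not the post's own code, and not any vendor's product) that runs a small Python PII redactor over a constructed email body. It redacts email addresses, SSNs, and payment card numbers, uses a Luhn checksum so that card look-alikes are not blacked out by mistake, and produces an audit log for the reviewer that records each redaction without reproducing the redacted value.

```python
import re

# Constructed sample ESI (an email body) containing several kinds of PII plus
# look-alike values that a naive redactor would wrongly black out.
SAMPLE_EMAIL = """From: jane.doe@example.com
Meeting moved to 2016-07-05. Please confirm the claimant's SSN 123-45-6789
and card 4111 1111 1111 1111 before filing. Reference 1234-56-7890 is a PO
number, and 4111 1111 1111 1112 fails the card checksum, so it is left alone.
"""

# One alternation so that match offsets refer to the ORIGINAL text; the name
# of the alternative that fired (m.lastgroup) tells us which kind of PII it is.
PII = re.compile(
    r"(?P<EMAIL>\b[\w.+-]+@[\w-]+\.[\w.-]+\b)"
    r"|(?P<SSN>\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b)"
    r"|(?P<CARD>\b\d(?:[ -]?\d){12,15}\b)"  # candidate only; Luhn-checked below
)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out 13-16 digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text: str) -> tuple[str, list[dict]]:
    """Return redacted text plus an audit log (kind, offset, length) that a
    reviewer can check without the log itself disclosing the redacted values."""
    log: list[dict] = []

    def _sub(m: re.Match) -> str:
        kind, value = m.lastgroup, m.group(0)
        if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", value)):
            return value                    # not a real card number: keep the text as-is
        log.append({"kind": kind, "offset": m.start(), "length": len(value)})
        return f"[REDACTED-{kind}]"

    return PII.sub(_sub, text), log

if __name__ == "__main__":
    out, entries = redact(SAMPLE_EMAIL)
    print(out)
    print(f"{len(entries)} redactions: {[e['kind'] for e in entries]}")
```

A production review platform would add many more patterns and a human spot check, but the two defensive details here carry over: validate candidates before redacting them, and log positions rather than values.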
While the data we deal with on a day-to-day basis may not be labeled as “Highly Classified” like Clinton’s, it’s still very important to have the proper procedures in place for handling and protecting it. With ESI volumes growing at an alarming rate, it’s important that we look to technology for help with data security, particularly during ediscovery, so that we aren’t caught being extremely careless.