Is your production in a picnic basket or a safe?
IMPORTANT UPDATE: TrueCrypt, the free encryption software, is no longer supported.
Producing documents as a response to a discovery request is common practice. The request comes in, you do the discovery, and rush like mad to get the production out on time. Usually with not a minute to spare. Whew! Just made it! Rinse, repeat.
But where is the data going and how will it get there safely? And more importantly, what will happen to your precious and highly organized (and hopefully searchable) data once it gets to where it's going? Who has access to it? Where will it "live"? Will copies be made? What happens to the data when the case ends? Etc.
These are all questions that rarely get asked, but are incredibly important to the security of your data. Think about it. Let's say you have followed best practices for securing your e-discovery environment that we previously mentioned here (and you've read Craig Ball's most-awesome post about forms of production). You've centralized your data locations. Your hard drives are encrypted, and you have an iron-clad chain of custody process that can easily show you everyone that touched the documents and when they were touched.
Your discovery workflow has topnotch data security! Congrats. And you made your document production in record time. You are an amazing document production machine. All hail your efficient and secure discovery acumen!...You get the point.
And now...the data you once held in a secure environment is out of sight, out of mind...in someone
environment....that you have no control over! Ahhhhhhhhhhh!!
If you're going into a panic attack right now, that's normal. Breathe in. Breathe out. Do that ten times. Done? Ok. It's not the end of the world. Not yet anyway.
Now, you won't likely be able to force your requesting parties to build the kind of secure discovery environment that you've built. But, you can take steps to make sure your valuable data is treated with care. And at the very least, knowing the who, what, where, and when about your data once it leaves your cold, iron-clad hands is better than not knowing.
Here's a step by step guide to securing your document productions:
Step 1: Encrypt the Ship
If you must ship your data on physical media (like a hard drive or DVD) or over FTP, make sure the shipment is encrypted before it leaves your hands. Not encrypting your data is the equivalent to sending your documents in an open-air picnic basket. Sure, it's easy to pack for a picnic, but it's also easy for anyone to reach in and grab your juicy treats without asking for permission.
When you encrypt your data, using a tool like BitLocker, you turn your picnic basket into an armored truck. But it's even better than an armored truck, because you can't easily Robert Di Nero your way into blowing the doors off the truck unless you have the key or password, which, for the time being, only you have access to. DO NOT WRITE THE PASSWORD ON A POST-IT NOTE AND STICK IT TO THE HARD DRIVE, PLEASE!!
Best practice is to wait for confirmation (see below tips) before you share your password with the requesting party. If the receiver doesn't have access to BitLocker, have them get it. It's your data, and they need to take excellent care of it, right?
Step 2: Confirm the Receipt
The ship has sailed in it's armored picnic basket and is now ready to be opened and enjoyed by the receiving party (Ok, maybe the picnic metaphor can end here?). Great! Your data shipping process is now so secure that even Somali pirates wouldn't even bother trying to get in. Now what?
Get a digital confirmation from the person receiving the data that they actually received it. As cute and novel as they are, DO NOT RELY ON CARRIER PIGEONS OR RAVENS to confirm receipt. They clearly can't be trusted and make too much of a mess to be worth it. So get the confirmation in writing. An email is fine, but if you want to go one step better, use a digital notice confirmation service that will record the date/time when they received it.
(--helpful plug-- you can use Logikcull's Notices feature for this, ask us about it or watch the demo at the bottom of this post --end helpful plug--).
Word to the wise: do not rely on FedEx, UPS, or the like for delivery confirmations. Why? Too often, shipping confirmations are signed for by a doorman or someone that the delivery wasn't truly intended for. For stronger chain of custody, you want the person who was supposed to get the delivery, confirm the delivery on their own.
Step 3: Query the Host
Ok, this step is out of order, because in reality, you should've talked about the receiving hosting environment BEFORE you agreed to send your data to strangers. You can change that process later, so for now, here are a few questions you should be asking the receiving party:
WHO will have access to the data? You don't need specific names, but you should know if access will be granted to vendors, contract attorneys, junior associates, etc. If a vendor will get a copy, what vendor and what technology will they use?
WHAT tool will be used to host the data? You may think this doesn't matter, but not all discovery tools are created with equal security standards. Once you start asking you'll quickly find out that many brand-name tools don't even encrypt files or passwords. Gulp!
WHERE will my data be stored? A closet? A basement? A data center? A desk? Who knows. It's worth asking. Pro tip: Buy a box of tissues before asking this question. There may be a lot of crying afterwards.
WHAT encryption is used to secure my data? Any at all? Is the data encrypted at rest? When they ship data to vendors, etc. do they encrypt the ship (like above)?
HOW will the data be treated once the case is over? It's all too common for litigation data to stay around for a long, long time. In some cases, that's ok and expected. But if the case is done, for good, what happens to the data? Is it destroyed? Are all copies destroyed? How are they destroyed?
WHO will notify me once the data is deleted? Related to the above, you should know when your data has been permanently removed. Why? So you can update that iron-clad chain of custody document you've been keeping detailed notes on for years. And, so you can reduce your data security risk, because the more copies of your data that exist the greater the potential for a breach becomes.
WHEN will every other law firm, business, and government have the kind of data security best practices that you've developed?
We have no idea. But we hope that by following the steps we've outlined people will start to realize it's a worthwhile effort to start doing, like today. Start now. Just like flossing, deploying better data security practices, especially when it comes to giving others your data in the form of a production, will reduce the chance of heart attack and a hacking attack.
If you liked this post, please share it and help others be better prepared for securely managing production data. You might also like our free white paper:
And if you're interested in seeing a demo of our digital notification product (called Notices), get in touch with us anytime.