On average, about one in every five employees leaves their job every year. For the legal industry, annual attrition can be much higher, according to a study by the Association of Legal Administrators, with annual staff turnover ranging from a low of 24.1 percent to a staggering 66.5 percent.
When it comes to eDiscovery and document review, people can come and go even more quickly, with reviewers accessing data for as briefly as just a few weeks or days. When an employee leaves, will they take access to your firm’s sensitive data with them?
Having the correct tools and processes to “deprovision” employees, or remove access to software and data, upon their exit, means that you can easily protect your data when attrition occurs. But, conversely, failure to utilize your tools or follow established processes can be disastrous.
Anecdotally, while working on a large-scale project there was a grim processional on the Tuesday following a long weekend. The management team, in no mood for jokes or pleasantries, handed out new passwords to all of the staff of attorney-reviewers. The staff were told not to ask too many questions about why the changes were being made, and given explicit instructions not to change these newly issued login details.
As we came to find out, a disgruntled former employee had logged into the eDiscovery platform remotely, and used the platform’s inherent technological batch coding capabilities to un-code and then re-sort thousands of documents. On the employee’s exit removing her access to the review site was completed swiftly—removing access to the review tool was overlooked. While software’s remote login functionality was known to the client firm, it had not been broadcast to the attorney reviewers and therefore not considered a particularly prescient risk by IT staff.
The exiting employee’s little stunt set the project back by over a month, requiring manual re-review of the work that had been done at a significant cost to the firm. Put more succinctly, the minimal likelihood that something could happen doesn’t mean that it wouldn’t since, case in point, it just had.
In general, hacking includes both “traditional” breaches from external actors, as well as unauthorized access to a system. Indeed, 34 percent of data breaches involve internal actors. Controlling who has access to what, when, and altering that access when roles change is essential to mitigating risks associated with employee turnover. Here are some security controls that should be considered.
One common misconception about system access is that it will automatically demise (as is the industry jargon) on its own. However, unless manually revoked by the system’s administrator, a password/system access could remain intact in perpetuity.
With cloud-based software, access and user roles can typically be changed in seconds, with an administrator resigning roles, closing accounts, or changing access permissions as needed, so that when someone leaves a project, their access can be removed simultaneously.
Indeed, law firms should take action when an attorney who previously had access to a case, whether via an eDiscovery system or through other digital accesses, is removed from the case but remains at the firm. Far too often potential confidentiality or insider abuses of sensitive data occur because a corporation relied on an “honor system” to ensure that even if a lawyer shouldn’t access old cases, that didn’t mean that they couldn’t. This simple reconciliation by the system administrator/firm itself can provide a lot of benefits in the battle against the misuse of data.
For those using third-party vendors for eDiscovery, leaver reconciliation may require several more steps. A vendor may have its own policies in regards to leaver reconciliation, but certainly may not have timely notification from the hosting law firm as to who those leavers are and certainly not why the employee is no longer employed there. This information escalation gap from the law firm to the service provider can create the exact type of non-technological breach described above. To counteract this, a best practice for the administer could be to embed an escalation for those leavers from the client into the contract.
Historically, the only way to ensure deprovisioning was to physically remove access to the device (i.e. laptop, tablet, etc.) and then remove access from the ground up.
Since cloud-based solutions were designed to be controlled from decentralized points, even if a full time, contract, or remote employee still has their company-issued access device, the data restrictions come from the cloud solution “downward.”
Another risk is that end users are given override or governance controls (whether they know it or not), which exceed the scope of their needs. A good platform will allow administrators to assign the necessary, and only the necessary privileges based on the system administrators’ needs, across a variety of user categories.
There are times where a user needs plenary access and times where information either should or must be restricted from viewing. Your eDiscovery platform should have its own data security protocols, and there are steps that a firm can take to minimize its own risks.
Law firms, whether in discovery or within their own internal databases, could engage in a degree of data categorization that exceeds simple privilege/nonprivileged, categorizing client data based on the risk that it poses (ex. M&A, healthcare, etc.). This could include data encryption for external transmission, as well as secondary approvals for those case files with additional privacy requirements.
Both as a policy and as a control, password rotation mitigates unauthorized access to databases or servers simply by making it more difficult to guess a user’s password. The risk still remains that, when challenged to rotate passwords, people will use derivations of the original password (ex. “login1” becomes “login2”). A stronger approach is to require two-factor authentication (“2FA”) for user access.
2FA mitigates the risk of an automated credential stuffing attack, where a bot might input those known password variations, trying one iteration after another, by requiring a secondary authentication factor beyond just the password. This added layer of authentication, often delivered through a mobile app like Google Authenticator, makes it even less likely that a hacker or rogue employee can manipulate their way into the system.
2FA helps prevent unauthorized access during review and upon access, as the authenticator can also be revoked, terminating access.
Frequently, many of these info security changes are documented in a policy but not actioned, or not actioned effectively. While it's recommended to designate a steward to oversee these changes (both by name and by title, should the named steward leave), there has to be a measure of the actioning of the policy.
The ultimate path to IT success is to have those new security controls tested periodically by audit and or IT staff. As a matter of best practice, independent fail-safes—either multiple, autonomous internal auditors or third parties—are needed because they bring a measure of impartiality to the process to validate that the controls are effectively designed and operating.
Again, relying on anecdotal evidence, one firm detected that its terminal equipment was being stolen and sold on eBay. While this is somewhat common, the firm responded by deputizing an IT staffer to label and scan all of the firm’s affected tech on a periodic basis.
As it turned out, that IT staffer was the one stealing that equipment all along. Had a second pair of eyes been involved, the scheme would likely not have continued for so long.
With the right policies and procedures in place—and the right tools to make implementing and complying with those policies—protecting access to your discovery data during employee turnover can become a simple and regular part of your discovery process.