As a result of well-publicized breaches and persistent and evolving hacker activity, commercial entities widely recognize the need to protect customer data, nonpublic corporate information, and other sensitive information.
Companies spend significant amounts of money on information security because data breaches are costly—not just from a financial perspective, but from a reputational one as well. The current average cost of a single data breach is $3.86 million, which has increased 6.4 percent from 2017 (Ponemon Institute, 2018 Cost of Data Breach Study: Global Overview). Among the major direct and indirect costs breached entities incur are notification costs, customer turnover, customer acquisition activities, and the effect on reputation. Accordingly, companies continue to invest heavily in data security for their own networks and to redouble their efforts to secure company assets wherever they may reside. These efforts include bolstering data security program requirements for third-party vendors and insisting on enhanced undertakings from those third parties in the event of a cybersecurity intrusion.
Yet in the context of litigation, parties continue to hand data to an adversary with little to no control over what happens to it thereafter. This potentially exposes companies to the very risks they have worked so hard to minimize.
Against a backdrop of recent corporate, government, and law firm breaches, parties are left to rely on a patchwork of private agreements, U.S. sectoral laws and regulations, and the comprehensive scope of the European Union’s General Data Protection Regulation (GDPR), if applicable, to govern data protection. And parties must contend with an evolving standard for “harm,” inconsistent breach notification standards, and the prospect of serious reputational harm in the event of an actual breach.
While there is little current scholarship in this area, the Sedona Conference has established working groups that are considering ways to address data security in a variety of e-discovery contexts (e.g., breach and disposition of data).
This article traces current regulatory protections, discusses current practices for data protection in discovery, addresses the role of third-party vendors in discovery, and offers suggestions for how parties can leverage existing mechanisms to protect sensitive information as it is produced during discovery.
Current Regulatory Protections
A proliferation of federal and state data protection statutes, regulations, standards, and guidance has blanketed the United States in a patchwork of data protection mandates. This fragmented approach to U.S. data security and data privacy has resulted in even the most stringent measures being limited in their jurisdiction, and in measures that sometimes collide with overlapping requirements. Recent proposals at the federal level for a single, uniform standard for data breach notification have received attention. But at the same time, some major cities are considering proposals to define and regulate data breaches at a municipal level.
Unlike the patchwork of data protection laws in the United States, the GDPR in the EU, which took effect in May 2018, provides one set of data protection rules for personal information across all member countries. The GDPR is unprecedented in its scope—it applies to any personal data controlled or processed by an EU company, as well as to any non-EU business that processes EU citizens’ personal data. Thus, U.S. companies that conduct business in the EU and process data of EU citizens now are subject not only to myriad U.S. federal and state laws but also to the GDPR.
In between these competing approaches, current regulation provides minimal guideposts for navigating data protection in the discovery process. So while federal, state, and international laws impose various obligations on companies to secure sensitive data under their control, even if not in their immediate physical possession, there is little authority that specifically governs data security in the context of civil discovery. More precisely, the gap exists where parties are legally obligated to share potentially sensitive information with adversaries and other parties to the action, to be dissected and potentially used against them in open court.
Existing Tools Can Help Protect Information Once It Leaves a Party’s Control
An attorney can more easily fulfill his or her professional responsibility to maintain client confidences when the confidential information is in the attorney’s possession, or even in the possession of an attorney’s third-party vendor. But production of this information to an opposing party poses a conundrum. The Model Rules of Professional Conduct impose on attorneys a duty to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Because a party is best positioned to implement data protection measures before it produces sensitive information, lawyers should be armed with a plan to negotiate these protections before the discovery process begins. Much of this is uncharted territory—the Federal Rules of Civil Procedure don’t specifically address data protection in discovery. Government investigations may offer translatable practices, as they often mandate certain data delivery standards as a baseline for the protection of sensitive information in transit. Yet there is a lack of guidance on maintaining the security of sensitive information at rest.
Faced with the duty of confidentiality and the lack of formal guidance, attorneys must leverage existing litigation tools to protect client information once it leaves their control. In particular, two existing tools in the Federal Rules of Civil Procedure can be used to plug these gaps: Rule 26(c) protective orders and the Rule 26(f) conference.
Rule 26(c) protective orders provide parties with an opportunity to mold the discovery process and set terms for how data will be handled. Cybersecurity awareness has increased sharply in recent years, due in part to significant data breaches at prominent law firms, companies, and various agencies of the federal government. Civil litigants have increasingly looked to Rule 26(c) orders to protect sensitive information that is turned over to adversaries. Litigants routinely seek adequate assurances from adverse parties regarding protection of the confidentiality of data produced in discovery.
A party can specify its expectations in the Rule 26(c) order. For example, the order can include provisions requiring password protection and encryption of data in transit and at rest, with potentially minimal incremental costs to either party. Similarly, undertakings regarding the secure destruction or return of sensitive information after final resolution of the action are relatively low-cost provisions that can be added to Rule 26(c) orders. Parties can also consider provisions for a notification plan in the event of a breach.
However, parties often use a discovery vendor or even multiple vendors. Information is now not only transferred from one named party to another in discovery, but also from party to vendor, from vendor to party, and so on. A party can use contractual mechanisms to ensure that its own vendor has adequate safeguards in place, but a party and its counsel have little visibility into the security posture of an opposing party or its vendors. Parties should consider this information asymmetry and prospective vulnerability, and proactively address it through Rule 26(c) orders.
Rule 26(c) orders are currently the only mechanism to seek adequate, reasonable assurances, not only from opposing parties regarding their own safeguards for confidential information, but also regarding the safeguards for confidential information used by opposing parties’ vendors. Additionally, given the many differences in state, federal, and international law, parties should also consider defining what constitutes a breach, when notification of a breach must occur, and what the notification must include. Fortunately, parties have an early opportunity in the discovery process to discuss data protections and address their concerns about data security—the Rule 26(f) conference.
Rule 26(f) Conference
The Rule 26(f) conference is a mandatory and important step in the civil litigation discovery process. During the Rule 26(f) conference, parties must meet and consider a number of essential issues, including the development of a proposed discovery plan. The 2006 amendment to Rule 26(f) directs parties to specifically discuss discovery of electronically stored information.
Because the Rule 26(f) conference is mandatory, it is frequently seen as a mere formality—a necessary, but not always productive, step in the discovery process. However, in the absence of rules regarding data security, the Rule 26(f) conference provides an important forum for discussion. Accordingly, parties should be prepared with a plan well in advance to ensure that the conference is productive. The committee note to the 2006 amendment recognizes the importance of early preparation, stating, “When the parties do anticipate disclosure or discovery of electronically stored information, discussion at the outset may avoid later difficulties or ease their resolution.”
As part of Rule 26(f)’s directive to discuss electronic discovery, parties should be prepared to discuss Rule 26(c) orders to address data protection in the context of opposing counsel and third-party vendors. This provides the first and best opportunity for a party to litigation to negotiate data protection measures—including how an opposing party’s vendors will safeguard sensitive information and when to require notification of a breach—and to ensure that they continue to meet their obligation to safeguard client confidentiality for data in transit and at rest.
Parties should use the Rule 26(f) conference and protective orders as tools to seek more explicit representations regarding data security during the discovery process. While breaches will still inevitably occur, the Model Rules require only that attorneys make “reasonable efforts” to prevent unauthorized disclosure of client information. Parties should be able to meet this obligation by leveraging the federal rules and viewing them as fluid and adaptable tools that can be applied to ever-changing circumstances.
Government investigations generally involve an imbalance of negotiating power that can limit a party’s ability to gain the protections more readily obtainable in civil litigation discovery. That said, the federal government is subject to certain data security standards and regulations, and it has a significant interest in maintaining the security and confidentiality of the information it requests. Both factors should provide peace of mind to responding parties, up to a point. Recent breaches serve as a reminder that no institution can fully protect itself from cybersecurity threats.
Some agencies, such as the SEC and CFTC, have adopted data delivery standards to protect data in transit and facilitate the secure storage of information at rest by accepting data in a specific format that is easier to process and load into a secure repository. But it is far from clear that all government agencies have implemented similar data protection standards, or that they communicate those standards to responding parties before production.
A responding party, therefore, should proactively initiate the discussion about how best to securely produce information to the government investigator and then use best practices when transmitting information to the government. It is unrealistic for parties to expect much, if any, visibility into specific agency data protection measures, but parties can take steps to maximize the protection of sensitive information.
By proactively broaching the subject of data protection in the context of cooperation with a particular request, a party can demonstrate its good-faith efforts to provide the government with the requested information, but in a way that minimizes the risk to sensitive information and protects any applicable privileges. Handled appropriately, a party may be able to signal its respect for the investigative process and increase its credibility before the investigative staff while still protecting sensitive information. If nothing else, the responding party will have the facts to demonstrate that it has taken steps to reasonably protect its sensitive information.
There are additional methods to protect data in the course of government investigations, subject to mutual agreement. Parties might explore the possibilities for redaction, de-identification, and anonymization for sensitive data that is not crucial to the matter, for example. Where particularly sensitive information is requested, parties could propose to produce it in self-contained and self-sufficient instances of hardware and software configurations, with specific access controls and other security controls agreed upon in advance by the parties. These arrangements are unusual, but special circumstances may warrant their discussion.
Third-Party Vendors Are a Critical Link
Third-party discovery vendors often host a repository of sensitive information on behalf of a company or law firm. Each additional vendor creates a new risk for data security compromise, particularly as information is transmitted between parties, and then as information resides outside the information owner’s immediate control.
In both civil litigation and government investigations, parties are increasingly likely to retain vendors to help manage and perform discovery-related activities and support expert analysis. Many law firms have robust internal data security procedures but lack standardized procedures for assessing vendor security. According to survey responses from a panel discussion at the 2018 ALAS Cybersecurity Conference, only 35 percent of attending firms had standardized procedures to assess vendor security (ALAS Loss Prevention Journal, Summer 2018). If only one-third of firms have procedures in place to assess the security of their own vendors, how many have implemented procedures to assess opposing party vendor security?
Standards-setting organizations such as the National Institute of Standards and Technology (NIST) encourage companies to evaluate key security processes and include security terms and conditions in vendor agreements. Companies invest time and money to vet their vendors (including their law firms), yet gaps remain in their ability to conduct due diligence on opposing counsel’s vendors, or even joint defense counsel’s vendors in actions where there are multiple defendants receiving discovery. A company’s routine vendor selection process for any third party with access to company systems or information should include due diligence of the vendor’s security posture as well as specific contractual obligations regarding minimum data protection standards and prompt notification of any cybersecurity event that impacts company data.
As organizations like the Sedona Conference begin to generate thought leadership on data security during discovery, parties bear the responsibility of managing this minefield through dialogue and agreement. Before the threat of litigation or investigation arises, companies should:
- Ensure their information-security policies and procedures are updated and contemplate the kind of data transfer, storage, and use involved in discovery and investigative contexts.
- Review their incident response and business continuity plans to assess the extent to which data security incidents involving third-party vendors are relevant and incorporated into these plans.
In the context of litigation and investigation specifically, parties should:
- Prepare and plan with counsel to protect their sensitive information.
- Be aware of applicable federal, state, and international laws to identify and comply with data protection and notification requirements.
- Discuss basic security standards and breach notification obligations for any entity that will handle sensitive data in the course of discovery.
- If necessary, seek protective orders from courts to safeguard this information, and consider negotiating a requirement that others use the same standard of care and level of protection that they use to protect their own sensitive information.
In the longer term, parties may seek changes to the Federal Rules of Civil Procedure to specifically address data security in discovery, establish certain minimum thresholds for protection, and provide for consequences for bad faith or recklessness on the part of a receiving party. In the meantime, however, parties should protect themselves using existing mechanisms and be proactive about discussing protections early and often throughout the litigation and investigation process.