You Can’t Secure What You Don’t Know Exists


If you’ve paid much attention to the eDiscovery space over the last months, you may have noticed the same trend that I have. It seems that every other article that I have seen on the topic mentions either cybersecurity or information governance along with eDiscovery.

This is not a coincidence.

Data breaches have become big news, and the legal industry, rightly, is becoming very concerned with not just the possibility of being breached, but also the possibility that, as part of that breach, the client information they have been entrusted with will also be breached. No one wants to be the firm that makes the headlines as the one that lost confidential client information. That’s not a good look.

Hand in hand with these concerns, though, is another. In order to truly protect your data, you actually have to know what it is, where it is, and who has access to it. As an article in the Chronicle of eDiscovery puts it:

For many years, those of us responsible for data security were only concerned with a direct cyberattack on our own networks. But as cyberattackers get more sophisticated and better funded, we need to be conscious of our role in a far more complex information ecosystem. A good example of this is the Target breach in late 2013. As more information has come to light, we’ve learned that the cyberattackers found a weak link via Target’s HVAC contractor and used its network as the staging site for the attack. If you think about the structure of how eDiscovery work is done, it could have just as easily been a law firm or a legal services provider that provided the entry point.

Here we had a major news story that resulted from Target not keeping track of the various folks who had access, and what they had access to. (At least that’s my guess from the outside.) This is the reason Information Governance (IG) is a big part of the security push. Simply put, as lawyers start storing confidential information in a variety of places, on a variety of devices, and sharing it with outside vendors, someone needs to be fully aware of all of the possible points of security failure.

If you don’t keep track of where confidential data and communications live, you can’t possibly keep them secure. Unfortunately, thanks to the proliferation of BYOD policies, cloud storage providers, and outsourcing, most organizations are now playing catch-up. Their data is already spread across a lot of potential targets. Figuring out which ones are vulnerable and what data they contain is a challenge, but it’s step one towards increased security.

Do you know where your confidential data is and who has access to it?
