eDiscovery Daily Blog

Protective Orders Help Guard Against Data Breaches by Your Opponents: eDiscovery Trends

A couple of years ago Mandiant reported that 80 percent of the country’s largest law firms have been hacked.  In litigation, you may have to produce your data to one of those firms representing the opposing party.  Here’s how you can protect your organization.

In the Bloomberg BNA article “How to Mitigate Risk When Handing Data to Outside Law Firms” (written by Gabe Friedman), Aaron Crews, senior associate general counsel and head of eDiscovery at Walmart, explained that a company normally stores all of its data, including its most sensitive items, among vast troves.

“eDiscovery is [really] fraught with a fair amount of risk,” said Crews.  “The gems of your data, the really risk-bearing stuff is kind of hidden among the rest of the data,” he said. “But in the eDiscovery space, you’re hosting a slice of data that has been particularly selected because it has those gems in it.”  Turning those “gems” over to a law firm with inadequate cybersecurity protocols can put your organization at risk.

To protect against a data breach in the context of discovery, some practitioners have begun requiring opposing parties in litigation to sign protective orders. Crews said he asks the opposing side to agree to one of the following three provisions:

  1. To sign a protective order attesting that their firm meets certain basic cybersecurity protocols and that it indemnifies his company against any risk of breach.
  2. To use a trusted eDiscovery vendor.
  3. If all else fails, to access the data through his own trusted eDiscovery vendor.

Paul Weiner, a shareholder at Littler Mendelson who is national eDiscovery counsel for the firm, said he drafted an order with such protections because the risk and consequences of a data breach during eDiscovery are simply too great to ignore.  In the article, he provided a sample of the language that he uses in his protective orders and indicated that, though a protective order requires a judge’s approval, so far he hasn’t experienced any problems or pushback in requiring one.

If 2015 is remembered for anything in the legal technology world, it may be remembered as the year of the data breach.  You may not know whether the law firm holding your data has suffered a data breach, but you can require them to adhere to certain basic cybersecurity protocols, either within their firm, within their trusted eDiscovery vendor or within yours.

So, what do you think? Have you considered requiring opposing parties to sign protective orders in your litigation cases? Please share any comments you might have, or let us know if you’d like to know more about a particular topic.

As always, thanks to Rob Robinson’s Complex Discovery site for the tip on the article!

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.