Security

Brad Jenkins of CloudNine: eDiscovery Trends

This is the first of the 2016 LegalTech New York (LTNY) Thought Leader Interview series.  eDiscovery Daily interviewed several thought leaders at LTNY this year to get their observations regarding trends at the show and generally within the eDiscovery industry.  Unlike previous years, some of the questions posed to each thought leader were tailored to their position in the industry, so we have dispensed with the standard questions we normally ask all thought leaders.

Today’s thought leader is Brad Jenkins of CloudNine™.  Brad has over 20 years of experience as an entrepreneur, as well as 15 years leading customer focused companies in the litigation technology arena. Brad also has authored several articles on document management and litigation support issues, and has appeared as a speaker before national audiences on document management practices and solutions.  He’s also my boss!  :o)

What are your general observations about LTNY this year and how it compared to other LTNY shows that you have attended?

Again this year, LTNY seemed reasonably well attended.  Thankfully, we didn’t have the weather and travel issues that we had the past few years, so that probably helped boost attendance.  And, the Hilton Lobby Lounge was back this year, so that provided an additional location to meet, though most of our meetings were in our suite.  Though I was really busy and didn’t get much chance to attend sessions, I understand that they were very good as always.  I did notice a drop in the number of exhibitors again this year and the exhibit hall did seem to be less crowded.  One colleague of mine who exhibited indicated that the number of leads he received at the show dropped about 30 percent from last year, so that’s consistent with my own observations and those of my colleagues.

For me, LTNY has become as much about the meetings with colleagues and business partners as it is about the show itself.  CloudNine had meetings practically booked throughout the show, with various people including industry analysts, partners and potential partners and clients and prospects.  Because it is the biggest show of the year, most people in the industry attend, so it’s an ideal opportunity to meet face to face and move business relationships along further.  Sometimes, there is just no substitute for in-person meetings to further business relationships and to communicate your message to other business colleagues.

What about general industry trends?  Are there any notable trends that you’ve observed?

Certainly one trend that I have noticed, as others have certainly noticed, is the accelerated consolidation within our industry within the provider community and the growth of investment of outside venture capital firms in our industry.  Just in the past couple of months, we have seen Huron Legal acquired by Consilio (which received a major investment from Shamrock Capital Advisors a few months before that), Millnet acquired by Advanced Discovery, Orange Legal acquired by Xact Data Discovery and Kiersted Systems acquired by OmniVere.  Rob Robinson does a terrific job of tracking mergers, acquisitions and investments in our industry and, according to his list, there have been eleven significant acquisitions and investments in just the past three months!

Another noticeable trend in the industry is the clear trend toward automation within eDiscovery.  You wrote about it earlier this year and, like you, I believe that the age of automation is here.  Some have dismissed the term “automation” as a marketing term, but I can’t think of a better term to describe the transformation of tasks that used to require a high degree of manual intervention and supervision to a point where little, if any, human involvement is necessary.  We’ve seen it for years through automation of review with technology assisted review techniques such as clustering and predictive coding and we have begun to see use of some artificial intelligence techniques on the information governance side.  Now, we are seeing automation of the processing of data to get it into a review platform and cloud-based providers (including CloudNine) automating that process.

Having been in the legal technology industry for many years, I have really seen an evolution of technology offerings in the marketplace.  At the beginning, I saw applications that were originally developed for other purposes being adapted for eDiscovery and those solutions were incomplete.  As the market developed, there started to be applications that were specifically designed for eDiscovery and those solutions were an improvement, but they were designed for isolated processes, such as collection or processing or review, with no automation of tasks.  The next generation of solutions were designed for eDiscovery and designed for task integration, but still adapted for task automation – some of those are the most popular solutions in the market today.  The new solutions – the “fourth generation” technology offerings are not only designed for eDiscovery and designed for task integration, they’re designed for task automation as well.

Many people say that if you want to tell where an industry is heading, follow the money.  In the past several months, you’ve seen providers like Logikcull and Everlaw that emphasize automation receive significant capital investments and, just before LTNY, you saw Thomson Reuters announce a new platform where automated processing is a key component.  It’s clear that big money is being invested in the growing automation sector of the industry.  You can get on the bus, or you can get run over by the bus.  As a provider that has been committed to simplified eDiscovery automation for several years now, CloudNine is on the bus and we feel that we have an excellent “seat” on that bus and are well positioned to help usher eDiscovery into the automation age.

What are you working on that you’d like our readers to know about?

Well, since I was just talking about fourth generation technology solutions, it seems appropriate to discuss how CloudNine has gotten to the point where we are in that evolution.  About 3 1/2 years ago at CloudNine, we looked at our legacy platform that had been in place since the early 2000s and was on version 14.  Our clients were happy with the platform overall, but we realized that if we were going to stay competitive as the market evolved, our legacy platform wasn’t going to be able to support those future needs.  So, we made the decision to almost completely start from scratch and re-develop our platform from the ground up, using the latest technology with an eye toward a truly simplified eDiscovery automation approach.  The platform that you see today via the user interface is just the tip of the iceberg of the overall solution – behind it is a series of workflows to accomplish various tasks.  For example, there are 34 distinct workflows (our CTO and co-founder Bill David calls them “cascading buckets” that enable the workflows to scale) just in our Discovery Client application that enables clients to upload and process data into our CloudNine review platform.  This modularized approach of putting together re-usable workflows enables us to both scale and adapt as needed to meet changing client needs and positions us well for the future.

We feel that CloudNine is the leader in simplifying eDiscovery automation.  We do this through what we call the 4 S’s: Speed, Simplicity, Security and Services.  Clients, even brand new clients, can be up and running in five minutes (Speed) through their ability to sign up for their own account and upload and process their own data.  We recently had a brand new client who signed up for an account, uploaded and processed 27 GB of Outlook PST files (which amounted to over 300,000 emails and attachments) and culled out nearly two-thirds of the collection via HASH deduplication and irrelevant domain culling – all within 24 hours without ever having to speak to a CloudNine representative!  The ease of use (Simplicity) of the platform through the wizard-based client application for uploading data and a browser independent review module enables our clients to get up to speed with no more than an hour (or less) of training required.

Our approach to Security is unique as well – we operate within a protected cloud, not a public cloud, where the clients know that their data will be located on our servers in a Tier IV data center that is located 5 minutes from our offices.  This data center hosts data for nine of the top Fortune 20 corporations and was instrumental in us being selected over a year ago by a Fortune 150 corporation to host their data.  Finally, what makes us unique are the Services that we provide to support the software and automation – in addition to the software that we provide to help automate the eDiscovery process, we also provide managed services ranging from forensic collection to data conversion to technical advice and eDiscovery best practices and managed document review.  This enables our clients to rely on one provider for all of their services needs – as opposed to software-only providers that would have to outsource those services to a third party.

We believe that the combination of Speed, Simplicity, Security and Services enables CloudNine to provide the simplified eDiscovery automation approach that our clients want.  It’s an exciting time in our industry and CloudNine is excited to be forefront in its continued evolution, as we have been for the last 13 years!

Thanks, Brad, for participating in the interview!

And to the readers, as always, please share any comments you might have or if you’d like to know more about a particular topic!
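The HASH deduplication and irrelevant-domain culling that Brad mentions are worth seeing concretely. The Python below is an added example written for this page, not CloudNine’s Discovery Client code. It assumes a simplified representation of each email (one dict per message), constructed sample messages rather than real PST data, and an irrelevant-domain list that the review team decides on. The point it shows: hashing the exported .msg file would not match two copies of the same email collected from two custodians, because display names, recipient order and line endings differ between mailboxes, so the hash is taken over normalized fields (lower-cased and sorted addresses, unified line endings, attachment content rather than filename).

```python
"""Email-level hash deduplication and sender-domain culling.
Added example for this page, not CloudNine's code.  All messages below are
constructed sample data, not real email."""
import hashlib
from email.utils import getaddresses

# Assumption: domains the review team has decided are irrelevant to the matter.
IRRELEVANT_DOMAINS = {"deals.example.net"}

# Constructed sample collection.  m1 and m2 are the same email pulled from two
# custodians' PST files: same Date header, but different recipient order,
# display names, address casing and line endings, so a file-level hash of the
# two exports would not match.  m3 is a newsletter; m4 is a distinct reply.
SAMPLE_MESSAGES = [
    {"id": "m1", "custodian": "alice", "from": "Alice Smith <Alice@Example.com>",
     "to": "bob@example.com, Carol Jones <carol@example.com>", "cc": "",
     "subject": "RE: Q3 contract", "date": "Mon, 01 Feb 2016 10:15:00 -0600",
     "body": "Bob,\r\nPlease see attached.\r\n\r\nAlice",
     "attachments": [("contract.docx", b"PK\x03\x04 constructed draft v3")]},
    {"id": "m2", "custodian": "bob", "from": "alice@example.com",
     "to": "Carol <carol@example.com>, Bob <bob@example.com>", "cc": "",
     "subject": "RE: Q3 contract", "date": "Mon, 01 Feb 2016 10:15:00 -0600",
     "body": "Bob,\nPlease see attached.\n\nAlice\n",
     "attachments": [("Contract.docx", b"PK\x03\x04 constructed draft v3")]},
    {"id": "m3", "custodian": "bob", "from": "Weekly Deals <newsletter@deals.example.net>",
     "to": "bob@example.com", "cc": "", "subject": "This week's offers",
     "date": "Tue, 02 Feb 2016 08:00:00 -0600", "body": "Save 20% today!",
     "attachments": []},
    {"id": "m4", "custodian": "bob", "from": "bob@example.com",
     "to": "alice@example.com", "cc": "", "subject": "RE: Q3 contract",
     "date": "Mon, 01 Feb 2016 11:02:00 -0600", "body": "Got it, thanks.",
     "attachments": []},
]


def normalize_addresses(header):
    """Keep only the bare addresses of a From/To/Cc header, lower-cased and
    sorted, so display names and recipient order do not affect the hash."""
    addrs = sorted(addr.lower() for _, addr in getaddresses([header]) if addr)
    return ";".join(addrs)


def normalize_body(body):
    """Unify CRLF/CR/LF line endings and strip trailing whitespace per line."""
    lines = body.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\n".join(line.rstrip() for line in lines).strip()


def email_hash(msg):
    """SHA-256 over the normalized fields of one message.  Attachments
    contribute their content hash, not their filename, so a renamed copy of
    the same attachment still matches."""
    h = hashlib.sha256()
    for part in (
        normalize_addresses(msg["from"]),
        normalize_addresses(msg["to"]),
        normalize_addresses(msg["cc"]),
        " ".join(msg["subject"].split()).lower(),
        msg["date"].strip(),
        normalize_body(msg["body"]),
    ):
        h.update(part.encode("utf-8"))
        h.update(b"\x00")  # field separator so adjacent fields cannot run together
    for content_hash in sorted(hashlib.sha256(data).hexdigest()
                               for _, data in msg["attachments"]):
        h.update(content_hash.encode("ascii"))
        h.update(b"\x00")
    return h.hexdigest()


def sender_domain(msg):
    """Domain of the first address in the From header, lower-cased."""
    addrs = getaddresses([msg["from"]])
    if not addrs or not addrs[0][1]:
        return ""
    return addrs[0][1].rsplit("@", 1)[-1].lower()


def cull(messages, irrelevant_domains):
    """Drop messages from irrelevant domains, then exact duplicates by hash.
    Returns (kept_messages, dropped) where dropped maps id -> reason."""
    seen = {}
    kept, dropped = [], {}
    for msg in messages:
        if sender_domain(msg) in irrelevant_domains:
            dropped[msg["id"]] = "irrelevant-domain"
            continue
        digest = email_hash(msg)
        if digest in seen:
            dropped[msg["id"]] = "duplicate-of-" + seen[digest]
            continue
        seen[digest] = msg["id"]
        kept.append(msg)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = cull(SAMPLE_MESSAGES, IRRELEVANT_DOMAINS)
    print("kept:", [m["id"] for m in kept])
    print("dropped:", dropped)
```

Running the module prints which ids survived and why the others were dropped. This is exact-duplicate detection; near-duplicate handling (quoted threads, minor edits) is a different, fuzzier technique, and the Date field is deliberately kept in the hash so that a re-sent message is not collapsed into the original.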

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Apple in Court Battle Over Access to San Bernardino Shooter’s iPhone: eDiscovery Trends

In a case that pits national security vs. privacy concerns, a federal judge on Tuesday ordered Apple to give investigators access to encrypted data on the iPhone used by one of the San Bernardino shooters, a court order that Apple has vowed to fight, accusing the federal government of an “overreach” that could potentially breach the privacy of millions of customers.

According to NBC News, in a 40-page filing, the U.S. Attorney’s Office in Los Angeles argued that it needed Apple to help it find the password and access “relevant, critical … data” on the locked cellphone of Syed Farook, who with his wife Tashfeen Malik murdered 14 people in San Bernardino, California on December 2.

The judge ruled that Apple had to provide “reasonable technical assistance” (that it had previously “declined to provide voluntarily”) to the government in recovering data from Farook’s iPhone 5c, including bypassing the auto-erase function and allowing investigators to submit an unlimited number of passwords in their attempts to unlock the phone. Apple was given five days to respond to the court if it believed that compliance would be “unreasonably burdensome.”
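To see why those two pieces of assistance matter together, here is a small Python model of a passcode guard with an auto-erase counter, with a brute-force routine run against it once with the guard enabled and once with it disabled. This is an added illustration, not Apple’s code or a description of iOS internals: it assumes a 4-digit numeric passcode and a wipe after 10 consecutive failures (both thresholds are assumptions made for the model), and it omits the escalating delays a real device also imposes between attempts.

```python
"""Toy model of a passcode guard with an auto-erase counter.  Added example,
not Apple's code: the passcode length, the wipe threshold and the absence of
inter-attempt delays are all assumptions made for the illustration."""
import secrets

WIPE_AFTER = 10      # assumption: wipe after 10 consecutive failures
PASSCODE_DIGITS = 4  # assumption: 4-digit numeric passcode


class PasscodeLock:
    """Accepts guesses; with auto_erase on, wipes after wipe_after failures."""

    def __init__(self, passcode, auto_erase=True, wipe_after=WIPE_AFTER):
        self._passcode = passcode
        self.auto_erase = auto_erase
        self.wipe_after = wipe_after
        self.failures = 0   # consecutive failures since the last success
        self.attempts = 0   # total guesses submitted
        self.wiped = False

    def try_passcode(self, guess):
        """Return True on the correct passcode.  Raises once the device has
        wiped, since there is no protected data left to unlock."""
        if self.wiped:
            raise RuntimeError("device wiped; protected data is gone")
        self.attempts += 1
        if secrets.compare_digest(guess, self._passcode):
            self.failures = 0
            return True
        self.failures += 1
        if self.auto_erase and self.failures >= self.wipe_after:
            self.wiped = True
        return False


def brute_force(lock, digits=PASSCODE_DIGITS):
    """Try every code from 0000 upward.  Returns the passcode, or None if the
    device wiped before the search reached it."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if lock.try_passcode(guess):
            return guess
        if lock.wiped:
            return None
    return None


def success_probability(digits=PASSCODE_DIGITS, wipe_after=WIPE_AFTER):
    """With the guard on, an attacker gets wipe_after distinct guesses out of
    10**digits equally likely codes: the chance of unlocking before the wipe."""
    return wipe_after / 10 ** digits


def expected_attempts_without_guard(digits=PASSCODE_DIGITS):
    """Average guesses an exhaustive search needs for a uniformly random code."""
    space = 10 ** digits
    return (space + 1) / 2


def compare(passcode):
    """Run the same exhaustive search with and without auto-erase."""
    guarded = PasscodeLock(passcode, auto_erase=True)
    unguarded = PasscodeLock(passcode, auto_erase=False)
    return {
        "guard_on": {"found": brute_force(guarded),
                     "attempts": guarded.attempts, "wiped": guarded.wiped},
        "guard_off": {"found": brute_force(unguarded),
                      "attempts": unguarded.attempts, "wiped": unguarded.wiped},
    }


if __name__ == "__main__":
    code = f"{secrets.randbelow(10 ** PASSCODE_DIGITS):0{PASSCODE_DIGITS}d}"
    print(compare(code))
    print("P(success before wipe) =", success_probability())
    print("expected attempts, guard off =", expected_attempts_without_guard())
```

With the guard on, the search stops after ten guesses and the data is gone; with the guard off, the same search walks the whole 10,000-code space and always succeeds. That is the practical difference between a 0.1% chance of success and a certainty, and it is why the order asks for both the erase bypass and unlimited attempts rather than either alone.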

Apple CEO Tim Cook published an open letter late Tuesday, pledging to fight a judge’s ruling that it should give FBI investigators access to encrypted data on the device.

“We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone”, Cook wrote.  “The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.”

Stating that creation of a tool to unlock the iPhone would be “the equivalent of a master key, capable of opening hundreds of millions of locks – from restaurants and banks to stores and homes”, Cook wrote that “[n]o reasonable person would find that acceptable.”  “Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.”

Yesterday, the Today show covered the dispute as its top story – even before covering the election and Donald Trump (imagine that!).  A link to the video and more on the story is available on the NBC News site here.  The experts interviewed on the show expected the court battle to continue for some time.

So, what do you think?  Does Apple have legitimate concerns or is it their duty to assist the government and create a tool to unlock the iPhone?  Please share any comments you might have with us or let us know if you’d like to know more about a particular topic.

Most Firms Are More Concerned About Security Threats Than They Were Just Two Years Ago: eDiscovery Trends

If you’ve been paying attention to the headlines at all this year, it should come as no surprise that most firms are more concerned about security threats than they were just two years ago.  But, what percentage of firms and what is their biggest security concern?

The LegalTech News article, By the Numbers: Cybersecurity in the 2015 Am Law-LTN Tech Survey, provides some interesting key stats on firms’ handling of cybersecurity and their top concerns.  Here are some key numbers:

  • 77% of firms are more concerned about security threats than they were just two years ago: In addition, the majority of respondents to the survey indicated that their security concerns have increased over the past year, with none indicating a decrease in concern over the past year;
  • 25% of respondents identified phishing as their perceived biggest security threat to the firm: phishing being the practice where attackers pose as legitimate sites or senders to trick people into handing over their credentials. Another 23% of respondents identified “outsiders trying to break into the data network” as their biggest threat, so for 48% of respondents the biggest concern was unauthorized outsider access. 27% of respondents identified a lack of knowledge about their own security status as the biggest threat, either not knowing whether data has been compromised (16%) or not knowing when the firm is under attack (11%).
  • 83% of responding firms have implemented mobile device management software to protect data on BYOD devices: That’s probably a big reason why only 5% of respondents identified “mobile” as their biggest security threat.
  • 31% of firms plan to migrate to Windows 10 in the next year: As the survey indicates, support for older operating systems can dwindle, resulting in a greater possibility of security exploits in those older operating systems (though it’s my experience that the newer systems can sometimes be as vulnerable).

So, what do you think? What do you consider to be the biggest security threat to your firm? Please share any comments you might have or if you’d like to know more about a particular topic.

Protective Orders Help Guard Against Data Breaches by Your Opponents: eDiscovery Trends

A couple of years ago Mandiant reported that 80 percent of the country’s largest law firms have been hacked.  In litigation, you may have to produce your data to one of those firms representing the opposing party.  Here’s how you can protect your organization.

In the Bloomberg BNA article How to Mitigate Risk When Handing Data to Outside Law Firms (written by Gabe Friedman), Aaron Crews, senior associate general counsel and head of eDiscovery at Walmart, explained that a company normally stores all of its data, including its most sensitive items, among vast troves.

“eDiscovery is [really] fraught with a fair amount of risk,” said Crews.  “The gems of your data, the really risk-bearing stuff is kind of hidden among the rest of the data,” he said. “But in the eDiscovery space, you’re hosting a slice of data that has been particularly selected because it has those gems in it.”  Turning those “gems” over to a law firm with inadequate cybersecurity protocols can put your organization at risk.

To protect against a data breach in the context of discovery, some practitioners have begun requiring opposing parties in litigation to sign protective orders. Crews said he asks the opposing side to agree to one of the following three provisions:

  1. To sign a protective order attesting that their firm meets certain basic cybersecurity protocols and that it indemnifies his company against any risk of breach.
  2. To use a trusted eDiscovery vendor.
  3. If all else fails, it must access the data through his own trusted eDiscovery vendor.

Paul Weiner, a shareholder at Littler Mendelson who is national eDiscovery counsel for the firm, said he drafted an order with such protections because the risk and consequences of a data breach during eDiscovery are simply too great to ignore.  He provided a sample of the language in the protective orders that he uses in the article and indicated that, though a protective order requires a judge’s approval, so far he hasn’t experienced any problems or push back in requiring one.

If 2015 is remembered for anything in the legal technology world, it may be remembered as the year of the data breach.  You may not know whether the law firm holding your data has suffered a data breach, but you can require them to adhere to certain basic cybersecurity protocols, either within their firm, within their trusted eDiscovery vendor or within yours.

So, what do you think? Have you considered requiring opposing parties to sign protective orders in your litigation cases? Please share any comments you might have or if you’d like to know more about a particular topic.

As always, thanks to Rob Robinson’s Complex Discovery site for the tip on the article!

“We Don’t Need No Stinking Badges” – On Facebook: eDiscovery Case Law

If you’re near my age and love movies, you probably love the classic Mel Brooks comedy Blazing Saddles.  My favorite quote from that movie is when the bandido says “Badges?  We don’t need no stinking badges!”*  Apparently, there’s a new trend where people post pictures of their employee badges on social media.  Guess what that can lead to?  Unauthorized access to their employer’s facilities and systems.

According to an article on Forbes.com (Here’s Why Your Employer Gets Nervous When You Post Pictures On Facebook), there’s a new trend on social media where people are posting photos of their new employee ID badges called “badge bragging”.  Not surprisingly, according to Brian Varner, Cyber Security Services at Symantec, this trend can give a cyber criminal enough information to compromise personal or company security systems.

One example he cited involved a person who just started a new job at a prestigious hospital. He posted a photo of his new employee ID badge on social media. With just that photo, a hacker could copy the security bar code and make a fake badge to gain access to various systems. Also, the hacker would know the employee’s full name, department he worked in, his education, and the date he started.

Varner identified a few best practices that included developing a policy for employees that addresses posting images or details about work activities online, making security training a part of new employee onboarding and regular reinforcement of good security “hygiene” with constant communication to reinforce best practice behavior.

It’s amazing the ways that hackers can get personal information these days – avoiding security breaches is more challenging than ever.

*By the way, here’s a little trivia: this is not the first time that quote appeared on film or TV.  Most people think the Blazing Saddles quote is taken directly from the classic (not comedy) movie The Treasure of the Sierra Madre.  But, that quote is a little bit different (“Badges? We ain’t got no badges! We don’t need no badges!  I don’t have to show you any stinking badges!”).

The exact quote actually appeared first in an episode of the sixties TV comedy show The Monkees (the first episode of Season 2 in 1967, 6 1/2 years before it was used in Blazing Saddles).  Maybe Mel Brooks was a fan of The Monkees?  Stump your friends with that little piece of trivia!

So, what do you think?  Does your organization have policies in place regarding information shared by employees on social media?  Please share any comments you might have or if you’d like to know more about a particular topic.

In The Era of the Data Breach, Pandora’s Box Could be a Flash Drive: eDiscovery Trends

Here’s an interesting pop quiz for you.  Which option would you pick?

You’re waiting for your train. You spot a flash drive on a bench.

Do you:

  1. Pick it up and stick it into a device?
  2. Leave no stone unturned to find the owner, opening text files stored on the drive, clicking on links, and/or sending messages to any email addresses you might find?
  3. Keep your hands off that thing and away from your devices, given that it could be infested with malware?

Believe it or not, in a recent CompTIA study, 17% of people chose options 1 and 2 – hey, free thumb drive! Wonder who lost it…? – and plugged them into their devices.

According to an article in Naked Security (Curious people can’t resist plugging in random flash drives, by Lisa Vaas, and by way of Sharon Nelson’s excellent Ride the Lightning blog), CompTIA recently planted 200 unbranded, rigged drives in four US cities – Chicago, Cleveland, San Francisco and Washington, D.C. – leaving them in high-traffic, public locations to find out how many people would do something risky.  Over one in six did.  And, apparently, the younger you are, the more likely you are to do so: 40% of Millennials are likely to pick up a USB stick found in public, compared with 22% of Gen X and 9% of Baby Boomers.

If you think that’s no big deal, in 2011, Sophos analyzed 50 USB keys bought at a major transit authority’s Lost Property auction, finding that 66% of them – 33 in total – were infected.  So, the risk is high.

CompTIA also commissioned a survey of 1200 full-time workers across the US, finding:

  • 94% regularly connect their laptop or mobile devices to public Wi-Fi networks. Of those, 69% handle work-related data while doing so. This isn’t surprising: past studies have found that most people (incorrectly!) think that Wi-Fi is safe;
  • 38% of employees have used their work passwords for personal use;
  • 36% use their work email address for personal accounts;
  • 63% of employees use their work mobile device for personal activities;
  • 41% of employees don’t know what two-factor authentication (2FA) is;
  • 37% of employees only change their work passwords annually or sporadically; and
  • 45% say they don’t receive any form of cybersecurity training at work.

Perhaps more training will improve these numbers, though; you would think not plugging in an unknown flash drive into your device would be common sense.  Apparently, not for everybody.

So, what do you think?  Do you have any of the above habits that leave your data vulnerable?  Please share any comments you might have or if you’d like to know more about a particular topic.

It Was Only a Matter of Time Before The Sedona Conference Weighed in on Privacy and Security: eDiscovery Best Practices

When we started this blog over five years ago, privacy and security wasn’t the big topic it is today.  Now, there seems to be a story about a data breach practically every day and privacy is a big issue, especially internationally.  Thankfully, The Sedona Conference® has created a guide to help with this growing issue.

The Sedona Conference Working Group on Electronic Document Retention and Production (WG1) has just rolled out the final release of its new Commentary on Privacy and Information Security: Principles and Guidelines for Lawyers, Law Firms, and Other Legal Service Providers.  As the name implies, it’s a guide for all of us!  I say “final release” because they already rolled out the public comment version back in July and this new guide reflects changes resulting from comments received.  The original public comment version of the Commentary was published in July after more than two years of dialogue, review, and revision, including discussion at several working group meetings.

The Commentary is divided into several sections, including:

  • Section I: A brief Introduction and statement of Principles;
  • Section II: Identifies some of the major sources of a provider’s duty to protect private and confidential information;
  • Section III: Describes a process by which legal service providers may conduct thorough security risk assessments, taking into account the information they possess, the vulnerability of that information to unauthorized disclosures, breaches, loss, or theft, and the way in which each provider may mitigate those threats by adopting a structured or layered approach to protect private and confidential information; and
  • Section IV: Delves into various policies and practices that can address privacy and information security, setting forth processes that can be scaled to the needs and circumstances of an individual legal service provider.

The guide also includes appendices that discuss privacy and security in the Health Care and Financial Services industries.

Of course, the heart of any Sedona Conference guide is its principles – here are the seven principles stated in this guide:

  • Principle 1: Legal service providers should develop and maintain appropriate knowledge of applicable legal authority including statutes, regulations, rules, and contractual obligations in order to identify, protect, and secure private and confidential information.
  • Principle 2: Legal service providers should periodically conduct a risk assessment of information within their possession, custody, or control that considers its sensitivity, vulnerability, and the harm that would result from its loss or disclosure.
  • Principle 3: After completing a risk assessment, legal service providers should develop and implement reasonable and appropriate policies and practices to mitigate the risks identified in the risk assessment.
  • Principle 4: Legal service providers’ policies and practices should address privacy and security in reasonably foreseeable circumstances, and reasonably anticipate the possibility of an unauthorized disclosure, breach, loss, or theft of private or confidential information.
  • Principle 5: Legal service providers’ privacy and information security policies and practices should apply to, and include, regular training for their officers, managers, employees, and relevant contractors.
  • Principle 6: Legal service providers should monitor their practices for compliance with privacy and security policies.
  • Principle 7: Legal service providers should periodically reassess risks and update their privacy and information security policies and practices to address changing circumstances.

Hopefully, these principles will influence providers of legal services to improve their own privacy and security practices.  The PDF guide can be downloaded here and, as always, it’s free!

So, what do you think?  Do you plan to adopt these principles and guidelines for managing security and privacy within your organization?  Please share any comments you might have or if you’d like to know more about a particular topic.

One in Three Companies Lacks an Information Security Policy, According to New Study: eDiscovery Trends

According to a new cybersecurity study, despite improvement in several areas, one in three companies still lacks policies for information security, data encryption and data classification.

As discussed in Inside Counsel (Majority of companies lack policies for info security), Protiviti, a global consulting firm which has served over 60 percent of Fortune 1000 and 35 percent of Fortune Global 500 companies, has just released its 2015 IT Security and Privacy Survey, which aims to address whether organizations’ efforts are translating into effective policies to secure the “crown jewels” of organizations.

The survey, which gathered insights from 708 Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, IT VPs and directors and other IT management professionals, assesses security and privacy policies, data governance, data retention and storage, data destruction policies, and third-party vendors and access, among other topics.  48 percent of respondents work for organizations mainly in North America with $1 billion or more in revenue.

Other key findings:

  • Only 28% of respondents indicated that their board of directors had a high engagement and level of understanding with respect to information security risks, down from 30% in 2014 and only slightly higher than “don’t know” respondents at 25%;
  • Only 66% of companies had a written information security policy (WISP) and slightly more than half of responding companies (55%) had a social media policy;
  • Despite considerable recent press coverage of cybersecurity and data breaches, only 23% of respondents indicated significantly more interest and focus on information security, down from 32% last year;
  • For those companies where the respondents did indicate a high engagement with respect to information security risks, they indicated a reasonably high level of confidence (0 on a scale of 1-10) in their organization to monitor, detect and escalate potential security incidents by a well-funded attacker (as opposed to 6.5 for those companies without high board engagement in information security).

This is just a sampling of some of the key findings.  Like last week’s survey that we covered on eDiscovery, this survey report is free!  The full survey is available here with a handy-dandy one-page infographic of the survey results also available here.

So, what do you think?  Do any of these results surprise you?  Please share any comments you might have or if you’d like to know more about a particular topic.


This Study Says Two-Thirds of Law Firms Still Have No Staff Devoted to Information Security: eDiscovery Trends

Not surprisingly, a major “hot” topic at ILTACON earlier this month was cybersecurity.  Stories about data hacks are abundant, with recent notable hacks including this one and this one, and you may not even know if the law firm holding your data has ever suffered a breach.  A new study, introduced at ILTACON earlier this month, aims to shed light on security assessment practices of legal organizations in North America.

The 2015 Study of the Legal Industry’s Information Security Assessment Practices was developed by Digital Defense Inc. (DDI), in collaboration with ILTA’s LegalSEC Steering Committee.  It aims to help law firms evaluate their individual information security practices, as well as to examine the state of security in the legal profession as a whole.

There were over 150 participants in the study, with Chief Information Officers and IT Managers collectively accounting for 63% of those participants.  Of the firms that participated, 83% identified the top area of practice as Litigation, followed closely by Corporate, Labor & Employment, and Real Estate, all over 70%.

Some key findings of the report include:

  • 66% of organizations surveyed have no staff devoted to Information Security;
  • Employee Negligence and Phishing/Vishing Attacks rank as the highest information security concerns within firms;
  • Many organizations are performing services to combat employee negligence, with 78% performing Information Security training for employees;
  • Approximately 70% of respondents conduct Vulnerability Scanning assessments and Penetration tests, a significant increase (15-20%) from 2014;
  • However, 63% of respondents do not have a Vendor Management Evaluation process in place.

The 24-page study includes: 1) a breakdown of participants (in terms of title, practice areas, firm size and geographic representation), 2) information on firms’ information security programs (including strategy, budget allocations and resource management), 3) information security concerns and products/services used to address those concerns, 4) information security standards, policies and training programs and even 5) a glossary of terms (do you know what “vishing” is?  I didn’t).

You can download a free copy of the study here.  For more information about ILTA’s LegalSEC initiative, click here.

So, what do you think?  Are you surprised by any of the study results?  Please share any comments you might have or if you’d like to know more about a particular topic.


NIST Issues Draft Guide for “Securing Electronic Health Records on Mobile Devices”: eDiscovery Trends

As we’ve discussed previously, stolen health records are worth a lot on the black market, and that was underscored when health insurance provider Anthem announced in early February that it had suffered what appears to be the largest breach ever in the health insurance industry, affecting about 80 million people.  Now, the National Institute of Standards and Technology (NIST) has released a draft guide that might help, at least with regard to securing electronic health records on mobile devices.

On July 23, the National Cybersecurity Center of Excellence (NCCoE), a division of NIST, released a draft of its first cybersecurity practice guide – Special Publication 1800-1: “Securing Electronic Health Records on Mobile Devices”, designed for health IT professionals to use to bolster security for the use of mobile devices in the health care industry.  As discussed in the press release issued by NIST, “Medical identity theft already costs billions of dollars each year, and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment or incorrect prescriptions.  Yet, the use of mobile devices to store, access and transmit electronic health care records is outpacing the privacy and security protections on those devices.”

The draft guide was developed by industry and academic cybersecurity experts, with the input of health care providers who first identified the challenge. The center then invited technology providers with relevant commercial products to partner with NIST through cooperative research and development agreements and collected public feedback at multiple steps along the way.

The draft guide is comprised of five sections, as follows:

Each section is downloadable separately as a PDF, or you can download a .zip file of all volumes (4.82 MB), plus manifest and template files referred to in SP 1800-1c, from this page.

The comment period will run through September 25.  You can submit comments on the guide through the form on this page or download the spreadsheet template from that page to collect feedback and email the worksheet to HIT_NCCoE@nist.gov.

As I discussed on Monday, potential data breaches can still happen the old-fashioned way, via stolen mobile devices.  I was glad my laptop was encrypted when it was stolen last year.  Hopefully, this new guide from NIST can help medical professionals to secure their mobile devices and protect against data breaches on those devices.

So, what do you think?  Do you think this new guide will reduce the number of data breaches within the medical profession?  Please share any comments you might have or if you’d like to know more about a particular topic.
