Do You Know Where Your Data Is?

Discovery requires taking sensitive and privileged data out of the systems where it normally lives, consolidating it into one place, and turning it over to a vendor — which leaves many legal professionals wringing their hands about security. You want to feel that your vendor cares as much about the security of your data as you do. 

All too often, a corporation’s data spans processing engines, analytics suites, service providers, software providers, and an internal document management system with each of your outside counsel. This stitched-together, shaky conglomeration (“affectionately” known as the Frankenstack) makes trying to figure out where your corporation’s data is and who has access to it more complicated than tracing a bank transaction in a bad ‘90s action movie.

Let’s break that down a little more.

“Clear and Present Danger”

Corporations rarely rely on a single law firm for all their disputes, and most law firms work with multiple legal technology vendors. Even if a corporation has direct relationships with discovery vendors, they often have a panel of multiple vendors running different software and varying storage solutions. 

At any given time, this means a corporation could have data at half a dozen law firms and twice as many legal technology vendors and “subcontractors” who in some way touch their data. If you factor in the combination of internal on-prem and cloud solutions with the litany of third-party solution providers and their own versions of Frankenstack, you are left with a problem of truly monstrous proportions. 

How secure is the redaction tool that uses an API to port into the ediscovery vendor your law firm has picked? When did your law firm last update the security around their document management system? 

With over 100 law firms reporting data breaches in 2019, it’s critical for in-house teams to evaluate whether or not to pass information through their law firm for discovery purposes, as well as the number and types of vendor relationships they’re willing to work with for security purposes.

“Mission Impossible” data security challenge with the status quo vendor relationship 

The status quo of having multiple vendor relationships (or letting outside counsel control vendor relationships) means tracking where data lives and who has access to it, and ensuring it’s securely stored. This can cause pain points from annoying multiple logins to integration nightmares.

In fact, each disparate part stitched together into your tech stack (early case assessment tools, processing and analytics platforms, redaction tools, etc.) amplifies your organization’s potential risk — not to mention wastes time and creates a lack of transparency regarding program optimization.

How does all this make it challenging to maintain data security and traceability? Glad you asked. 

  1. Data on the move (shifting between systems) is a major risk for both data security and integrity. You have no idea if the systems integrate well with one another or what happens to the data between each as data moves in and out (risking your data integrity). Each system requires its own upkeep and timely patching to mitigate the risk of a breach. 
    But what about “cloud” technology providers? Don’t they mitigate these risks? Not so much. Many “cloud-based technologies” operate through similarly complex stacks of integrated technologies — using virtual machines with disparate software solutions in a virtual environment. As a result, the same scaling, interoperability, and cross-compatibility issues remain. 
    For some context, according to a 2019 survey of 340 information security professionals, 27% of organizations worldwide and 34% in Europe reported that they had been breached because of unpatched vulnerabilities (to the tune of $3.86 million per breach).
  2. Each organization involved in your technology stack likely has its own integrations and technology stacks. This means you likely can’t see, let alone report, who has access to your users’ information or how long it’s going to be stored. Under the GDPR and newer regulations in various states, corporations have an obligation to provide reports to those from whom they collect data regarding who the company has shared information with, how long the data will be retained, and more. The penalties for failing to comply with those obligations can be severe.
  3. As time passes and technology ages, you’re not only dealing with the attrition of those in the know on how to run these platforms, you’re also facing the increasing age of the infrastructure your data lives on.
    How many law firms have the budget or knowledge to migrate their data to the most up-to-date hardware every few years? Do they even know how old their shared drive, intranet, or document management system is? As hardware ages or software stops being supported, the risk of system or hardware failure increases. This is amplified if and when a component of a vendor’s tech stack reduces its support of a specific tool or if the solution is sold off as part of an M&A action (think Adobe sunsetting Java). 
    Likewise, hardware has a set time of effectiveness, and as you reach the terminal point, organizations must decide whether to invest in new hardware to host legacy data in a legacy platform in lieu of investing in newer cutting-edge solutions. The cost might simply outweigh the benefit for many companies — to your detriment.

Ultimately, each system your data passes through makes it harder to comply with privacy regulations and increases the risk of a data breach incident. 

It’s “Independence Day”

There are ways to free your legal team from the worry and risk associated with layered vendor relationships and the need for data to pass through many hands in order to handle your disputes. DISCO offers an integrated technology stack in which the components are purpose-built to work together in a cloud-optimized way — eliminating the need to send data to your outside counsel or multiple vendors, giving your company full insight and control. 

Here are just a few of the ways DISCO’s integrated platform at your control can increase security and make privacy regulation compliance that much simpler:

Single-source: Eliminate the need for data to pass through many hands and many pieces of software throughout your matter. With DISCO’s data management suite, your legal department or IT team can load data directly into DISCO and then provide access to your outside counsel for review. From there, DISCO automatically begins a processing and analytics workflow (including de-duplication, email threading, and creating family relationships) that gives you and your outside counsel workable data all from within a single, secure platform.

The DISCO data management suite gives you all the control you are used to with on-prem solutions in a single, cloud-native platform at blazing fast speeds. 

Secure (while still cutting-edge): Moving to an integrated and cloud-optimized approach like DISCO means that maintenance of each component no longer falls on your already-spread-thin IT team, and your entire discovery solution is safer from a data integrity and cybersecurity standpoint. Seamless interoperability between the component parts and true integration reduces the exposure of data on the move — one of the most vulnerable points in the data life cycle. 

At the same time, operating in an integrated platform means timely updates run by the DISCO team as they are released, instead of waiting weeks or months for IT to install them. This ensures you are constantly using the best and most efficient version of DISCO while minimizing the exposure to cyber-breaches.

We are also able to take full advantage of the stringent security provided by Amazon Web Services (AWS) — one of the world’s leading technology companies, whose primary value proposition is centered around security. Above and beyond the security provided by AWS, DISCO has strict internal security controls and policies in place, validated by industry-leading third-party certifications, that further protect our clients’ data. 

Powered by the most advanced cloud platform and infrastructure available to ensure security and stability, DISCO is built for the discovery challenges of today and beyond in two specific ways.

First, DISCO provides insight and control. Removing the need to send data to outside counsel, ediscovery vendors, or service providers makes it easier (and reportable) to trace where your data lives and who has access to it. This not only makes compliance with privacy regulations easier, but it also provides your team with insight into the users accessing your data, the workflows employed, and ultimately makes analyzing and optimizing efficiencies in the discovery process possible. 

Furthermore, DISCO moves fast. Because we innovate at the pace of the industry, you do not need to budget for additional hardware or software. You get a more nimble ediscovery program that adapts as the market does.

It’s not as hard to escape “The Matrix” as you might think

Take advantage of the benefits of integrated cloud-optimized solutions to mitigate the painful challenges of a piecemeal approach to ediscovery. There is a much better option for creating an ediscovery ecosystem. 

Learn more about how DISCO can help mitigate risk and empower your team to take control of your discovery. 

Caitlin Ward

Caitlin Ward is a product marketing manager at DISCO. She has more than a decade of experience leading ediscovery initiatives and advocating for the adoption of legal tech as an attorney. Since joining DISCO, she focuses on helping lawyers innovate to overcome their ediscovery and case management challenges.