Countering insider threats in eDiscovery

Electronic discovery (eDiscovery) is a process that involves identifying, collecting, analysing, reviewing and releasing information that is often confidential information or even crucial to the operation of your organisation.

Data derived for eDiscovery, whether for litigation or regulatory compliance, is unique in that it contains specific information requested by another entity (such as a court or regulator) to resolve a legal matter.

Because the uncontrolled disclosure of this information can be particularly damaging, it requires a focused set of process controls to prevent unauthorised insiders from accessing and deliberately or inadvertently releasing it.

Due to the sensitive nature of the electronically stored information (ESI) involved in eDiscovery, you need to ensure its safety and avoid it being lost or falling into the wrong hands. Implementing the following steps can help.

Vet your personnel

According to a recent survey of corporate security officials sponsored by Nuix, 93 per cent of respondents claim human behaviour is the biggest threat to their organisation’s security.

Organisations should scrutinise employees and business partners at regular intervals to make sure they can trust the people who have access to the company’s critical value data. This entails running background checks, which may include previous employers, references, criminal records and credit checks, and verifying professional licences, certifications, and degrees or accreditations.

It is equally important to define the key stakeholders who will take part in the eDiscovery process, clearly defining each individual’s roles and responsibilities. This assigns accountability and establishes a baseline for determining when someone is attempting to operate out of scope.

Educate employees on insider threats

Establishing and enforcing an insider threat awareness training programme for employees and business partners will promote an organisational culture that is less likely to allow insider threat activities to go unnoticed. This programme should explain:

  • Which activities are acceptable and prohibited while using the organisation’s assets and infrastructure
  • What duty employees have to report violations of organisational policy
  • What rights the organisation has to monitor and collect any information or activity that occurs on its computing assets and network infrastructure.

Your organisation should update and reinforce this information through mandatory annual awareness training for all employees. You should also provide specific training for eDiscovery personnel on the potential vulnerabilities during the discovery lifecycle to ensure they properly handle ESI and understand the risks of unwanted disclosure.

Map your environment

Knowing where data is stored will help you identify and secure all locations that contain or provide access to ESI, define the data owners and enforce their accountability to control data access and integrity. Therefore, the first step in securing critical value data is creating an overview of the organisation’s computing environment, outlining where your information ‘crown jewels’ are stored. This could be on workstations, email servers, file shares, collaboration systems, portable storage, or mobile devices.

Secure your data collections

The preservation and collection stages of eDiscovery place data at significant risk. As a result, this process must be executed by vetted individuals, use forensically sound methodologies and be fully documented to provide continuity and accountability.

Once you have properly collected, documented, and accounted for the targeted data, you should store it in a dedicated, secure data repository. You should then limit and monitor access to the data, and ensure that the hardware, software, and operating systems that comprise the secured repository are updated and patched regularly to decrease vulnerabilities. If you don’t need to disclose critical value data in a particular matter, don’t collect it in the first place.

Implement access controls

A pragmatic approach to limiting access to ESI reduces the risk of insider threats. You can implement this by establishing permissions based on roles, job functions and the sensitivity of the information. You can also put in place enterprise-wide technical controls, such as disabling portable storage devices for people in certain job roles, and physical controls, such as security access cards for entry to the areas of the organisation where you keep eDiscovery-related ESI.
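To make the preceding two sections concrete, here is an added Python model of a dedicated evidence repository. It is example code written for this page, not code from the article or from Nuix. It hashes each collected item into a chain-of-custody manifest (the documentation that gives collection continuity and accountability), enforces role-based permissions on ingest, read and verify actions, records every access attempt in an audit trail so that out-of-scope attempts are visible, and re-verifies the stored copies against the manifest. The role names, user names, matter identifier and sample file content are all constructed for the demonstration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical role model for one matter: which actions each role may perform.
ROLE_PERMISSIONS = {
    "collector": {"ingest", "read"},
    "reviewer": {"read"},
    "auditor": {"verify"},
}


def sha256_bytes(data: bytes) -> str:
    """Content hash recorded in the manifest and recomputed on verification."""
    return hashlib.sha256(data).hexdigest()


class EvidenceRepository:
    """Dedicated repository: hashed copies, a manifest, and an audit trail."""

    def __init__(self, root: Path, assignments: dict):
        self.root = root
        self.assignments = assignments  # user -> role (the defined stakeholders)
        self.manifest = {}              # stored path -> chain-of-custody record
        self.audit = []                 # every access attempt, allowed or denied

    def _authorise(self, user: str, action: str, item: str) -> bool:
        """Decide by role and log the attempt whether or not it is allowed."""
        role = self.assignments.get(user)
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "item": item, "allowed": allowed,
        })
        return allowed

    def ingest(self, user: str, source: Path, matter_id: str) -> str:
        """Copy an item into the repository and record who collected it and when."""
        if not self._authorise(user, "ingest", source.name):
            raise PermissionError(f"{user} may not ingest {source.name}")
        data = source.read_bytes()
        dest = self.root / matter_id / source.name
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        self.manifest[str(dest)] = {
            "sha256": sha256_bytes(data),
            "original": str(source),
            "collected_by": user,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        }
        return self.manifest[str(dest)]["sha256"]

    def read(self, user: str, stored: str) -> bytes:
        if not self._authorise(user, "read", stored):
            raise PermissionError(f"{user} may not read {stored}")
        return Path(stored).read_bytes()

    def verify(self, user: str) -> dict:
        """Recompute every hash and report which copies still match the manifest."""
        if not self._authorise(user, "verify", "*"):
            raise PermissionError(f"{user} may not verify the repository")
        return {
            path: sha256_bytes(Path(path).read_bytes()) == rec["sha256"]
            for path, rec in self.manifest.items()
        }

    def out_of_scope_attempts(self) -> list:
        """Audit entries where someone tried to act outside their defined role."""
        return [entry for entry in self.audit if not entry["allowed"]]


def demo() -> dict:
    """Run a constructed scenario in a temporary directory and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "custodian_mailbox.pst"  # constructed sample, not a real PST
        source.write_bytes(b"constructed sample content, not a real PST")
        repo = EvidenceRepository(
            tmp / "repository",
            {"alice": "collector", "bob": "reviewer", "carol": "auditor"},
        )
        digest = repo.ingest("alice", source, "MATTER-0001")  # constructed matter id
        stored = next(iter(repo.manifest))
        # The reviewer may read the copy but may not add material to the collection.
        bob_read_ok = repo.read("bob", stored) == source.read_bytes()
        try:
            repo.ingest("bob", source, "MATTER-0001")
            bob_ingest_blocked = False
        except PermissionError:
            bob_ingest_blocked = True
        clean = repo.verify("carol")
        # Simulate an undocumented change to the stored copy, then re-verify.
        Path(stored).write_bytes(b"altered")
        tampered = repo.verify("carol")
        return {
            "digest": digest,
            "bob_read_ok": bob_read_ok,
            "bob_ingest_blocked": bob_ingest_blocked,
            "verified_clean": all(clean.values()),
            "verified_after_tamper": all(tampered.values()),
            "out_of_scope": len(repo.out_of_scope_attempts()),
        }


if __name__ == "__main__":
    print(demo())
```

The design point is that authorisation and logging are inseparable: `_authorise` writes an audit entry before returning its decision, so a denied attempt by a vetted user acting outside their defined role is recorded rather than silently refused, and the manifest makes any later change to a stored copy detectable on verification.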

Limit exposure during the discovery process

The discovery process involves numerous phases of establishing the facts of the collected data and reducing the volume to relevant data sets. This process typically requires carefully honed criteria, filters and analytics such as keywords, date ranges and file types.

If the work product of developing these criteria or culled findings were disclosed or accessed, this would give opposing counsel a significant advantage. Thus it is important to carefully handle the documentation behind your processing efforts to mitigate the insider threat as well as to maintain accountability. You should make sure to retain copies of image files and the original evidence in a secure central repository, and treat all copies of ESI the same way you would original evidence.

Know your electronically stored information

An important aspect of ESI commonly overlooked by an organisation when considering insider threats is the ‘sum of parts’. Organisations typically evaluate the sensitivity of ESI based upon its current contents, state and location on the network.

It is not uncommon for low-value ESI, when combined with other low-value information, to result in critical value data. However, because of its relatively low value, such ESI is typically given less attention, is less well secured, has fewer access restrictions, and is scrutinised less closely. For these reasons, seemingly low-value ESI is a common target of malicious insiders. You will need considerable ability and foresight to identify and appropriately safeguard information that presents this risk.

It is every organisation’s responsibility to operate with due diligence and safeguard all critical value data with which it has been entrusted. The discovery process by its nature involves searching and compiling data that is sensitive and important. As such, you must protect it diligently. But no single technical solution or policy will result in a successful defence.

Instead, creating a holistic approach to potential insider threats, before and during the discovery process, can ensure that data collected remains secure and ready to support the organisation’s legal requirements.

Michael Chance, Director, Business Threat Intelligence and Analysis, Nuix
