Lawyers could sit around the campfire for weeks, telling horror stories of confidential documents that got loose during discovery—everything from sensitive personal information leaked during document dumps to privileged communications that never got flagged and to entire productions just disappearing in transit.
Those scary stories to tell in the dark have human error or ignorance as their main monsters, but some villains are scarier, like the ever increasing number of hackers and cyber criminalswho are actively targeting attorneys as one-stop shops for incredibly sensitive information.
Mea culpas and clawback orders can follow inadvertent disclosures, but we also know there’s no way to take the cream out of the coffee, so to speak. (Or “put the toothpaste back in the tube.” Or “unring that bell,” if you prefer. You get the idea.)
When that data has been stolen by a hacker or made available by a data breach—well, there’s little chance of ever “clawing it back.”
The amount and sensitivity of data changing hands during discovery should have every producing party and esq. a little jittery when hitting send on a discovery disclosure. And that’s where protective orders come in. Here’s how they work, how to get one, and how to make sure it’s enforced.
Protective Orders 101
Federal Rule of Civil Procedure 26(c) allows parties to request a protective order to prevent “annoyance, embarrassment, oppression, or undue burden or expense.”
Such orders can be used to specify the terms (including time and place or the allocation of expenses) for the disclosures, prescribe discovery methods, and limit those who may be present while the discovery review is conducted.
A party or any person from whom discovery is sought may move for a protective order in the court where the action is pending... The court may, for good cause, issue an order to protect a party or person from annoyance, embarrassment, oppression, or undue burden or expense…
-FRCP Rule 26(c)
These orders typically cover the treatment of confidential and highly-confidential documents—how those documents are designated, who can access them, and how to challenge such designations—but their use isn’t limited to confidentiality. Protective orders can also provide important data- and cybersecurity protections as well.
Why Data Security Matters in eDiscovery
The first step to obtaining an adequate protective order is understanding the risk. Data is most at risk when it’s on the move, and eDiscovery by its very nature is the movement of incredible amounts of data from one party to another, often via multiple intermediaries.
Discovery repositories are particularly ripe targets for hackers. After all, these contain not only information worth litigating over, but also information that has already been culled of the junk. That’s why some experts posit that hackers are already targeting not just law firms, but the discovery process in particular.
Attorneys and firms must make “reasonable efforts to prevent the inadvertent or unauthorized disclosure” of client data, and must understand “benefits and risks associated with relevant technology.” And when law firms are dealing with everything from trade secrets and personal information to information deemed confidential under various statutes and regulations (to say nothing of their own internal client and firm data), the risk of inadvertent disclosures or hacks becomes all the more apparent.
Protective orders can act as important controls on how data will be transferred and accessed, if it is to be disclosed. Think of it this way: a protective order can keep you from having to transport loads of cash (your data) from one bank (or party) to another; and it can also make sure you’re transporting it in a Brinks truck with armed guards, rather than in the back of a pickup truck driven by your least reliable buddy.
Think of it this way: a protective order can keep you from having to transport loads of cash (your data) from one bank (or party) to another; and it can also make sure you’re transporting it in a Brinks truck with armed guards, rather than in the back of a pickup truck driven by your least reliable buddy.
An effective eDiscovery protective order can create access controls, including password protection, viewing restrictions, and encryption for data and documents subject to disclosure, as well as create the rules for data retention, destruction, or return. Perhaps most importantly, protective orders can even limit vendor and other third party access to and treatment of eDiscovery data.
So, what should your protective order contain? The exact contours of an order will depend on the specifics of your matter and data, but some key considerations include:
- Access controls
- Response and reporting procedures in case of a breach
- Retention and destruction policies
- Compliance with information-protection laws such as HIPAA
- Compliance with industry standards (ISO, NIST, SOC, etc.)
- Application to vendors and other third parties
Keeping Cybersecurity in Mind During the Meet and Confer
You know you need a protective order. Now how do go about getting one? In federal litigation, FRCP 26(f) is probably going to require you to conference with opposing counsel to identify an eDiscovery issues and create a discovery plan. (Your state courts may have similar requirements.) This is a great opportunity to understand your opponent’s level of sophistication and commitment when it comes to cybersecurity and data protection during the discovery process. You’ll also have the chance to advocate for a discovery plan the provides the most protection for your client’s data.
Come prepared to discuss data protection strategies, including robust security and privacy policies, response and reporting policies, and encryption during data transit and rest. Keep in mind any additional parties and counsel in complex litigation, as well as any and all outside vendors that will be employed in the collection, preparation, and production of documents and data. And come to the discovery conference with a proposed protective order in hand.
The Key to eDiscovery Cybersecurity Controls: Reasonableness
But just having a model protective order doesn’t mean it will be accepted or enforced. After all, even the best procedures in the world are meaningless if they’re not followed. As eDiscovery expert and consultant Craig Ball notes, “Requesting parties will sign these orders because—let’s be frank—requesting parties will agree to almost anything if they believe it will get them “the smoking gun.” But that information will then be treated as it always is: insecurely. How can you avoid that outcome?
The key to a proper cybersecurity approach in eDiscovery is to seek reasonable data protections, which take into account the sophistication of the parties, the types of information and data at issue, and the consequences if something goes wrong. Reasonable protective requests are much more likely to be accepted by both opposing counsel and the court as an initial matter, and to be complied with later down the road.
Considering the amount of data at play in modern litigation, and the cybersecurity risks that come with accessing, processing, and transferring that data, it’s hard to imagine not having a protective order in place to ensure that data is not leaked or hacked.
Click here to learn how Logikcull protects your data during the discovery process.