Legal Tech: Cloud and Security Considerations for e-Discovery

Vendors who routinely deal in the storage of sensitive information have invested significant money and resources in security. Major cloud-based e-discovery solutions such as RelativityOne are built on the Microsoft Azure cloud or comparable cloud servers. Most corporations now require some form (or multiple forms) of security certifications such as SSAE 16, certain HIPAA requirements, as well as ISO, to name a few. These certifications can cost organizations tens of thousands of dollars per year to obtain and maintain.

Cloud providers like Microsoft and Amazon spend over $1 billion a year on security research and development and have huge teams dedicated to ensuring network security. Even the most security-focused law firm can't hope to meet that level of investment. When you opt for cloud-based e-discovery solutions, you get to take full advantage of that advanced security without having to invest in it yourself.

One of the hot-button topics regarding public cloud services is how the service provider can access the raw data. Larger corporate clients need assurances that their data is safe and private, even from the company that is hosting the files, the databases and the user credentials. For example, in the Microsoft cloud, a technology called Customer Lockbox is used, which gives the client complete control over whether a support engineer can ever touch its data. RelativityOne has a similar lockbox, as well as granular permissions that allow the customer to not only say that support can access the environment, but what, specifically they are allowed to access.

Beyond the compliance and customer lockbox issues, it is also important to understand the granular parts of the cloud solution. This is not just a question of access vs. non-access. What is the management platform that your network and security administration staff will have access to so they are able to define specific rules and controls and define the needs for access? Are there predefined roles in the system that you have no control over, or can you decide per screen, per field, per checkbox in the application what a user can get to? Not only should your solution have the ability to make these changes, but also the ability to audit these changes, especially in the event of some type of breach.

Security in cloud-based applications, although it can be enhanced, still does not entirely take the place of an overall security strategy. Even if all the data in the cloud or in your application is secure, if users are able to download or retrieve information out of the cloud, your on-premises or overall security strategy needs to account for this. If the cloud is locked down sufficiently and controls are in place but the application allows you to download to locations that aren't secure and encrypted, the data is no more secure than if it lived in the on-premises environment. Therefore the functions of the application and how data is made available for use need to be analyzed and sufficiently tailored to your compliance requirements just like when you weren't in the cloud.

A question that comes up often in corporate security RFPs is “When and where is your data encrypted?” The only acceptable answer is everywhere. For a cloud solution to be considered a valid option, data should be encrypted at rest, in transit and at every endpoint. This should be a typical question whenever you are considering any type of cloud solution, but especially an e-discovery cloud solution.

Scalability

One of the greatest advantages that cloud-based storage has over on-premises storage is scalability. When you use on-premises storage, you must have a fairly good sense in advance of how much storage you will need — not just now, but in the long run. If you run out of storage, you have to scramble to add more servers. Perhaps worse, though, is if you overestimate how much storage you'll need. In those situations, you're stuck paying a lot of money for storage you aren't actually using.

Cloud-based storage, on the other hand, is infinitely flexible. When you use a cloud-based e-discovery system from a SaaS vendor, the vendor's entire system is at your disposal. When you need more storage or processing power, you simply increase your subscription plan and pay a little more. If your project shrinks unexpectedly, you can scale back to just the amount of storage you need, saving money in the process by no longer paying for unused storage.

Accessibility

Like almost everything else in the digital era, the legal profession has become mobile. Lawyers no longer do all their work from their offices — they expect to work wherever they are, whenever something needs to get done. Because they depend on the firm's internal security measures, on-premises e-discovery systems often can only be accessed at the office or through specific remote access protocols. The story is very different for cloud-based systems. When e-discovery is hosted in the cloud, employees can access it anywhere, and on any device, as long as they have an Internet connection. In addition to making things more convenient for employees, this also makes it much easier to coordinate geographically dispersed review teams.

Cloud-based systems also tend to be less susceptible to interruptions caused by power outages or natural disasters because they have a more robust and less centralized backup system. SaaS vendors can manage necessary system upgrades and updates in a way that minimizes disruption to your project as well. On-premises interruptions are much more difficult to control.

Many cloud-based systems also have mobile apps that allow users to collaborate in the cloud, review documents in the cloud and manage their application from their iPad or tablet. The ability to make a responsive call on a document, shift resources around or simply catch up on the status of a project from the comfort of your couch and your mobile device can give any user the type of accessibility needed to stay productive.

Cost

At the end of the day, many technology decisions at law firms come down to a question of cost. Spending for on-premises vs. cloud-based e-discovery software differs greatly. Conducting e-discovery with on-premises solutions requires a much larger capital investment upfront in crucial hardware like servers and backup drives, as well as IT staff to support and maintain the system. Investing in the on-premises infrastructure necessary to securely store e-discovery data is an ongoing expense and not an insignificant one. It often requires IT buy-in for purchase and support, but even in today's world, many IT departments still do not understand the advanced hardware requirements for e-discovery. Many IT departments still operate their e-discovery infrastructure on the same oversubscribed hardware used for regular infrastructure, causing performance issues that are only seen by the IT departments.

In contrast, most cloud-based e-discovery solutions are provided on a software as a service basis with a monthly subscription. The SaaS provider makes the initial investment in systems, servers and IT staff. As the subscriber, the law firm takes advantage of that infrastructure already in place, simply paying for necessary services as they are used. Subscription-based services allow firms to stay competitive with the most cutting-edge technology, but without the often prohibitive investment of capital.

The Takeaway

While most of the considerations outlined above point to a likely industrywide shift toward cloud-based e-discovery, each firm still needs to consider its own specific circumstances before proceeding with a given project. If your firm is one of the few that has already significantly invested in on-premises servers, security and support staff, in-house e-discovery solutions might continue to be the right answer for the time being. As compliance and new regulations continue to mount, however, you may find that keeping all of it secure can easily double or triple your costs through not only employing the various security measures, but paying for audits as well.

There's a good reason more and more firms are making the move to the cloud. Between reduced investment in infrastructure, enhanced security and increased scalability and accessibility, cloud-based storage solutions offer benefits over traditional on-premises e-discovery solutions that might just be too good to pass up. So, if you are like many firms or corporations and have not made the necessary investment for on-premises solutions or are looking to cut expenses in these areas, you should strongly consider making the switch to cloud-based e-discovery. Just because you've always done your e-discovery in-house in the past, that doesn't mean you have to continue down that path in the future.

*****

Stephen Ehrlich is the CIO at The MCS Group. With over 20 years of experience in the area of information technology, he oversees all technology operations for MCS.