As the number of cybersecurity breaches continues to rise, The New York Times is reporting that major corporations are requiring their law firms to increase security and then prove they did so.
Aditi Mukherji on FindLaw’s Free Enterprise suggests that small business owners should consider adopting this same tactic, especially with vendors. Mukherji reminds everyone that the Target hackers breached the chain's security systems by using electronic credentials stolen from a vendor, adding that such breaches also put the company and owner at risk for legal liability.
Requiring a vendor to show proof of cybersecurity is one way to hold the vendor accountable, says Mukherji, as well as ensuring reliability and consistency in overall online security efforts.
Here are some practices Mukherji says must be addressed immediately:
Distribution: Be sure the vendor isn’t putting sensitive files on portable thumb drives or emailing documents to unsecure iPads.
Networks: Find out if vendor computers are linked to a shared network in countries like China or Russia, where hacking is prevalent.
Access: Determine how many people have access to sensitive information; the greater the number, the bigger the risk.
Proof of vendor cybersecurity should be one facet of a larger security plan that extends to other business relations, Mukherji advises.
E-discovery is one of the most controversial tasks in civil litigation today. As the amount of electronically stored information has skyrocketed, smart plaintiffs are seeking to require corporate defendants to preserve, search and produce every bit of data that is reasonably calculated to lead to the discovery of admissible evidence. And if corporate defendants fail to do so, plaintiffs stand ready to prosecute sanction motions that can reach hundreds of thousands of dollars.
The growth of ESI, together with plaintiffs’ growing sophistication in aggressively seeking e-discovery and courts’ willingness to sanction non-complying defendants, has put pressure on corporate defendants to preserve and produce electronic data. Estimates suggest that discovery now accounts for up to 50 percent of total litigation costs.
Corporate defendants should be on the lookout for ways to reduce the risks and burdens of e-discovery obligations and lower e-discovery costs. To address the issues, corporations have focused on reducing the amount of electronic data generated, using specialized e-discovery software, and hiring specialized e-discovery vendors—even introducing new legislation to address the issue. These have all proved inadequate.
One of the more recent, and perhaps overlooked, tactics to reduce e-discovery risk is to use contract provisions to address e-discovery issues and establish discovery protocols before litigation ensues. Part I of this article will outline some of the issues facing a corporate defendant considering including such provisions in their contracts. Part II will discuss the enforceability of e-discovery contract provisions.
BENEFITS OF CONTRACTUAL PROVISIONS
Proponents of e-discovery clauses argue that they have the potential to reduce the burdens of e-discovery for not only commercial litigants but also courts. Such clauses could benefit corporate defendants by reducing preservation and production costs. Moreover, contracts will, at least in theory, establish a more predictable discovery framework that reduces the risk that a corporate defendant will take a misstep and face sanctions. Courts will benefit from the greater predictability afforded by contractual provisions, which may result in fewer discovery disputes between the parties. Thus, courts will be able to devote less time to managing discovery matters, which currently take up a large portion of their docket.
Whether the efficiencies imagined by the proponents of contract provisions will ultimately be realized still remains to be seen. While it is certainly true that well-drafted contractual language may afford more predictable e-discovery than the current Federal Rules of Civil Procedure, it is not necessarily the case. As we all know, it is difficult, if not impossible, to draft a litigation-proof contract clause. Corporate defendants relying on these provisions may find themselves fighting just as many—if not more—battles in court but just under a different set of rules. Moreover, despite the parties’ best intentions, if courts ultimately refuse to enforce these provisions (an issue addressed below), corporate defendants risk finding themselves in a much worse position than if they had followed the established law.
CONTRACT PROVISIONS FOR E-DISCOVERY
There are several issues that a corporate defendant should consider addressing in e-discovery contractual provisions. They include:
1. Specify when a party’s duty to preserve evidence begins.
Under the Federal Rules of Civil Procedure and case law interpreting the rules, a litigant’s duty to preserve evidence begins when it reasonably anticipates litigation. This somewhat murky standard has generated confusion and a great deal of litigation. Thus, a corporate defendant may consider including a provision that specifies more precisely when a duty to preserve evidence begins. For example, the parties could agree that there is no obligation to preserve evidence unless and until the other party makes a written request to preserve specified evidence. Or the contract could go further and require the opposing party to specify precisely which types of evidence, such as e-mail, a party must preserve.
2. Specify the types and sources of data to be preserved and searched.
Under the current rules, corporate defendants may be required to search many different types of ESI, including e-mails, Word documents, PDF files, spreadsheets, PowerPoint presentations, audio and video files, text messages and Internet and social media postings. This information can be found in numerous places, including current active systems, archival storage and individual users’ laptops, smartphones or tablets.
There are three different ways that parties can contract to limit the type and sources of data to be preserved. First, the parties can agree to limit the number of custodians. Second, the parties can agree to limit the type of ESI to be searched and produced. For example, the parties can agree not to produce e-mails prior to a certain date or not produce text messages at all. Finally, the agreement can limit the sources to search. For example, the parties can agree not to search for information on data warehousing or archival storage systems as these sources are likely to replicate data found on active systems.
3. Include fee and cost-shifting provisions.
Under the federal rules each party is generally required to pay its own costs of production. To limit those costs, a corporate defendant should consider a provision to shift the costs of searching or producing e-discovery to the opposing party. Alternatively, fees could be shifted to the other party to deter excessive discovery requests or litigation. For example, the parties could agree to shift fees if one party challenges the enforceability of the e-discovery provisions in the contract or seeks to compel greater preservation, collection or production beyond what was specified in the contract.
4. Limit the availability of discovery sanctions.
The fear of discovery sanctions, whether monetary or evidentiary, is what drives much of the burden and cost of e-discovery. Parties should consider including language that would preclude sanction motions so long as a party relied in good faith on the contractual provisions. Other suggestions include limiting sanctions to situations in which one party knowingly and intentionally violated its discovery obligations or acted in bad faith.
To remain on top, companies must anticipate the “next big thing.”
Facebook, which came late to the mobile device craze, appears to be trying to avoid its past mistake with two recent forward-looking acquisitions. According to a Reuters story posted on its website by Alexei Oreskovic and Malathi Nayak, the latest move involves Facebook’s plan to acquire Oculus VR Inc., a maker of virtual reality glasses for gaming, for $2 billion. This comes after its $19 billion deal for messaging service WhatsApp.
Oreskovic and Nayak say many in the industry believe wearable devices could represent the next big platform shift. Google Inc. is already testing Google Glass, a stamp-sized electronic screen mounted to a pair of eyeglasses, and last week it announced plans to develop computerized wristwatches. They also say Sony unveiled a prototype for a new virtual reality headset accessory for its PlayStation 4 games console at the annual Game Developers Conference in San Francisco.
According to the story, Mark Zuckerberg, Facebook cofounder and chief executive, says virtual reality technology could become the next social and communications platform. Zuckerberg reportedly isn’t interested in turning Facebook into a hardware company and says its software and services would continue to serve as the underlying business, possibly realizing revenue from Oculus devices through everything from advertising to sales of virtual goods.
The Oculus deal is expected to close in the second quarter, marking the company's second multibillion-dollar acquisition since mid-February.
E-discovery has become a tricky and complex process for attorneys. While automated review can be a good option, Huron Legal Managing Director Nathalie Hofman, who advises law departments and firms on document review, says there are still times when linear review is the better choice. In a recent Eye on Discovery piece on the company’s website, Hofman did an internal Q & A with Robert G. Kidwell, member of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo. The interview offers legal professionals some guidelines on when to use, and not use, automated review.
Kidwell advises against using automated review in instances where there are complex issues or similarity between identically responsive documents. On the other hand, he says it’s very helpful in a situation where you have a very broad subpoena or other discovery obligation and “it’s basically an ‘all business documents’ request.”
He discusses an instance in which the issues separating a responsive document from a nonresponsive one were not clear-cut enough to allow pure semantic logic to distinguish between the two. In the end, he says, human input was necessary to determine what the dispute was about, the types of documents that might be relevant, etc., adding that this proved to be faster and more effective than the automated method, which he also employed.
Another tip, he says: don’t discount the usefulness of search terms in automated review.
At the end of the day, Kidwell says both forms of document review remain relevant; although powerful, automated review is not a panacea.
When hackers wanted to break into an energy company’s network, they targeted computers at the company's outside law firm in London using a so-called watering hole—a website that lures employees in order to deliver malware to their computers.
In today’s hack-happy atmosphere, the story serves as a cautionary tale for law firms and their client companies everywhere.
Infosecurity magazine, a U.K.-based global online publication for information tech and security professionals, said the hacking in late February was part of a broader ongoing attack, dubbed “LightsOut,” on energy companies. LightsOut hackers seek to install remote-access tools and intelligence-gathering malware that could potentially be used to knock out an energy grid, it said.
The article didn’t name the energy company targeted, but said the law firm was Thirty Nine Essex Street, which has an energy law practice. Alastair Davidson, a spokesman at the law firm, confirmed to CorpCounsel.com on Thursday that the attack occurred.
“It was a fairly sophisticated attempt involving redirection,” Davidson said. That means a firm employee clicks on a link that allows malware to be downloaded onto the employee’s computer in order to redirect it into a client company’s computer system.
It worked, briefly.
Davidson said, “A website was compromised for less than 24 hours.” The attack was thwarted and certain precautions have been taken, he said. He declined to elaborate.
Researcher Chris Mannon said on a blog called Zscaler that an attacker runs diagnostic checks on its victim’s computer to make sure it can be exploited. The diagnostics show up in an administrator’s log and can be used to identify an attack on a system, he explained.
After the diagnostics check out, Mannon said the attacker delivers a malicious payload “from the LightsOut exploit kit.”
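The detection point in the two paragraphs above (the attacker's activity leaves traces in an administrator's log, and those traces can identify an attack) as an added example, not code from the article, from Zscaler or from the law firm: a small Python script that reads constructed web-proxy log lines and flags a client that was redirected from a site the organisation trusts to an outside host, and then fetched an executable-like object from that outside host within a few minutes. The log format, the host names, the trusted-site list and the content-type list are all assumptions made up for this example.

```python
"""
Flag watering-hole style redirect chains in a web proxy log.

Constructed example, not the article's or Zscaler's code. Each log line is:
  <iso-timestamp> <client-ip> <status> <method> <url> <referer> <content-type>
A chain is reported when a client receives a 3xx from a trusted host and,
within WINDOW, downloads payload-type content from a non-trusted host while
the Referer still points at a trusted host.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hypothetical sites staff are expected to visit (assumption for the example).
TRUSTED_HOSTS = {"www.example-lawfirm.test", "intranet.example-lawfirm.test"}

# Content types that usually mean "a program was fetched", not a web page.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/java-archive", "application/x-shockwave-flash"}

WINDOW = timedelta(minutes=5)

# Constructed log lines: one client is bounced off the trusted site to an
# outside host and pulls a .jar; the others are ordinary traffic.
SAMPLE_LOG = """\
2014-02-24T09:00:01 10.1.1.20 200 GET http://www.example-lawfirm.test/energy/news.html - text/html
2014-02-24T09:00:02 10.1.1.20 302 GET http://www.example-lawfirm.test/js/analytics.js - text/html
2014-02-24T09:00:03 10.1.1.20 200 GET http://cdn-static.example-bad.test/landing.php http://www.example-lawfirm.test/energy/news.html text/html
2014-02-24T09:00:09 10.1.1.20 200 GET http://cdn-static.example-bad.test/load.jar http://www.example-lawfirm.test/energy/news.html application/java-archive
2014-02-24T09:10:00 10.1.1.31 302 GET http://www.example-lawfirm.test/login - text/html
2014-02-24T09:10:01 10.1.1.31 200 GET http://intranet.example-lawfirm.test/home http://www.example-lawfirm.test/login text/html
2014-02-24T09:15:00 10.1.1.42 200 GET http://updates.example-vendor.test/tool.exe - application/octet-stream
"""


def parse_line(line):
    """Split one log line into a dict; the URL's host is extracted for matching."""
    ts, client, status, method, url, referer, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "status": int(status), "method": method, "url": url,
            "referer": referer, "ctype": ctype, "host": urlparse(url).hostname}


def find_redirect_chains(lines):
    """Return (client, trusted_host, external_host, payload_url) per suspicious chain."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    last_redirect = {}  # client -> (time of 3xx, trusted host that issued it)
    findings = []
    for e in events:
        # Step 1: remember a redirect served by a trusted host.
        if 300 <= e["status"] < 400 and e["host"] in TRUSTED_HOSTS:
            last_redirect[e["client"]] = (e["ts"], e["host"])
            continue
        if e["client"] not in last_redirect:
            continue
        when, trusted = last_redirect[e["client"]]
        if e["ts"] - when > WINDOW:  # too old to be the same chain
            del last_redirect[e["client"]]
            continue
        # Step 2: an outside host serving a payload, reached from the trusted site.
        referer_host = urlparse(e["referer"]).hostname
        if (e["host"] not in TRUSTED_HOSTS and e["ctype"] in PAYLOAD_TYPES
                and referer_host in TRUSTED_HOSTS):
            findings.append((e["client"], trusted, e["host"], e["url"]))
    return findings


if __name__ == "__main__":
    for client, trusted, external, url in find_redirect_chains(SAMPLE_LOG.splitlines()):
        print(f"{client}: redirected from {trusted} to {external}, fetched {url}")
```

Only the 10.1.1.20 chain is reported: the 10.1.1.31 redirect lands on another trusted host, and the 10.1.1.42 download has no preceding redirect from a trusted site. The rule is deliberately narrow so that it fires on the chain the article describes rather than on every external download; a real deployment would tune the trusted-host list, the window and the content types to its own traffic.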
Another blog cited by Mannon offered details about which companies the hackers wish to exploit. This blog credited a threat researcher at Cisco Systems Inc. for listing the targets as:
An oil and gas exploration firm with operations in Africa, Morocco and Brazil.
A company that owns multiple hydroelectric plants throughout the Czech Republic and Bulgaria.
A natural-gas power station in the U.K.
A gas distributor located in France.
An industrial supplier to the energy, nuclear and aerospace industries.
Various investment and capital firms that specialize in the energy sector.
News reports over the past year have alleged links to Russia, China and Iran in attempts to hack into energy systems around the world.
As for this particular law firm attack, Mannon warned, “The victim site is no longer compromised, but viewers should show restraint and better browsing practices when visiting.”