When I read this article, I thought “well, of course”. But not everybody realizes the potential malware threat that transfers of data for eDiscovery purposes could bring. This article from Legaltech® News provides an important warning for those who don’t realize it and an important reminder for those who do (but might inconveniently forget).
In their article E-Discovery Could Be the ‘Biggest Pathway’ for the Spread of Malware, written by Frank Ready, the author notes that the large-scale data transfers integral to eDiscovery production “may be inadvertently opening up additional pathways for cybercrimes inside the legal ecosystem.”
“I have absolutely seen discovery production that has included ransomware toolkits and spread from law firm to law firm to law firm engaged in a particular piece of litigation. I have seen that, I have responded to that sort of incident,” said Christopher Ballod, an associate managing director in the cyber risk practice at Kroll.
It’s not dissimilar to the risks that infected pieces of virtual evidence and other documents can pose to court IT systems. But while both law firms and court systems alike scan outgoing or incoming documents for potential cyber risks, e-discovery productions can potentially entail a lot more ground to cover.
Kenya Parrish-Dixon, general counsel and chief operating officer at Empire Technologies Risk Management Group, noted that eDiscovery and M&A deals are two of the only reasons why law firms would be sending very large volumes of data back and forth.
“E-discovery is every day for everybody. Law firms all day, every day, back and forth. Firms sending data to vendors. Vendors sending data to law firms. Firms sending data to each other. And everybody is sending data to the federal government,” she said.
But it’s not just the frequency of the transmissions involved that makes e-discovery what Parrish-Dixon termed “the biggest pathway” for the spread of malware. Human error and apathy are also major contributors.
Some firms, for instance, may be neglecting to scan outgoing productions for viruses before sending it to opposing counsel. “Very few people bother to do that because what do you care if you’re sending malware to someone else? You had it. It probably infected your environment. You don’t want to know as it’s leaving that your environment was infected, so people don’t scan on the way out,” Parrish-Dixon said.
The article notes that “with e-discovery data continuing to pass through so many hands—clients, law firms, opposing counsel, providers—the possibility that malware could eventually penetrate that cycle remains.”
What a wonderful world this would be if we all kept our malware licenses up to date with the latest protections. While that Sam Cooke song doesn’t contain the lyric “Don’t know much about malware” (maybe it should) and everyone having current malware protection wouldn’t completely eliminate the issue, it would certainly greatly reduce it. And, because Kenya correctly notes that many parties don’t scan outgoing productions for viruses, the data received from any outside party should always be virus-scanned coming into your environment (whether centralized or remote) before proceeding to do anything with it. That should always be the first step in dealing with produced data. Even if you know the sending party or are even expecting the data transmission, that data transfer may contain infected data that is being sent unknowingly. Protect yourself.
So, what do you think? What does your organization do to protect against potential malware in data transmissions? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.