Responsibility For Data Privacy Does Not Pass With Custody: What Service Providers’ Security Audits And Certifications Mean For Corporate Counsel

Monday, November 18, 2013 - 16:38

Visit any business-data-related website and you will find at least one article on the efforts of international hackers to infiltrate U.S. corporate networks to steal both intellectual property and personally identifiable information. While IT departments of potential targets are making concerted efforts to protect data on their networks, they have no control over it once it leaves the security of the corporate firewall. Litigation and investigations generally necessitate the transfer of valuable data to external service providers. So, how can corporate counsel support their IT departments and ensure that data is protected when they pass the custody over to an outside organization? They can turn to neutral, third-party verification of the security protocols that the hosting company has put into place.

The two most common verification processes are SSAE and ISO. They consider various aspects of the security protocols and complement each other.

SSAE 16 SOC 1 Type 2

SSAE (Statements on Standards for Attestation Engagements) is a verification of the systems and controls implemented by the service company. The company being investigated must provide a written assertion to the CPA firm conducting the SSAE 16 engagement, then prove those assertions.  That company can choose to include any aspects of its systems in the assertion. As an e-discovery data processing and review hosting provider, Complete Discovery Source’s assertions related to client data. This included client data handling, hardware management, network access security, and change management.

Client data-handling procedures are extremely important in e-discovery, not only for data security and privacy purposes, but also for certification of data integrity and authenticity. So, this was an important aspect of the testing for CDS. By including our chain-of-custody, data-loading, handling and storage protocols in our assertion and ultimate attestation, we can support our clients’ certification of the accuracy of a production in an “Affidavit of Completeness.”

Since attorneys access our e-discovery document review tools, Nytrix CIYTM and Relativity®, via a web-based connection, we wanted to verify the security of those access points for our clients. Therefore, we included security protocols for our web-servers and firewalls in the review. We did not limit the review to client access points, but extended it to server access by internal staff. That helps us to illustrate to clients the effectiveness of our virtual ethical walls, when needed, i.e. we can demonstrate our ability to limit access to case data within our network, based on the client an employee is supporting.

The final aspects of our SSAE 16 process looked at hardware and software change management. By reviewing these sections, a client can easily understand the protocols that affect up-time. No matter how secure the system, if data aren’t available to the client’s legal team when needed, they are of no use. With the SSAE 16, CDS is able to verify that it can support its up-time claims to help clients meet their document review and production schedules.

The time period of the report is also an important consideration. CDS selected the Type 2 review, because it verifies compliance with assertions over a period of time, rather than for a cherry-picked perfect day. The auditors reviewed activity reports and logs on all activity included in the assertions for a six-month period. Going through this review helped us to standardize our processes and gives our clients peace of mind about our ongoing commitment to their data security.

Since the SSAE 16 can be based on any process within an organization, it is important to verify what the service provider has included in its attestations. A verification of practices related to personnel data by the human resources department is no reflection on the company’s handling of client data. Before transferring custody of their data to an outside service provider, corporate counsel should verify that the potential vendor has included key client data security protocols in its SSAE 16 report.

ISO 27001

Whereas SSAE 16 is the validation of management assertions, ISO is a certification of a company’s alignment with established benchmarks. The certification process is longer and more rigorous than the attestation process and requires a larger financial commitment. That is why so few e-discovery service providers have attained ISO certification. After a twelve-month process, in March of 2013, CDS received ISO 27001 certification for its Information Security Management System.

The auditing CPAs reviewed our policies and procedures for 172 benchmarked controls and our compliance with those P&Ps. This extensive review covered eleven domains with sub-sections encompassing subjects from our security policy management direction to actual physical security. They tracked our data handling from the point we take possession—even checking our processes for pickup and delivery of media. This list is an overview of the eleven Information Security Management System domains that are included in the ISO 27001 certification evaluation:

1.     Information security policy
2.     Internal organization & external parties
3.     Responsibility for assets
4.     Employment
5.     Building and infrastructure security
6.     Operations
7.     Access control
8.     Information systems
9.     Information security incidents
10.  Business continuity
11.  Compliance with legal requirements

Because our performance was compared to benchmarks, we were able to identify areas for potential improvement. As the CTO, I appreciated this empirical testing because it gave us an opportunity to compare our processes to best practices as defined by the security industry. As a result of the ISO certification process, we made several improvements in our security protocols.  One example — our couriers now use secure pouches to transport media and the data is always encrypted for transport. We have eliminated the risk for a data breach if the courier encounters an event during media transport. Another example — we now have an information security management committee. The goal of this committee is to ensure that CDS is keeping data security and privacy at the forefront of our business activities. It meets quarterly to review all of the areas covered by our ISO certification, to verify compliance, to identify issues and to recommend improvements. We have committee members from across the company who act as the eyes and ears for our information security and risk management initiatives.

Risk mitigation is an important benefit for both CDS and our clients. For instance, the U.S. Department of Health and Human Services’ HIPAA Omnibus Final Rule clearly places the responsibility for data privacy and confidentiality on the "covered entity," the data owner, even as the data move downstream through outside consultants. These rules have implications beyond the medical industry, as most corporations have some medical information (think employee accident reports) on their networks. The Omnibus Final Rule places the responsibility for disclosure of breaches by subcontractors, on the covered entity. Of the need to report data breaches or face penalties, the Omnibus Final Rule says,

A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known,[emphasis added] to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate . . .

So, if the business associate is unaware of the breach, but would have known of it with an effective breach monitoring program, the client faces the risk of enforcement actions. Selecting a service provider with the internationally recognized ISO certification provides strong assurances that data breach monitoring protocols are in place and are actively being implemented.

The ISO certification can simplify your vendor vetting process as well. Recently, a financial institution scheduled a conference call with our technical team to discuss data security for a highly sensitive upcoming case. In the meeting invitation, they allotted a full hour to getting their questions answered. As the meeting began, I informed all present that CDS’s Information Security Management Systems are ISO certified. They had no further questions. What might have taken sixty minutes for six people took less than five minutes. These are the stories that prove the ROI of this process for us and for our clients.

This certification has also made our IT department more efficient. All of our processes are documented; employees are trained on and follow standard protocols for all security and data-handling activity; everything is trackable and duplicatable; and our information security management committee has become the eyes and ears for data security. These efficiencies translate to lower overhead and lower prices for our clients. ISO is a three-year certification, but the certifying entity performs spot audits to verify our continued compliance. All employees are aware of the potential for these spot audits, so they take personal responsibility for their role in maintaining data security and privacy.


There is one other form of third-party verification for data security. This is the Federal Risk and Authorization Management Program (FedRAMP). It is a new, government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. To date, only nine corporations have attained FedRAMP authorization. This process is more extensive and expensive than the ISO certification. CDS has made the commitment to move forward toward FedRAMP authorization and is FedRAMP pending.

Corporate Counsel

While general counsel would prefer to focus on the corporation’s business-related legal matters, they are often drawn into peripheral areas. These busy professionals need tools to help them refocus on their main tasks. SSAE and ISO are just such tools. These third-party verifications were designed to take the burden of security system analysis off the end client and place it in the hands of objective experts. By using these verifications to vet e-discovery service providers, GCs can support their IT departments’ efforts to maintain data privacy and security when it transfers custody outside the corporate firewall.

Nyi Htwe is Chief Technology Officer of Complete Discovery Source, a leading eDiscovery company headquartered in New York, with offices nationwide. In this role since 2004, he is responsible for the company's technical vision and leads all aspects of technology development including infrastructure, security, data technology, software, and analytics research. He holds degrees from City University of New York in both Economics and Computer Science.

For more information about this article, please email Gary Bendel, COO, at