By: Cassandre Coyer
Nowadays, being the target of a cyber breach is not only catastrophic to one’s reputation, but it has also become incredibly expensive. Is asking e-discovery providers for indemnification provisions enough to ensure clients’ data is safely stored?
The threat of cyberattacks has not only made legal professionals more wary, especially as legal teams in firms and in-house are increasingly targeted by attackers, but it has also changed their relationship with vendors.
Indeed, as legal professionals now have to rely on vendors, such as e-discovery providers, to securely store their clients’ data, discussions on where the responsibility should lie in case of a data breach have grown more complicated.
While more legal teams are turning to their e-discovery vendors with requests for indemnification clauses in case of a breach, e-discovery providers suggest that financial recourse is only one part of the solution. Without thorough security audits and upstream precautions, an indemnification clause says little about a vendor's actual ability to store data safely.
Instead, providers argue that mutual indemnification clauses make more sense in most cases, especially since clients' own mistakes, such as a weak password or clicking on a phishing link, have often opened the door to breaches.
To be sure, cyberthreats are not the only driver behind the push for e-discovery vendors' indemnification. As the transition to the cloud shifted much of the security burden from the customer to the provider, it also boosted the appetite for indemnification provisions.
But Shana Simmons, chief legal officer at Everlaw, noted that the focus on indemnification is revealing of the legal industry’s misconceptions about the cloud’s security.
“This focus on indemnification or liability caps among firms and legal departments or lawyers, I think, reflects almost an incomplete understanding of the cloud in itself,” Simmons noted. “So I want to separate on-prem solutions from the cloud, because one of the greatest advantages I see for customers of cloud server solutions versus on-prem is that they get the most recent version of the solution, which means it’s been patched.”
Now, it seems that requests for indemnification clauses have become quite common in conversations between lawyers and e-discovery vendors.
But how broad these provisions are or what they cover depends on many different factors, from the other types of coverage involved in the process, to the jurisdictions the vendors and clients are operating in, to the types of data involved, said Daniel Bonner, director of client solutions at Level Legal.
“So it’s important as you think about indemnification to assess what sort of data sources are at issue, what data does the client have on their systems, what particular obligations and security measures are appropriate for those data types?” Bonner noted. He added, “As you start talking about indemnification, there’s not a one-size-fits-all clause that would make sense.”
Bonner noted that Level Legal has settled on a mutual indemnification clause, sharing the responsibility with the customer.
“If we were to indemnify both the client and the law firm from all potential claims, liability breaches, anything like that, that may satisfy them, but it leaves us holding the bag for all sorts of things that could happen upstream that were improper or illegal or unethical,” Bonner said. “So, what if the client was storing data they shouldn’t have access to? What if the law firm directed the data collection team to the wrong source? There are things that don’t make sense to indemnify upstream for those reasons.”
Ultimately, e-discovery vendors agree that indemnification clauses should be only one part of the conversation. And as cyberthreats have grown sharply in number, most legal teams are now asking questions that go beyond requests for indemnification, Simmons noted.
“What I’ve seen is a spike of what I think is the right approach, which is very long security questionnaires, folks wanting to review our audits, folks expecting more certification—and that’s actually what I expected to see,” she said, adding, “we do have occasional folks pushing us on indemnification and liability caps, but I think once the business gets involved or their CISO gets involved, the conversation starts to shift a little bit.”
Going forward, as the industry continues to navigate a field mined with cyberthreats, Bonner suggested that more of these conversations should be happening.
“In addition to indemnification language and making sure that’s sufficient for all parties, I would recommend the clients pursue information about vendors’ information security certifications,” he said. “The indemnification, it’s a financial cure. … Even if you had a vendor that agreed to indemnify you, are they the right vendor? Do they have the adequate information security policies and practices and procedures? Are their teams trained? How robust is their InfoSec environment? Have they been certified? One without the other is useless.”
Of course, while an indemnification clause does nothing to prevent a breach, it does offer clients some financial protection after the fact. But that added financial exposure could end up affecting prices for e-discovery services, Simmons argued.
“If lawyers are going to start insisting on broader indemnification clauses related to data breach, I think a CSP [cloud service provider] should be and will be more receptive to a balanced and narrowly tailored one that is limited to data breaches that are caused by a violation of law, for example,” Simmons noted. “But we should know that if a CSP starts to give more on these, it will impact the economics of the deal. The more unbalanced risks a CSP takes on, the more it will cost to create and secure the product and the more the product will cost.”