Historically, data protection for business has been an obstacle to eDiscovery — at least as far as email is concerned. Email encryption tools that allow your workers to communicate securely can also interfere with search functionality, complicating the eDiscovery process. By adding encrypted search and Google Vault eDiscovery support, Virtru has overcome a major obstacle, and ensured organizations can be prepared for litigation without compromising security.
Requirements of the eDiscovery Process
Discovery is the stage in litigation where organizations are required to share certain kinds of data with the opposing party. As part of that process, organizations must identify, preserve and sort through records to determine what may be relevant to the case. Organizations must undergo a similar process for criminal and regulatory investigations and (in the case of government organizations) Freedom of Information Act (FOIA) requests.
Because most modern organizations use digital means to communicate and work, this stage typically focuses on the collection of Electronically Stored Information (ESI) — a process called eDiscovery. In the eDiscovery process, organizations are required to preserve data such as emails, as well as metadata such as author and recipient identity, time and date information and audit logs.
Organizations will use factors like keywords, author and date range to identify potentially relevant data, which is then protected with a legal hold, so that it can’t be altered or destroyed. Next, they must analyze the data to remove anything that’s not relevant — for example, documents that fit the search criteria but have nothing to do with the case.
Finally, the eDiscovery process requires the organization to securely store the information, code it based on its relevance to the case and (in some cases) convert it into another format. The process will vary based on jurisdiction and other factors, but it always has the same essential components — the organization needs to be able to find, compile and share information while ensuring adequate business data protection. This is usually easier said than done.
Data Protection for Business — Encryption Requirements
Your duty to keep data secure doesn’t start and end with the eDiscovery process. Government and private sector organizations are under increasingly strict regulatory pressure to encrypt and protect personally identifiable information, business secrets, financial data and other confidential info. Encryption is either explicitly mandated or implicitly required to meet standards of data protection for business across industries.
Some industries have extremely specific technological requirements. For example, CJIS compliance sets minimum standards for encryption strength and requires other controls like multi-factor authentication. But technology-neutral compliance requirements like HIPAA can be every bit as strict. Although HIPAA doesn't technically require encryption, failing to use it in healthcare can (and often does) lead to multimillion-dollar fines. No matter what the compliance regime, encryption is key.
But installing software alone doesn’t ensure data protection. For businesses, the biggest challenge is ensuring that workers, clients and partners are able to use encryption and other security features correctly and consistently. Any time data is stored in an unsecured location or sent using an unencrypted protocol, that data is vulnerable.
Even minor mistakes or risks can lead to leaks. For example, if a law office sends an unencrypted email containing sensitive data, a hacker could intercept it, stealing sensitive information and potentially compromising litigation — and you wouldn’t even know. Unfortunately, the eDiscovery process itself can create added risks.
Encryption Has Traditionally Interfered With the eDiscovery Process
eDiscovery requires organizations to give reviewers extensive access to protected data. Internal reviewers need to be able to search through current emails and documents, as well as archived data, by a wide range of criteria. These documents then need to be gathered in an encrypted cloud storage drive or other secure location where other reviewers can examine them in detail and process them. Then they must be transferred securely to opposing counsel, the FOIA requester or some other party (either as a file or a printed copy).
The problem is client-side encryption — the type used in email encryption — isn’t readily searchable (or at least it hasn’t been historically). In client-side email encryption, the sender encrypts the data before sending it across the Internet. This keeps the message safe from bad actors who may intercept it in transit, ensuring only the recipient can read it.
But it also means that the service provider doesn’t have access to the plaintext (i.e., the unencrypted content). So, if you encrypt your Gmail messages with a typical client-side encryption technique, your company won’t be able to search through their text during the eDiscovery process.
Secure client portals are searchable, but they have their own problems. They’re hard to use, and even harder to get customers and partners to use, which means they often don’t really provide data protection for business. Inevitably, a lot of data goes through email, where the company can either encrypt it (leading to the same problems) or send unencrypted email that is vulnerable to hackers.
Portals can also greatly complicate communication. If a doctor works with a billing agency, a private office and a hospital, for example, they could be forced to use three different portals, each requiring its own ID and using its own interface. Faced with this much added complexity, many users give up entirely.
To be sure, you can use email encryption and successfully complete the eDiscovery process — even without email search capabilities. A well-thought-out technology policy and encryption key management strategy, combined with good labeling and tagging can help identify emails. But in many cases, encryption and other forms of data security have made the eDiscovery process more difficult, time-consuming and expensive, and posed heightened legal risk from missing data.
How Virtru and Google Vault Data Support the eDiscovery Process
Google Vault is a powerful eDiscovery tool, which provides good data protection for business off the shelf. It allows admins to search emails, chats and files throughout their domain, place holds to stop relevant information from being destroyed or changed, export documents and even audit user access.
The problem is, Google Vault can only see what Google can see. Up until recently, if an organization added a secure email service application on top of Gmail, Vault would archive the encrypted emails — and then you’re pretty much back where you started.
Now, Virtru’s Google Vault eDiscovery Support allows businesses to have the best of both worlds, with encrypted search. When users send a message with Virtru Gmail encryption, their Virtru server automatically creates tokens containing words from the email. An administrator can search for keywords, identify potentially relevant emails and decrypt messages within Vault.
Encrypted messages stay protected (and search tokens are encrypted as well) so neither Virtru nor Google can read them. However, they can still be identified, read and exported as necessary by an authorized administrator, greatly simplifying the eDiscovery process. Organizations can continue to benefit from Virtru’s strong, client-side encryption without the technical challenges this would normally pose to the eDiscovery process.
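One way keyword tokens can make encrypted mail searchable without exposing its text, shown here as an added example that is not Virtru's or Google's code. It assumes HMAC-SHA256 tokens under an index key held only by the organization; the `Archive` class, the function names and the sample messages are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

WORD_RE = re.compile(r"[a-z0-9]+")

def words(text):
    """Lower-case the text and return its distinct words."""
    return set(WORD_RE.findall(text.lower()))

def token(index_key, word):
    """Keyed one-way token: useless for search or reversal without index_key."""
    return hmac.new(index_key, word.encode("utf-8"), hashlib.sha256).hexdigest()

class Archive:
    """Provider-side store: sees only opaque ciphertext and opaque tokens."""
    def __init__(self):
        self.records = {}  # message id -> (ciphertext, frozenset of tokens)

    def store(self, msg_id, ciphertext, tokens):
        self.records[msg_id] = (ciphertext, frozenset(tokens))

    def search(self, query_tokens):
        """Return ids of messages whose token set contains every query token."""
        q = set(query_tokens)
        return sorted(m for m, (_, t) in self.records.items() if q and q <= t)

def send(archive, index_key, msg_id, plaintext):
    """Sender side: tokenize before the body is encrypted and archived."""
    # Stand-in for client-side encryption (assumption): random bytes represent
    # the ciphertext, since the search path never touches the body.
    ciphertext = secrets.token_bytes(len(plaintext))
    archive.store(msg_id, ciphertext, {token(index_key, w) for w in words(plaintext)})

def admin_search(archive, index_key, query):
    """Administrator side: turn keywords into tokens, then ask the archive."""
    return archive.search(token(index_key, w) for w in words(query))

def build_demo():
    """Constructed sample mailbox; returns (archive, index_key)."""
    key = secrets.token_bytes(32)
    archive = Archive()
    send(archive, key, "m1", "Quarterly forecast for Project Falcon attached")
    send(archive, key, "m2", "Lunch on Friday?")
    send(archive, key, "m3", "Falcon contract draft, please review before Friday")
    return archive, key

if __name__ == "__main__":
    archive, key = build_demo()
    print(admin_search(archive, key, "falcon friday"))
```

Because each word always maps to the same token under a given key, whoever holds the archive can still see which messages share a token and how often it occurs, so the index key needs the same protection as the decryption keys.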
Check out our Complete Guide to Email Encryption for G Suite to learn more about how Virtru keeps your Google domain secure without compromising functionality.