Last month, TrialWorks, which hosts the electronic records for thousands of law firms in America, fell victim to a ransomware attack. As a result, lawyers have already had to request extensions on filing deadlines. The data breach may have been caused by a disruption to Outlook service. The incident highlights the hazards of relying on cloud based records. TrialWorks allows firms to retain ownership of data. Its Uptime Practice not only allows for the hosting of data, but also software. Microsoft Office; Exchange; and SQL server are included. Law firms need not have servers on their premises. In order to function well, 512 KBs per second per user are required. TrialWorks’ case management software is among the most widely used in the legal industry, but its recent troubles highlight broader vulnerabilities in the legal world.
LITIGATION SUPPORT TIP OF THE NIGHT
The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer. All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. This policy is subject to change at any time. The owner is not an attorney, and nothing posted on this site should be construed as legal advice. Litigation Support Tip of the Night does not provide confirmation that any e-discovery technique or conduct is compliant with legal, regulatory, contractual or ethical requirements.
New tips for paralegals and litigation support profesionals are posted to this site each week. Click on the blog headings for better detail.
- Oct 9, 2019
The UK's G-Cloud programme is a digital marketplace where British government agencies can acquire cloud computing services. The UK has a 'cloud first' policy which requires that agencies purchase cloud based IT services, unless the alternatives are cheaper. The current framework agreement, G-Cloud 11, bans providers from disclosing confidential information without written consent, and information can only be disclosed to the cloud service provider's staff to the extent that it is necessary under the agreement. The supplier has to notify the government agency about security breaches immediately. Unless the law provides otherwise, data has to be deleted 7 years after the framework contract ends. The framework includes a separate schedule addressing the processing of data.
Providers listed on the G-Cloud are not required to have a specific cyber security certification, but the National Cyber Security Centre's Cyber Essentials Certification is recommended. This advises organizations to use a firewall; two factor authentication; Windows Defender to protect against malware; whitelisting (having an admin restrict installed applications to a pre-approved list); and use applications that allow for sandboxing - or the running of the software in an isolated environment with limited access to network data.
In June 2019, FedRAMP, the Federal Risk and Authorization Management Program, issued guidelines for cloud service providers, FedRAMP Marketplace. CSPs can be categorized as having one of three statuses:
1. FedRAMP Ready - a third party assessment organization attests to a CSP's capabilities and a report is accepted by FedRAMP.
2. FedRAMP In Process - CSP working on FedRAMP authorization with the Joint Authorization Board or a federal agency. In order to get to this stage, a Security Assessment Plan (SAP) and Security Assessment Report (SAR) must be prepared. Security package materials have to be uploaded to the OMB MAX document repository, and kickoff meeting with the JAB must be held. The in process status cannot be held for more than 12 months.
3. FedRAMP Authorized - in order to get authorization, the CSP must submit monthly deliverables to the JAB. A provisional authority to operate letter (P-ATO) signed by the CIOs of the Department of Defense; Department of Homeland Security; and the General Services Administration will allow the CSP's status to be updated to authorized.
The FedRAMP Marketplace is a sortable database of CSPs. Notable businesses in the legal technology field that are in the marketplace include:
Box (Authorized)
CDS - Complete Discovery Source (Authorized)
DocuSign (Authorized)
EverLaw (In Process)
Exterro (In Process)
Slack (Authorized)
Smarsh (In Process)
VMware (In Process)
(Pretty nice feather in CDS's cap!)
