By Jason Purviance
Data security should be a primary focus of a tool used to collect data from mobile devices for eDiscovery or investigations. A security protocol based on a security and privacy framework helps provide assurances. Client data must be protected by implementing multiple levels of security, including but not limited to encryption and consistent updates to data protections to address constantly emerging attack vectors. This blog reviews and explains the security features and activities to look for when selecting smartphone software.
If the application runs in the cloud, the cloud data center used by the mobile device collection tool should meet or exceed the certification requirements of the most-requested certifications, such as ISO27001, PCI, SOC, etc. The tool should, at minimum, follow best practices aligned with ISO27001:2013 (now:2022), ensuring operations comply with this standard.
Third-party organizations must verify these certifications. In addition, they should perform penetration tests annually (at the least) to ensure that security protocols keep up with the changing risk landscape.
International Access Policies
The tool should use the International Traffic in Arms Regulations (ITAR) policies set by the US Department of State. ITAR policies are designed to control the export and import of defense-related items, services, and technical data from and to the United States to safeguard US national security and foreign policy interests. These international access policies should automatically restrict access from bad actors and countries deemed high-risk by the US Department of State.
Business Continuity & Disaster Recovery
The framework should be built on a redundant, scalable global infrastructure such as AWS. To proactively prepare for a disaster or cyber-attack, the tool must maintain backups and data versioning, making it possible to revert to a point in time as part of the incident response activities. Additionally, you should be able to request a purge of specified data sets from data stored with the tool or infrastructure. And the provider must deliver a digitally signed affidavit to authenticate these activities.
User & Device Verification
The tool should also have internal policies requiring complex passwords to access internal corporate systems and devices and a regular update cadence. Look for a mobile device collection tool with technologies such as a “one-time-code” pairing process that simplifies the authentication of client devices to data relay.
Ensure that all data stored on the servers is encrypted at rest using the AES-256 encryption algorithm or equivalent. AES-256 is a robust encryption standard widely adopted by government agencies and security-conscious organizations. In addition to encryption at rest, this software should also encrypt data in transit to protect data as it moves between devices and servers. The framework must use at least industry-standard Transport Layer Security (TLS) to encrypt data in transit, protecting data from interception or tampering during transmission.
Internally, the software company should have corporate security policies and best practices in place. Each employee must review these annually and attest to their understanding. Additionally, the company should provide regular information security training or awareness opportunities for employees.
In conclusion, when choosing a mobile device collection tool for eDiscovery and investigations, look for a tool that has a security and privacy-driven framework. Qualifications, third-party testing, international access policies, business continuity and disaster recovery preparedness, user and device verification, data encryption, company policies, and data privacy are all key features to consider. Choose a tool that meets these and additional criteria to ensure a successful eDiscovery process.