Are Digital Signatures Enough For Secure eDiscovery?

06 September 2022 by Ross eDiscovery digital-security

Takeaway: Digital signatures are a virtual lock-and-key system you can use to authenticate and protect important documents. But they’re only one component of secure eDiscovery. So, law firms should also explore other security tools like VPNs, multifactor authentication, user roles/permissions, and in-app production sharing.

Digital signatures are virtual identifiers you can use to authenticate important documents.

Digital signatures are a great way to certify that you (and only you) created/reviewed a document. That’s because they’re irreplicable virtual identifiers unique to a single person/entity – similar to a driver’s license or passport. The underlying tech is complicated but essentially uses a mathematical algorithm to create and encrypt the equivalent of a ‘digital fingerprint’ that you can embed in important documents. And this makes online interactions more transparent – building trust between businesses, vendors, and customers.

Digital signatures are more than standard electronic signatures, though.

Digital signatures do three important things. First, they authenticate a document and its source. Second, they protect the document from further changes after being signed. And third, they confirm who signed the document. So, they’re much more thorough than electronic signatures (i.e., e-signatures), which are an umbrella term for any type of electronic verification. (The simplest version of an e-signature would be a scanned copy of a physical pen-and-paper signature.) Regular e-signatures are a quick way to verify agreements and approvals – for instance, when someone in HR approves an employee’s time off. But digital signatures verify and protect high-security documents signed by people like compliance officers, regulators, auditors, and judges. They offer the type of advanced options (e.g., a clear audit trail) you’d need for contracts, insurance forms, tax documents, intellectual property documents, classified data, and more.

Behind this technology lie encryption techniques borrowed from advanced cryptography.

Digital signatures are built around principles you’d find in advanced cryptography – i.e., the secure communication methods that spies have been using for decades. (Crypto means ‘hidden’ and graph means ‘writing’.) So, cryptographic encryption is a huge part of creating digital signatures. Specifically, it means creating jumbled-up ciphertext that only the sender and recipient know how to encrypt and decrypt.

The first step in the process involves creating a hash of the document.

A hash value (or simply, ‘hash’) is a string of numbers and letters unique to a particular piece of electronic data (e.g., emails, documents, images, etc.). Your software uses an algorithm, called a hash function, to generate a hash so specific that it’ll change if you alter even a tiny part of the source file (e.g., if you alter a single letter in a Word document). Common hashing algorithms include the Secure Hash Algorithm family (SHA-1 and SHA-2, which includes SHA-256) and Message Digest 5 (MD5).

After creating this hash, your software encrypts it to set up a lock-and-key system for your data.

Software developers use hashes frequently – for instance, to check if an uploaded file has been reassembled properly after chunking. But digital signatures go beyond merely hashing by creating cryptographic ‘keys’ for their hashes. These include a public key that anyone can access online and a private key that only the sender knows. The sender ‘locks’ the file’s hash using the private key, while the recipient ‘unlocks’ it using the public key. And the digital signature software facilitates all this locking, unlocking, and key-sharing. So, if someone tampers with the file at any point, its hash value will change and no longer match the hash the sender locked, alerting the recipient when they try to unlock and verify the file.

Note that this level of security is vital for processes like eDiscovery, where compromised data can ruin a review.

eDiscovery primarily deals with business documents and emails, so we need to know that we’re reviewing authenticated documents. And digital signatures are a legally binding way of guaranteeing this. Further, they come with timestamps, so third parties can’t falsify timelines. (These timestamps also make finding and retrieving archived files easier.) Lastly, digitally signing things is quicker and more cost-effective than scanning, printing, and/or FedExing documents, as law firms traditionally would do.

But digital signatures are only one aspect of eDiscovery security. Here are some others.

Digital signatures sensitize us to how crucial security measures are for eDiscovery. But they’re only one of many security tools we can use to protect eDiscovery data, and here are examples of others.

1. Virtual private networks (VPNs) help secure your internet connection.

VPNs mask your internet protocol (IP) address, creating a secure and encrypted connection even when using risky internet options like public WiFi. They create a protected ‘tunnel’ through which you can safely send and receive data without any chance of interception by cyber criminals, internet service providers, government agencies, etc. Further, they help you remain anonymous while online – for instance, if you’re researching a client’s medical condition and don’t want anyone to track your searches. (Note: Using ‘incognito’ mode for private browsing won’t keep you this anonymous.) Learn more about VPNs.

2. Multi-Factor Authentication (MFA) keeps hackers away from your data.

The best eDiscovery providers run their applications in the Cloud instead of on your computer. And you’ll access them online via your web browser. This signing-in process gives hackers a chance to crack your password, though, and that’s where MFA can help. Here, you’ll need multiple bits of information to verify who you are while logging in. For example, you’ll first enter a password, which will trigger the software to send an authentication code via SMS or a reliable ‘authenticator’ app (like Google Authenticator). So, you’ll need both your password and your cellphone (with the authenticator app) to log into your software. Learn how eDiscovery applications set up MFA.

3. Assigning user ‘permissions’ and ‘roles’ will limit who sees what.

eDiscovery applications like GoldFynch let you allot multiple access levels to team members, giving people as much (or as little) freedom as they need. For example, Level 1 users can only search/review data and generate reports/productions. Level 2 users have these privileges, plus the freedom to rename/delete files and modify tags, productions, and reports. Level 3 users have the further privilege of adding/removing users and changing their roles, while Level 4 users control everything – paying subscription fees, adding/deleting cases, and more.

4. In-app ‘production’ sharing prevents unintended data leaks.

Your data is most at risk when leaving your eDiscovery software, and this makes it especially vulnerable when you share productions. That’s why the latest generation of eDiscovery applications has in-app sharing options. So instead of sending entire productions out to people, you’ll share links they can click on to view productions from within your application. This way, you can invalidate a link at any point, revoking access rights if you mistakenly share productions with the wrong person. Learn more about sharing productions.

If you’re looking for eDiscovery software with built-in security measures like these, consider trying GoldFynch.

GoldFynch is an eDiscovery service designed for small and midsize law firms. It’s compatible with any VPN service you currently use and has all the essential security tools you’ll need, plus the following bonus features:

  • It costs just $27 a month for a 3 GB case: That’s significantly less than most comparable software. With GoldFynch, you know exactly what you’re paying for: its pricing is simple and readily available on the website.
  • It’s easy to budget for. GoldFynch charges only for storage (processing files is free). So, choose from a range of plans (3 GB to 150+ GB) and know up-front how much you’ll be paying. You can upload and cull as much data as you want, as long as you stay below your storage limit. And even if you do cross the limit, you can upgrade your plan with just a few clicks. Also, billing is prorated – so you’ll pay only for the time you spend on any given plan. With legacy software, pricing is much less predictable.
  • It takes just minutes to get going. GoldFynch runs in the Cloud, so you use it through your web browser (Google Chrome recommended). No installation. No sales calls or emails. Plus, you get a free trial case (0.5 GB of data and a processing cap of 1 GB) without adding a credit card.
  • It’s simple to use. Many eDiscovery applications take hours to master. GoldFynch takes minutes. It handles a lot of complex processing in the background, but what you see is minimal and intuitive. Just drag-and-drop your files into GoldFynch, and you’re good to go. Plus, you get prompt and reliable tech support.
  • Access it from anywhere, and 24/7. All your files are backed up and secure in the Cloud.

Want to find out more about GoldFynch?