What Is SOC 2 Type 2 and Why Does It Matter in Litigation Response?
What Is SOC 2® Certification?
SOC 2 Type 2 certification is the gold standard in keeping ediscovery data secure.
Ediscovery often involves a company’s most sensitive, important internal information. If that information is hacked, shared with unauthorized users, or unintentionally modified, it can destroy not just the case that it was collected for, but the entire business. SaaS providers that are SOC 2 Type 2 certified meet detailed and stringent requirements that are designed to safeguard that data.
The American Institute of Certified Public Accountants (AICPA) established its System and Organization Controls (SOC) assessments to measure the internal controls that a business uses to protect information. There are three levels of SOC reports denoting different types of assessments and reports.
SOC 1 reports measure a service organization’s internal control over financial reporting. These reports assess how well a business protects its customers’ financial statements.
Both SOC 2 and SOC 3 reports evaluate how well a service organization’s controls ensure compliance with the AICPA’s Trust Services Criteria. SOC 3 reports are written for general distribution; they omit in-depth descriptions of how the organization actually manages information. SOC 2 reports, on the other hand, are very specific and detailed. As a result, their distribution is limited.
There are five Trust Services Criteria that an organization can be evaluated on. These principles are:
- Security (protection of information and systems from damage or unauthorized access)
- Availability (reliability of customers’ access to information and systems)
- Processing integrity (completeness, validity, and accuracy of the organization’s data processing)
- Confidentiality (protection of designated confidential information)
- Privacy (limited collection and use of personal information)
An organization might be evaluated on one or several of these criteria.
Type 1 and Type 2 Reports
SOC 2 reports come in two types. Type 1 reports evaluate how well the organization’s system is designed to comply with the specific Trust Services Criteria being assessed. These reports consider only a moment in time and the theoretical suitability of the organization’s controls.
Type 2 reports, on the other hand, go further. They assess both the suitability of the design of the organization’s controls and the operating effectiveness of those controls. Type 2 reports require evaluation over a long period of time, generally six months to a year.
SOC 2 Type 2 Is the Highest Standard for Ediscovery
In ediscovery and litigation response, companies must trust vendors and service providers with their most critical, confidential information. Loss of information or a security breach can result in crippling monetary sanctions and reputational damage.
SOC 2 certification allows companies to have confidence that the service organizations they trust with information have designed their systems to adequately protect that customer information. Type 2 certification demonstrates that those controls actually work in the real world, over an extended period of time.
In short, a vendor or service provider with a SOC 2 Type 2 certification is tested and proven.
When it comes to software-as-a-service (SaaS) providers, businesses should ensure that both the provider’s data hosting and application processing systems have obtained SOC 2 Type 2 certification.
SOC 2 certification evaluates a service organization’s controls and the operating effectiveness of those controls to protect customer information. SOC 2 measures controls with respect to any of five trust principles: security, availability, processing integrity, confidentiality, and privacy. Type 2 certification tests those controls over an extended period of time, generally six months to a year.