In a cyber incident response, data must be scanned for Personally Identifiable Information (PII) and Protected Health Information (PHI) to determine if a data breach of protected data has occurred. Data breach review of a business email compromise presents unique challenges that go unmet when utilizing the traditional ediscovery software used for litigation reviews. I recently got together with Brian Evans, an expert in litigation technology, to discuss 9 key differences between data breach and litigation reviews. Here's what we came up with:
The primary goal of a data breach review is to find PII and PHI that is protected under a regulatory requirement, while a litigation review’s goal is to find information responsive to a discovery request. A data breach review may also include searching for other sensitive information, such as trade secrets, confidential information, state or defense secrets, or embarrassing information. For a data breach review, utilizing common litigation approaches like search terms and regular expressions results in enormous false positives to review and, based on case studies, will miss key documents containing reportable data.
A cyber incident may not be a data breach. When a cyber incident occurs, a determination must be made regarding whether protected data was exposed. This data breach impact assessment must be swift and reasonable in order to comply with regulatory notification requirements. If it is determined that no personal information was exposed, then the costly exercise of identifying who has been affected by the breach, public announcements, and the regulatory notification process can be avoided. In a litigation review, a similar process called early case assessment is designed specifically to find hot documents relevant to a particular case to reduce the volume of documents for review, as opposed to finding all reportable data.
Most cyber incidents with data breach require very rapid notification timelines due to insurance, contractual and regulatory requirements, normally 30 to 60 days from the date of incident detection. Perkins Coie’s excellent Security Breach Notification Chart calls out Timing of Breach for each state. The investigation phase to determine the scope of data requiring review often takes several days to weeks to determine the sources needing review, leaving only days to a few weeks (at most) to complete review and notification lists. In contrast, the scope and timing of litigation reviews can be negotiated with the opposing side under FRCP Rule 26(f) conference.
4. Review Staff
In contrast to a litigation review, attorneys are not required to make nuanced legal or privilege calls during a first-level data breach review. Reviewers with experience in cyber-related matters can quickly determine if a document contains sensitive information. Whether or not that information is reportable is later determined by an attorney.
A litigation review delivers a list of relevant documents corresponding to issues that tell a story. In contrast, a data breach review compiles a de-duplicated list of all affected individuals, their affected protected data elements, and contact information. This list provides information for the attorney to make decisions on reporting obligations by jurisdiction and is also used in the notification process itself. Just a few documents in a data breach review (e.g. monthly coordination of care or HR reports) can contain billions of affected elements that must be added to the list, consolidated, and cross-referenced with the source document.
Certain document types require special handling in a data breach review. For instance, image-based or handwritten documents (i.e. mortgage, tax, health care, employment, and financial) are rich in protected data that can’t be cut-and-pasted or otherwise extracted programmatically. The sensitive information contained in many of these images is not easily searched. Unless a litigation review targets these types of images, they are culled out before ever reaching the review team, or ignored entirely during the review itself.
Litigation review requires regular and timely reporting of certain metrics to gauge progress, accuracy, and totals of relevant or privileged information found. Data breach review requires much of this same reporting, but also requires on-demand sensitive data reporting of the numbers and types of protected elements found for each jurisdiction. These sensitive data reports are closely monitored so attorneys may change the scope of the review depending on the contractual, regulatory, and business reporting requirements. Insurers also require timely reporting of the scope and progress of the incident as part of their policy.
8. Cost Factors
Pressures to reduce costs are common in both litigation and data breach reviews, but what used to be acceptable in terms of costs for a data breach response has quickly changed to reflect much greater cost reduction pressures from both clients and insurers. The reasonableness for both cost and timing pressures continues to evolve, but is often at odds with the regulatory requirements and needs. As such, each response may have a different risk/cost calculation depending on several factors that will affect the scoping of both identification and review goals.
Data breach and litigation reviews are both grounded in defensible ediscovery standards, but workflows and outcomes are different. How and when to apply technology-assisted review capabilities differs dramatically between a data breach review and a litigation review. New technologies designed for the end-to-end data breach review workflow address the unique pain points of a data breach review, detecting protected data quickly and automatically resolving the list of affected individuals to provide faster and more accurate decision making on potentially reportable data.
Canopy’s Protected-Data Discovery system is proven to help teams achieve much higher accuracy and faster review speed with less effort. Who says you cannot improve on all three: better, faster, and cheaper? To schedule a demo of Canopy’s Protected-Data Discovery technology, please contact us.