9 Differences between Data Breach and Litigation Reviews, Part 1
30 June, 2020


In a cyber incident response, data must be scanned for Personally Identifiable Information (PII) and Protected Health Information (PHI) to determine if a data breach of protected data has occurred. Data breach review of a business email compromise presents unique challenges that go unmet when utilizing the traditional ediscovery software used for litigation reviews. I recently got together with Brian Evans, an expert in litigation technology, to discuss 9 key differences between data breach and litigation reviews. See what we came up with in part one of this three-part post.

1. Identification

The primary goal of a data breach review is to find PII and PHI that is protected under a regulatory requirement, while a litigation review’s goal is to find information responsive to a discovery request. A data breach review may also include searching for other sensitive information, such as trade secrets, confidential information, state or defense secrets, or embarrassing information. For a data breach review, common litigation approaches like search terms and regular expressions produce an enormous number of false positives to review and, based on case studies, will miss key documents containing reportable data.
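The false-positive and miss problem described above can be measured on a small scale. The following is an added example, not code from this post or from any product it mentions: it scores a plain search-term style regular expression for U.S. Social Security numbers against constructed sample lines, next to a variant that tolerates separators, applies the SSA structural rules, and requires a context keyword (that variant is an assumption chosen for illustration).

```python
import re

# Litigation-style search pattern: any 3-2-4 digit group with hyphens.
NAIVE_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Looser candidate pattern: hyphen, space or no separator at all.
CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
KEYWORD = re.compile(r"\b(ssn|social)\b", re.IGNORECASE)

# Constructed sample lines: (text, line really contains an SSN?)
SAMPLES = [
    ("Employee SSN: 212-09-4821 per HR form", True),
    ("Order ref 000-12-3456 shipped Tuesday", False),  # area 000 is never issued
    ("Part no. 987-65-4321 back in stock", False),     # areas 900-999 are not SSNs
    ("social 212 09 4821 for the W-2", True),          # spaces instead of hyphens
    ("SSN is 212094821, DOB 1/2/1980", True),          # no separators
    ("Tracking 666-45-1234 delayed", False),           # area 666 is never issued
    ("Her number is 212-09-4821, call her", True),     # real SSN, no keyword nearby
    ("SSN field left as 000-00-0000 placeholder", False),
]

def naive_hit(text):
    return bool(NAIVE_SSN.search(text))

def validated_hit(text):
    # Require a context keyword, then a structurally valid candidate.
    if not KEYWORD.search(text):
        return False
    for area, group, serial in CANDIDATE.findall(text):
        if (area not in ("000", "666") and area[0] != "9"
                and group != "00" and serial != "0000"):
            return True
    return False

def score(detector):
    """Return (true positives, false positives, false negatives)."""
    tp = fp = fn = 0
    for text, has_ssn in SAMPLES:
        hit = detector(text)
        tp += hit and has_ssn
        fp += hit and not has_ssn
        fn += (not hit) and has_ssn
    return tp, fp, fn

if __name__ == "__main__":
    print("naive     (tp, fp, fn):", score(naive_hit))
    print("validated (tp, fp, fn):", score(validated_hit))
```

On these constructed lines the plain pattern flags more non-SSNs than SSNs and misses two real ones, while the stricter variant removes the false positives but still misses the SSN that has no keyword near it.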

2. Assessment

A cyber incident may not be a data breach. When a cyber incident occurs, a determination must be made regarding whether protected data was exposed. This data breach impact assessment must be swift and reasonable in order to comply with regulatory notification requirements. If it is determined that no personal information was exposed, then the costly exercise of identifying who has been affected by the breach, making public announcements, and going through the regulatory notification process can be avoided. In a litigation review, a similar process called early case assessment is designed specifically to find hot documents relevant to a particular case and so reduce the volume of documents for review, as opposed to finding all reportable data.

3. Timing

Most cyber incidents involving a data breach come with very rapid notification timelines due to insurance, contractual and regulatory requirements, normally 30 to 60 days from the date of incident detection. Perkins Coie’s excellent Security Breach Notification Chart calls out Timing of Breach for each state. The investigation phase, which determines the sources needing review, often takes several days to weeks, leaving only days to a few weeks (at most) to complete review and notification lists. In contrast, the scope and timing of litigation reviews can be negotiated with the opposing side at the FRCP Rule 26(f) conference.

In the next blog post, we will cover three more key differences between Data Breach and Litigation Review: review staff, deliverables, and images.


Canopy’s Protected-Data Discovery system is proven to help teams achieve much higher accuracy and faster review speed with less effort. Who says you cannot improve on all three: better, faster, and cheaper? To schedule a demo of Canopy’s Protected-Data Discovery technology, please contact us.


  •   Ralph Nickl, Brian Evans
  •   Data Breach
  •   Reading Time 3 min