December 13, 2021 Caleb King
Data Breach Review
Data breaches cause significant legal tangles. All organizations in the digital age have a responsibility to their staff, partners, and customers to protect their sensitive information. If an organization fails to live up to that responsibility, a single data breach can put hundreds or thousands of people at risk.
Data breach reviews are similar to, but not the same as, traditional litigation data reviews. Traditional litigation discovery and data breach reviews are intended to examine a large amount of data to see what's legally relevant. However, that's where many of the similarities end. Keep reading to learn how data breach reviews and litigation document reviews differ and how to approach them correctly.
What Is a Data Breach Review?
Data breach reviews, sometimes called PII/PHI reviews, are an essential part of recovering from a breach. These reviews are a cyber incident response intended to scan potentially breached data for Personally Identifiable Information (PII) and Protected Health Information (PHI). These two types of data are protected, which means that companies subjected to a data breach of PII and PHI must take specific actions or face legal ramifications.
Data breach reviews are primarily intended to determine whether a specific breach has actually compromised any PII or PHI. However, even if it's proven that a breach couldn't have compromised data that's protected by regulations, a data breach review can still be performed. The review can assess the breached information and judge whether it contains:
- Confidential information
- State or defense secrets
- Trade secrets
- Embarrassing or private information
This is an invaluable process for any company facing a significant leak. The organization can identify anyone they need to contact regarding the breach of their private information to adhere to the law. It can also mitigate damage from the loss of other data unprotected by general regulations but covered by specific contracts. Performing a data breach review lets the organization be proactive instead of reactive.
The Differences Between Data Breach Reviews and Traditional Litigation Reviews
PII/PHI reviews and traditional litigation reviews are similar but not the same. Both processes are about finding relevant information in an extensive dataset for legal purposes. Beyond that, the two processes diverge:
Type of Information
In a litigation review, the reviewers are seeking specific information. They're looking for data and documents that support and prove their case's narrative, not a complete overview of every message and document related to the subject at hand.
Meanwhile, a data breach review is both broader and narrower. This type of review targets particular kinds of information but on a much wider scale. While a litigation review can begin with searching a dataset for specific keywords, data breach reviews must go further.
Timeline of Search
Unlike litigation reviews, a PII/PHI review has to operate on a short timeline. Data breach regulations and contractual requirements typically demand that organizations notify people whose PHI or PII has been leaked of the breach within 30 to 60 days from when the breach was noticed. The precise timeline for notifying people about data leaks is different in each state, but it's still much quicker than a litigation review's timeline.
Reporting Requirements
Both types of reviews require regular reporting to provide updates about how the process is going. However, data breach reviews have stricter reporting requirements because they are explicitly reacting to a known breach. Typically, a data breach review must provide on-demand, sensitive data reports so the attorneys involved can adjust the scope of the review as necessary.
Deliverables
Deliverables are where the two types of reviews differ most. A litigation review should deliver a collection of documents relevant to the litigation, preferably tailored to present a coherent narrative.
Meanwhile, a data breach review actually processes the data uncovered. The review should deliver a list of the people and organizations whose data was affected, what information was affected, and how to contact them.
Staff Requirements for Data Breach Reviews vs. Traditional Litigation
There's more to reviewing documents in a breach than the information involved. The data needs to be reviewed by someone to judge whether it's truly sensitive or not. This is another area in which litigation reviews and data breach reviews differ.
During a litigation review, the review staff must be qualified attorneys. These attorneys need to make calls about legal matters and privileges during even the first-level review. The entire review process relies on the attorneys' expertise to judge whether information is relevant, important, and safe to share.
This is partly because litigation reviews are more time-consuming than data breach reviews; the staff must be highly qualified and prepared to make significant decisions with every document they review.
A data breach review doesn't require the same amount of legal nuance. While first-level reviewers should be experienced in cybersecurity and data privacy requirements, they don't need to be attorneys. A PII/PHI review staff member usually doesn't need to make legal or privilege calls like a litigation reviewer.
Instead, they determine whether each breached document or data source contains sensitive information and leave the determination regarding whether it's reportable to second-level reviews. This means that a data breach review team can mix attorneys as second-level reviewers and cyber experts as first-level reviewers.
The Differences and Similarities of eDiscovery Technology
Both litigation and data breach reviews rely on eDiscovery technology. Many technologies fall under the eDiscovery umbrella, and a good system makes use of all of them. The fundamental technology requirements of both reviews are the same. They entail:
- Databases that support extensive data collections
- Security measures to maintain privacy and prevent data leaks
- Methods to search and sort through the collected data
These three elements allow the attorneys involved to access the data and review it for relevancy while keeping the information involved safe.
Furthermore, as more organizations and individuals adopted digital communication, the discovery process had to adapt. Alongside the technology itself, eDiscovery gave rise to an electronic discovery reference model, or EDRM. This model provides a framework for anyone performing any kind of discovery with digital data. High-quality eDiscovery technology will be built to conform to EDRM.
However, the way eDiscovery technology is used for traditional litigation discovery and data breach reviews looks quite different. While a litigation discovery can make heavy use of filters, regular expressions, and automated searches, PII/PHI reviews need a more personalized touch. The risk of missing a relevant document is much higher, so it helps to have a team of qualified reviewers performing more individualized searches. While data breach reviewers still make use of technology, the human touch is essential.
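To make the limits of automated searching concrete, here is an added example (not code from the original article or from Managed Review) of a first-pass scanner of the kind a data breach review might run before documents reach human reviewers. Everything in it is constructed: the five sample documents, the identifier patterns, and the PHI context words are illustrative assumptions. Structured identifiers such as an SSN or a card number can be matched by pattern, but a sentence describing a patient's treatment has no fixed shape, so the scanner can only route that document to a person; it cannot decide it.

```python
"""Constructed first-pass PII/PHI scanner for a breach review (added example).

Assumptions not taken from the original page: breached documents are
available as plain text, the identifier patterns and PHI context words below
are illustrative, and every outcome is a routing decision for reviewers,
not a final determination of reportability.
"""
import re

# Structured identifiers that a regular expression can locate reliably.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?<![\d-])\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    # 13-16 digit runs, optionally separated; validated with Luhn below.
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}

# Free-text health information has no fixed shape. These words cannot
# classify a document; they only route it to a human for a second look.
PHI_CONTEXT = ("diagnos", "patient", "prescri", "treatment", "medical record")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check, which filters
    order numbers and other long digit runs out of the card category."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_document(text: str) -> dict:
    """Find structured identifiers and PHI context wording in one document."""
    findings = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if name == "card":
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if hits:
            findings[name] = hits
    lowered = text.lower()
    context = [w for w in PHI_CONTEXT if w in lowered]
    if findings:
        triage = "hit"      # identifier found; second-level review decides reportability
    elif context:
        triage = "review"   # no pattern matched, but the wording suggests PHI
    else:
        triage = "clear"    # automated pass found nothing; sample-check by hand
    return {"findings": findings, "phi_context": context, "triage": triage}


def triage_corpus(docs: dict) -> dict:
    """Scan every document and return its result keyed by document id."""
    return {doc_id: scan_document(text) for doc_id, text in docs.items()}


def worklist(results: dict) -> dict:
    """Group document ids by triage outcome so reviewers can be assigned."""
    groups = {"hit": [], "review": [], "clear": []}
    for doc_id, result in results.items():
        groups[result["triage"]].append(doc_id)
    return groups


# Constructed sample documents standing in for a breached file share.
SAMPLE_DOCS = {
    "hr-001": "Employee file: SSN 123 45 6789, DOB 04/02/1980",
    "fin-002": "Refund to card 4111 1111 1111 1111 processed",
    "ops-003": "Order 1234567890123456 shipped; tracking pending",
    "med-004": "Patient J. Doe was treated for asthma; prescribed inhaler refill.",
    "crm-005": "Contact: jane.doe@example.com, (555) 867-5309",
}

if __name__ == "__main__":
    results = triage_corpus(SAMPLE_DOCS)
    for doc_id, r in results.items():
        print(doc_id, r["triage"], r["findings"], r["phi_context"])
    print(worklist(results))
```

Two details carry the article's point. The order number in `ops-003` is a sixteen-digit run that the card pattern matches, and only the Luhn check keeps it off the worklist; without such a filter, reviewers drown in false positives. Conversely, `med-004` contains health information that no pattern can match at all, so it lands in the "review" queue purely on context words, which is exactly the kind of document a keyword-only litigation search would miss.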
There's a world of difference between litigation document and data breach reviews. Organizations that have suffered a data breach must ensure that they perform a complete, accurate review of the breached data or face significant legal consequences. Managed Review can help.
Managed Review offers dedicated data breach review services built to fulfill the requirements for any organization facing a breach. With a team of qualified reviewers and the eDiscovery technology to keep data safe, we can help organizations meet their notification deadlines and remain in good standing. Learn more about how Managed Review can help organizations complete their data breach review accurately and on time today.