PII & PHI Data Breach Review

March 11, 2022
Caleb King

Data breaches happen when information from a company is accessed or leaked without authorization. Such breaches are dangerous for businesses and consumers since they involve various data types, including personally identifiable information (PII), financial information, personal health information (PHI), competition information, legal information, intellectual property data, and more. When this information gets leaked or misused by malicious third parties, it can damage lives and reputations and leave individuals at risk of identity theft.

Consumer and business PII and PHI are particularly vulnerable to data breaches. To protect this vital information from being accessed and misused, companies need to conduct data breach document reviews to gather a list of people and businesses whose personal information has been leaked. Companies can then use this list to comply with breach notification laws. Read on to learn more about PII/PHI review.

What is a Data Breach Review?

A data breach review is a type of managed document review.

Data breach reviews focus on finding individual and business PII and PHI in the breached documents. This makes them different from other types of document review projects, such as litigation reviews and due diligence reviews, which focus on identifying information responsive to the client’s protocol.

Data breach reviews may also involve locating other sensitive information, such as:

  • Trade secrets
  • Embarrassing personal information that doesn’t fall under PII and PHI

How Data Breach Reviews Work

Data breach reviews are conducted much like other types of document review projects. However, there are some key differences as well.


Like other document review projects, data breach reviews involve a team of review attorneys led by a project manager, who monitors the project to see if the reviewers are on the right path. To ensure the reviewers are identifying the right information according to the client’s protocol, the project manager will:

  • Identify keywords and perform searches to see if the team missed any PII, PHI, or other potentially sensitive information
  • Provide corrective coaching to reviewers so any misunderstandings are remedied as quickly as possible
  • Create new tags and flags based on the client’s requirements so the reviewers can categorize different types of sensitive information
  • Run quality control checks during the project and after the project has been completed to ensure the final results meet the client’s needs


As with other types of document review, data breach reviews require the use of eDiscovery platforms such as Relativity.

Depending on how many names and other PII and PHI data points are in the documents, the review team may also have to use other tools such as Microsoft Excel and Google Sheets to compile the list of affected individuals and businesses.

Review Lawyers’ Responsibilities

Unlike in other forms of document review, lawyers on data breach projects don’t have to cover quite as much detail. In litigation review projects, reviewers have to determine whether the documents they’re reviewing are relevant to the legal issue at hand and whether they are privileged. In data breach projects, however, the review team only needs to identify:

  • If the documents they’re reviewing contain sensitive information such as PII and PHI
  • What kind of PII and PHI may be in the documents

Like litigation reviewers, data breach reviewers will be looking at email chains, PowerPoint presentations, and other text-heavy documents to determine if there’s any sensitive information. They will also have to manually look through image-based documents, such as scanned health care and HR forms, whose contents typically can’t be extracted or located, even using eDiscovery tools such as Relativity.


In a litigation review, the project manager will deliver a list of documents that are relevant to the litigation issue at hand. In addition, in a data breach review the project manager will give the client a de-duplicated list of all individuals and companies affected by the data breach, including:

  • Their full names as extracted from the documents
  • Their contact information
  • Their affected protected data points
  • What jurisdiction (i.e., state and country) each affected individual or business is in

The client will then use this list to comply with breach notification laws. In most jurisdictions, this means providing affected individuals and businesses with written notice of the breach.


Document review companies will work quickly to start and finalize data breach review projects. That’s because most data breach reviews operate on short timelines due to contractual, regulatory, and insurance requirements.

Perkins Coie’s Security Breach Notification Chart, for instance, shows that most states require companies to provide affected consumers, clients, and other parties with written notice of a data breach 30 to 60 days from the date of incident detection. Since the review team needs around a week or two to determine the scope of data that needs to be reviewed, that leaves the document review lawyers anywhere from a few days to around three weeks to complete the data breach review.

In contrast, other types of document review, such as litigation reviews, don’t need to be finished as quickly. Under Federal Rules of Civil Procedure Rule 26(f), the timing and scope of litigation reviews can be negotiated with the other party or parties.


Like litigation review, data breach review requires constant and timely reporting of metrics to evaluate the progress of the PII and PHI discovery process. As the review team builds the list of names of affected individuals, the project manager will review the information for accuracy. They will also monitor observable trends to determine if the scope of the review needs to be changed to better suit the client’s needs.

Managed Review’s Data Breach Review Services

At Managed Review, we offer seamless solutions for data breach review. As with our other services, our data breach reviews are scalable and tailored to your needs — regardless of complexity, budget, review platform, duration, team size, or schedule.

With our transparent staffing model, we can create and deploy teams of experienced reviewers for you. Our advanced mobile apps and AI-powered hiring platform will ensure that our handpicked, vetted reviewers are the most productive and suited to the task at hand. If you need to review documents in other languages, for instance, we can assemble a suitable team from our active pool of more than 1900 foreign language document review lawyers with fluency in more than 100 languages. What’s more, our reviewers can review on-site or remote, depending on your needs and preferences.

Additionally, we at Managed Review utilize superior technology and seasoned professionals to provide you with a secure, budget-friendly, and consistent review process. Our Project Managers will coordinate, plan, supervise, and report on every step of your data breach review project to make sure you can meet your deadlines on time and that all PII, PHI, and other vital data points have been accurately captured. If you need more information about the review process, you can also look into our team leads, who are available to serve as an additional pair of eyes and ears on the review platform or floor.

About Managed Review

Managed Review can help your organization’s law firm or legal department take on document review projects of any timetable, size, or budget. We provide legal staffing, e-Discovery solutions, project management, and more.

In addition to data breach reviews, we also conduct the following types of document review projects:

  • Second request and due diligence
  • Foreign language
  • Investigations and subpoenas
  • Litigation and arbitration
  • Privilege review

To find out more, contact us. We’ll get back to you within a day.
