eDiscovery and Data Breaches

Posted by Mark Greisiger

A Q&A with Carolyn Purwin Ryan of Cipriani & Werner and Larry Brown of Epiq
When used in the wake of a data breach, eDiscovery tools can help companies manage their legal and regulatory risks through the inventory of compromised sensitive information. At the Net Diligence Cyber Risk Summit, we spoke to Carolyn Purwin Ryan of Cipriani & Werner and Larry Brown of Epiq about how these technologies help companies improve both incident response and litigation readiness.

How is eDiscovery effective following a breach event?
LB: In a breach event, you need to have an understanding of where the data is, what you’ve been storing and then have the right tools to apply to that data set, whether you’re doing a targeted search or using broad terms.

CPR: When an incident occurs and an attacker gains unauthorized access to an email inbox, a company must then ask what kind of information is in its inboxes. Is it PHI? PII? Does your company store driver’s licenses? Social security numbers? Depending on the type of data, it’s going to be subject to different state and federal notification laws and regulations. With so many eDiscovery vendors on the market, they all offer different tools and technology, including artificial intelligence that can assist in the process of data mining and e-discovery. We work with the vendors to develop keywords that will help them uncover data that would trigger notice.

What technologies are typically involved in eDiscovery? How can companies distinguish between them when choosing a vendor?
LB: The technologies cover a broad spectrum and we’ve really seen them advance. Of course, artificial intelligence is very big. In a breach response, as opposed to litigation, there is a lot less tolerance for any kind of error. What we’ve been seeing in the marketplace is a lot of off-the-shelf proprietary technology but it’s hard to know what is happening behind the black box and know if that is going to work in every situation. Not all data sets are the same. Data is generated in different ways and it’s compressed in different ways and you’re going to come up with errors. Our company is agnostic as far as technology—we look for the best technology for the specific data set and keep a lot of arrows in our quiver, if you will.

Are there any tactics that might increase efficiency and reduce the time/costs with manual human review?
LB: As Carolyn mentioned earlier, it’s important to know which regulations are applicable. You need to know your system and your data. It goes back to litigation and incident response readiness as a company. You need to have a plan and a data map and an understanding of where everything is so that when that incident actually happens, you’re not wasting time fishing around. For us, that means spending 20 to 30 minutes up front talking to the client and the operational team, whether that’s the Breach Coach® or others, to lay the groundwork, to understand their technology and their data so we can reduce their data set.

CPR: Some of it is simply having the right keywords, keeping in mind the scope of the data stored. You need to look at yourself as a company and ask whether you really need to store certain types of data and for what period of time. We have dealt with companies where hackers gained access to data from an employee who worked at a company for 15 to 20 years and had information about clients from the same time span, which they didn’t need to hold that long. If you store PHI, also be aware of the applicable state and federal rules that require storage of medical records for a certain number of years. You can always reduce cost associated with e-discovery by limiting users’ access to data. Implement protocols but also acknowledge that people are human and may not always abide by them. And in some cases, you’re going to still have data that requires some manual review. For instance, if you have EINs that are nine digits which are the same as an SSN. Another example is JPGs or signatures that are not searchable. These are cases when AI is not going to see the difference and you will need quality control.

What are some other challenges associated with eDiscovery?
LB: The reality is that most people use their work email box as a file cabinet to store attachments and all kinds of personal data. When you magnify that across a company it becomes very challenging to inventory. When the data is not mapped up front, it is harder for us to move quickly, particularly if it sits with a third party.

CPR: Be cognizant of deadlines. Data mining and e-discovery take time. It is integral to keep mindful of notification deadlines to individuals, Attorneys General and other regulators. In addition, it’s not just that employees don’t always know where things are but they don’t always have the education to understand the importance of the eDiscovery process. For instance, if you don’t have addresses for notification that’s going to slow down your timing as well—is the plan to use a company to track them down or is that built into your eDiscovery process? If you only have a week, it’s important to know. It’s very important to have these conversations up front.

In summary…
We want to thank Ms. Purwin Ryan and Mr. Brown for their insights into this important topic. As the steady increase of cyber/privacy data breach events creates more class-action litigation, we can expect to hear more about the eDiscovery process and the importance of having trusted, knowledgeable experts to perform the often granular required tasks of preparing for litigation.