Data breaches are on the rise
According to the Identity Theft and Resource Center, there was a record high of 1,579 data breaches in 2017, an increase of 44.7 percent from the prior year. The majority of the breaches occurred in the business category, followed closely by those in the Medical/Healthcare industry. While data breach cases are not handled in the manner of typical litigation, companies must actively seek to minimize and manage their legal risk for failing to timely notify individuals that their information has been compromised.
The role of information governance
Dan Rogers, a Managing Attorney at Special Counsel who works extensively in the field of data breach, opined that the trend in data breach cases is not centered on the development of new security software, but rather on advising clients on data security and information governance. Information governance is the policy by which an organization and its employees safeguard electronically stored information (ESI). Many companies now have cyber security policies that insure against costs related to damages from third party lawsuits, payment fraud, and business interruptions.
Unfortunately, some companies are not aware of the need for more intensive data security until a breach occurs and it is too late. Specialized software can encrypt sensitive data to prevent theft; however, hackers or malware can make these measures useless. Companies are now looking to employ specialists whose sole concentration is to make sure that the types of data stored are sufficiently de-identifiable. Simply put, instead of identifying a patient or employee by social security number, a company can use specially created patient or employee identification numbers to track individuals. This ensures that even if the data is obtained fraudulently, the information cannot be used to cause harm or theft.
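The substitution described above, as an added example that is not part of the original article: each social security number is replaced by a randomly generated identification number, and the only link back to the real number is held in a separate mapping. The class and function names, the field names and the sample records are assumptions made for illustration.

```python
import re
import secrets

def normalize_ssn(ssn):
    """Reduce an SSN to its 9 digits so '900-00-0001' and '900000001' match."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return digits

class PseudonymVault:
    """Holds the only link between surrogate IDs and real SSNs."""
    # Assumption: in practice this mapping is kept in a separate,
    # access-controlled store, never beside the working data set.

    def __init__(self, prefix="EMP"):
        self.prefix = prefix
        self._id_by_ssn = {}
        self._ssn_by_id = {}

    def surrogate_for(self, ssn):
        key = normalize_ssn(ssn)
        if key not in self._id_by_ssn:
            # Random, not derived from the SSN, so the ID reveals nothing
            # about the number it stands for.
            new_id = f"{self.prefix}-{secrets.token_hex(8)}"
            self._id_by_ssn[key] = new_id
            self._ssn_by_id[new_id] = key
        return self._id_by_ssn[key]

    def reidentify(self, surrogate_id):
        return self._ssn_by_id[surrogate_id]

def pseudonymize(records, vault, ssn_field="ssn", id_field="employee_id"):
    """Return copies of the records with the SSN swapped for a surrogate ID."""
    out = []
    for record in records:
        clean = {k: v for k, v in record.items() if k != ssn_field}
        clean[id_field] = vault.surrogate_for(record[ssn_field])
        out.append(clean)
    return out

# Constructed sample data; the SSNs are made up for illustration.
SAMPLE_RECORDS = [
    {"ssn": "900-00-0001", "dept": "Billing", "claim_total": 1200},
    {"ssn": "900-00-0002", "dept": "Claims", "claim_total": 310},
    {"ssn": "900000001", "dept": "Billing", "claim_total": 75},
]
```

The same individual keeps the same identification number across records, so tracking still works, while the pseudonymized copies carry no social security number at all.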
Data breach policies in eDiscovery
Inadvertent data breaches can also happen in the realm of eDiscovery. Currently, the following regulations are applicable to eDiscovery production:
- The Family Educational Rights and Privacy Act
- The Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI) involving credit card number disclosure
- Fair Credit Reporting Act
- Fair and Accurate Credit Transactions Act
This means that legal practitioners must be aware that producible documents may contain either protected health information (PHI) or personally identifiable information (PII). The challenge is to then make sure that all documents containing this information are redacted and labeled appropriately before production is made to the opposing party. Since the majority of managed reviews are those in which the documents are completely ESI, the risk is twofold in that the practitioner must safeguard the integrity of the data collection process as well.
Defending against a data breach
Special Counsel is uniquely poised to handle these risks from beginning to end. We have a specialized and dedicated team of IT professionals trained to ensure safe and secure data collection, reviewers trained to appropriately identify PHI and PII and apply redactions, and a customized workspace for data breach cases that was created to capture and create reports for timely notifications. To learn more, take a look at our service offerings and reach out to your local branch consultant.