Data Breach Review – What is It, Who Does It, and What to Watch Out For
As noted in the Overview of this series, if an investigation into a breach indicates that personally identifiable information (PII) or protected health information (PHI) was involved, a data breach review is required.
The Data Breach Times turned to Joanne Shields to describe the process and issues. Joanne is the Director of Data Breach Review for Legal Outsourcing 2.0 and splits her time between the US and India. She is responsible for all phases of data breach review and is the primary point of contact for data breach clients. Prior to joining Legal Outsourcing 2.0, Joanne spent the last 6 years in India managing, training, and overseeing data breach teams. She has been the Data Breach Director for teams of 500+ reviewers at various Indian offices for companies such as Epiq, Integreon, and UnitedLex. She has trained staff in all areas of data breach review, including HIPAA, FERPA, GDPR, and PIPEDA, as well as all types of industries such as health care, financial, insurance, education, and many others.
The following interview has been edited for length and clarity.
Data Breach Times (DBT): What is involved in a “data breach review?”
Joanne Shields (JS): Once the forensics team finishes their analysis of the data that was breached, a dataset is created that will consist of the documents within the breached data that may contain PII/PHI. This is then sent to the review team for document-by-document review to determine if any PII/PHI is present and to extract the relevant PII/PHI for notification.
DBT: Is a data breach review something that all breach victims need to do?
JS: All companies, regardless of size, are required to notify affected individuals/companies that their data may have been compromised. Primarily this is done by reviewing documents to identify information. There are cases where, with the approval of a court or Secretaries of State, a company is allowed to do a universal notification to all their customers that a breach has occurred without doing a review of documents.
As an example, a few years ago when T-Mobile was breached, they were given approval to make a blanket notification. As a T-Mobile customer, I received a text message stating that the breach had occurred and any further steps I needed to take to protect my PII.
DBT: Are outside firms usually hired to do the data breach review?
JS: Yes. Data breach review requires a highly trained team that looks at individual documents and is trained to find individual PII/PHI. The team includes computer science experts who can deploy scripts and use AI to ensure quality and speed up the process.
DBT: How does the data breach review team know what kinds of personal or protected health information to look for?
JS: The only information a review team knows at the beginning of a review is the type of business that was breached which will give an indication of the types of documents they are likely to review. For example, documents from a breach of a financial institution will generally be limited to PII such as SSNs, bank account numbers, driver’s license information, etc., whereas a breach of a medical institution can include sensitive PHI data such as medical provider names, diagnoses, prescription information, insurance information, as well as PII.
DBT: Different states and different countries may have different regulations about what is considered personal information. How does the data breach review team know whether to identify IP addresses, email addresses, or other elements?
JS: Prior to the team beginning the review, a detailed list of instructions is prepared by the breach coach based on discussion with the client. The type of information that needs to be identified is governed by the laws and regulations in the location of the breached entity (individual/business) and not the physical location of the breached business.
That last point is worth emphasizing. Regardless of where your business is located, the state laws of the state(s) where affected individuals reside determine the notification requirements. Federal laws may impose additional requirements.
DBT: I understand that software like Canopy, Watchtower AI by Evolver or Relativity automates the process of finding to-be-targeted information. So why does it take some firms so long to complete the data breach review? I read breach notification letters that suggest that some reviews take many months. Why? Are they not assigning enough people to the review or is there some other explanation?
JS: I can’t speak for other firms, but when a review comes in and we know the document count and the due date, we use this information to determine the size of the review team. The review platforms that we use can assist us in identifying the “hot” documents that may contain the PII/PHI we are required to capture, but we need to review the documents themselves to understand the size and/or complexity of the documents. Large documents with many pages, handwritten documents, large spreadsheets with free text fields, and documents with over 50 entities can increase the time it will take to perform a review.
DBT: If entities outsource data breach review, what do they need to know to help them pick a reliable data breach review service? What questions should they ask potential review firms?
JS: #1 is accuracy and completeness. If something is missed during a review and it is later discovered that a person/company should have been notified, the breached company may be subject to fines from the attorney general where the entity is located. Alternatively, if an entity is notified multiple times for the same incident due to the review team failing to merge all relevant information into a single entry, the insurance company may refuse payment because of the cost of each individual notification, which is generally between $1-$2 per notice sent.
#2 is speed. Since notifications have a legally mandated timeline, the review generally has a date for delivery that is non-negotiable.
#3 is cost. Since the insurance company usually pays for the review, costs must be kept low. This is why most companies use review teams in low-cost countries such as India. But when a company picks a review provider based on cost rather than accuracy, there is the possibility that the review will be done with untrained, cheaper reviewers who produce inaccurate results.
If the organization that hired the review provider does not perform some type of quality control to identify inaccurate results, this could result in inaccurate notification. If these inaccuracies are discovered later by a regulator or even by an individual who was impacted and not notified, this could result in a very large fine for the breached company.
DBT: Does a data breach review firm have to have licensed lawyers who are familiar with all U.S. federal breach-related laws, state breach laws, and GDPR or other non-U.S. laws for entities that do business outside of the U.S.?
JS: No, because it is the data breach coach who determines what the review team should do. The data breach coach is a lawyer.
DBT: Can you say a bit more about the protocol in terms of how specific the instructions are for a data breach review?
JS: The protocol (instructions for review) is provided by the Breach Coach based on the laws and regulations that apply to the data of the business that has been breached.
DBT: Can you give us an example of an actual data breach review disaster that you know about?
JS: At this point in my career, I have been involved in 1,000+ reviews and have had to address various disasters, both large and small. Large disasters usually result from the misidentification of information on large spreadsheets with hundreds or thousands of lines. This can go both ways, such as identifying entries as PII when they are not, thus adding thousands of lines to the final deliverable, or misinterpreting the column headers and marking a document “Not Relevant” when PII/PHI is present.
But the biggest disasters are the incidents where someone decided they didn’t need to do a data breach review and people weren’t notified when they should have been.
DBT: Once the data breach review is completed, what happens?
JS: The data breach review team sends the results of the review to the Breach Coach. The coach takes the information and forwards it to the notification provider.