Peer to Peer: ILTA's Quarterly Magazine, Winter 2021

Issue link: https://epubs.iltanet.org/i/1439196

essential to either develop an internal data breach mitigation process or hire an outside vendor that can provide customized processes and has the expertise and resources to effectuate them.

If you choose to include review and notification procedures for third-party businesses and a review to identify internal confidential data, it is important to determine whether you will conduct them concurrently or in succession and, if concurrently, whether a single team will review the documents for all three categories simultaneously. To help make this decision, first evaluate the scope of each individually. If the relevant statute or regulation imposes an aggressive and strict timeline within which individual data subjects must be notified, you may not have the flexibility to implement a contemporaneous workflow. First steps in determining the size and timing of the required effort can include running the data through an appropriate screen targeted to capture names, addresses, birthdates, Social Security numbers and other personal identifiers like eye color, height, weight and, of course, olfactory information.

Olfactory information? Yes, you read that correctly. The CCPA includes "olfactory information" as a category of personal information. What this means exactly is unclear, but presumably it is something that would come up in the context of someone smelling really good or really bad (or perhaps something more specific, as in the case of Charlie Mackenzie's ex-girlfriend Pam from the movie So I Married an Axe Murderer – he broke up with her because "she smelled like soup").

Think of your screening and review for data breach remediation as discovery for an internal investigation with external ramifications.
You want your search terms to be broad enough to identify the vast majority of personally identifiable information, but narrow enough that the resources required to complete the review do not go beyond the bounds of reasonableness. For example, it is probably not a reasonable expectation that your vendor review 100 million documents out of an original set of 110 million. At the same time, it is probably not reasonable to merely do a spot check. Also, as in a discovery review, using a standard review platform and setting up a coding panel to tag PII types and capture text will be invaluable for fulfilling your reporting requirements later and providing further documentation of your process. In addition, you can distinguish between documents that contain sensitive and nonsensitive personal information, a step that will be extremely helpful in identifying which individuals require notification.

If you decide that it is wise to notify commercial entities such as vendors, business partners and corporate clients, you may choose to run a data breach screen that targets documents containing account numbers, personnel cell phone numbers, confidential/proprietary information and a list of known entities. Some of this will overlap with personally identifiable information, and some of it will be unique to a "business terms" screen. Again, there is value in using a discovery review tool so that you can code documents based on the type of information they contain. Because these documents may contain PII as well, there can be significant time and cost savings in having a single review team review them for both purposes concurrently. Reviewers skilled in data breach reviews should be able to manage identifying both personal and business information.
Finally, depending on the scale of the breach, it is likely prudent to review the compromised documents for your organization's own confidential, proprietary or otherwise commercially sensitive information, or anything that would cause a reputational risk to the company if made public. There are different ways this can be accomplished. One method is to run a single confidential information screen based on the types of documents in the breached servers or in the possession of breached custodians. Another is to run a separate screen for each server based on department or for each custodian based on
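As an added illustration of the three screens discussed above (personal information, business terms and internal confidential data) run concurrently by one team, the following Python sketch tags a few constructed documents the way a coding panel would and sizes the review population per category. It is not code from the article or from ILTA; the regex patterns, the sensitive/nonsensitive split, the entity list, the confidentiality markers and the sample documents are all assumptions made for the example.

```python
import re
# Three screens mirroring the article's categories. Patterns, entity list and
# markers are assumptions for this example, not a vetted production screen.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
SENSITIVE_PII = {"ssn", "dob"}  # types that trigger individual notification (assumed)
BUSINESS_PATTERNS = {"account_number": re.compile(r"\bACCT-\d{6,}\b")}
KNOWN_ENTITIES = ["Acme Holdings", "Globex Corp"]  # constructed list of business partners
CONFIDENTIAL_MARKERS = ["CONFIDENTIAL", "PRIVILEGED", "TRADE SECRET"]

def screen_document(doc_id, text):
    """Run all three screens over one document; the result is one coding-panel row."""
    pii = {n: len(p.findall(text)) for n, p in PII_PATTERNS.items() if p.search(text)}
    business = {n: len(p.findall(text)) for n, p in BUSINESS_PATTERNS.items() if p.search(text)}
    entities = [e for e in KNOWN_ENTITIES if e.lower() in text.lower()]
    markers = [m for m in CONFIDENTIAL_MARKERS if m in text.upper()]
    return {
        "doc_id": doc_id,
        "pii_types": pii,
        "sensitive_pii": bool(SENSITIVE_PII.intersection(pii)),
        "business_terms": business,
        "entities": entities,
        "confidential_markers": markers,
        "needs_review": bool(pii or business or entities or markers),
    }

def screen_corpus(docs):
    """Screen every document and size the review population per category."""
    records = [screen_document(doc_id, text) for doc_id, text in docs.items()]
    summary = {
        "total": len(records),
        "needs_review": sum(r["needs_review"] for r in records),
        "sensitive_pii": sum(r["sensitive_pii"] for r in records),
        "business": sum(bool(r["business_terms"] or r["entities"]) for r in records),
        "confidential": sum(bool(r["confidential_markers"]) for r in records),
    }
    return records, summary

# Constructed sample documents standing in for files from a breached server
SAMPLE_DOCS = {
    "doc-001": "Employee Jane Doe, SSN 123-45-6789, DOB 03/14/1985.",
    "doc-002": "Contact jdoe@example.com to reschedule the vendor call.",
    "doc-003": "Wire instructions for Acme Holdings, account ACCT-0012345, attached.",
    "doc-004": "CONFIDENTIAL: Q3 pricing model and margin targets.",
    "doc-005": "Quarterly cafeteria menu: soup on Tuesdays.",
}
```

Calling `screen_corpus(SAMPLE_DOCS)` returns the per-document rows plus a summary showing that four of the five documents need review, only one carries sensitive PII, and one each hits the business-terms and confidential screens.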
