The Need for a Cyber-Specific Approach for Effective Breach Notification

The eDiscovery review processes, and its players, have long been documented, defined, and understood. Comparatively, the approach for Cyber Incident Response (CIR) is newer and quickly getting the definition and attention it deserves. Despite the growing clarity of differences, many still believe shoe-horning the eDiscovery Reference Model (EDRM) into the world of cyber breach response is sufficient. That is an incorrect, and potentially risky assumption.

The major differentiating factors influencing a cyber specific approach are knowing the players, understanding the end goal, and ensuring the requirements of the output. When all three factors are thoroughly considered, the delineation between an eDiscovery and a cyber incident process is clear.

1. Knowing the Players

It is vital to implement a strategic process that understands and takes into consideration all the players that touch, contribute to, and support a breach response. This can include all or some of the following: breached individuals, end clients, counsel or breach coaches, insurance companies, forensics teams, platform providers, review teams, and notification and monitoring vendors. All participants must be on the same page to ensure clients and impacted parties are reassured, counsel is confident, and regulators are satisfied. For example, an experienced data mining team will know that jurisdictional requirements need to be discussed well before other partners’ processes can be finalized. An effective project management team can coordinate the parties, guide everyone through multistage workflows, and communicate effectively on topics from sample protocols to post-notification vendors. An attentive review team can identify workers’ compensation claim data in a self-insured organization and quickly prioritize its elevation, knowing that a change from a PII/PHI focus to a HIPAA focus is necessary. It is to everyone’s advantage to work with an experienced cyber partner that can accommodate an expansive portion of the CIR process to lower risk, ensure accuracy, and achieve cost savings.


2. Understanding the End Goal

The eDiscovery world is focused on, and rightfully built around, the formulation of concepts gleaned from context and connections within datasets. Everything from searching and population establishment to deposition and trial preparation depends on an analytical, legal approach. Focused on options/answers applicable to a thematic need of litigation or regulatory response, the eDiscovery model uses data to DEFINE the end goal. In contrast, the CIR process focuses on content and is only tangentially impacted by the context of legal constructs. It is important to understand that the end goal already exists within the identified dataset. As a result, it is imperative that the approach is technologically sound and advanced enough to identify and then REFINE the raw elements into a clean notification list. Client data must be mined/reduced in a manner appropriate for CIR, not eDiscovery. To accomplish this, the review technology must allow for complex and ever-expanding datapoints with varying levels of association. Following that, the reviewers themselves must be trained to spot the differences between, say, a medical record number and a social security number, and further be able to mark each accordingly. Finally, the resulting Consolidated Entity List must be prepared for use by either an internal or an external notification team.


3. Ensuring the Right Output

On occasion, an eDiscovery review team is required to remain behind and create a privilege log. Containing the reasoning and a brief description of the content and the privilege being asserted, a privilege log is tedious, exacting work requiring an additional organization of documents from a review population. Adding unpredictable time and expense at the end of the review process, it usually involves heavy legal consultation and direction. The form is dictated by the arguments of counsel and stated designs of the court. Outside of error or additional ruling and review, once completed it is rarely reformed. Conversely, the Consolidated Entity List (CEL) required at the end of every cyber review contains ALL the relevant data points from every entity and can run well into the millions of entries. All workflows should take this into consideration as the final CEL presents the most concise and accurate list for notification. Additionally, the CEL is often revised several times post release due to the supplementation or supplanting of data by the end client. A client may ask for employee numbers to be included. A client may have a listing of addresses for certain entities that needs to be incorporated into an updated consolidation. Breach counsel may have a list of social security numbers to separate employees from customers that must be notified. Finally, beyond any truly final version of a list, there remains the actual notification and similar support such as call centers and credit monitoring.
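As an added illustration of the CEL workflow described in sections 2 and 3 (reviewer-marked data points consolidated per entity, then revised with client-supplied data and split by counsel's list), here is example code that is not part of the original article or of Integreon's tooling; the findings, data types, and values are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: reviewer findings as (entity, data_type, value).
# An entity can be hit in many documents; the CEL needs one consolidated row per entity.
REVIEW_FINDINGS = [
    ("Ann Lee", "SSN", "123-45-6789"),
    ("Ann Lee", "MRN", "MRN-0001"),
    ("Ann Lee", "SSN", "123-45-6789 "),   # same SSN found again in a second document
    ("Bob Ray", "DOB", "1980-02-01"),
    ("Bob Ray", "SSN", "987-65-4321"),
    ("Cy Dole", "ADDRESS", "1 Main St"),
]

# Data types that move an entity from a PII track to a HIPAA-driven notification track.
PHI_TYPES = {"MRN", "DIAGNOSIS", "HEALTH_PLAN_ID"}


def consolidate(findings):
    """Build the CEL as {entity: {data_type: set(values)}}, deduplicating repeated hits."""
    cel = defaultdict(lambda: defaultdict(set))
    for entity, dtype, value in findings:
        cel[entity][dtype].add(value.strip())
    return cel


def supplement(cel, extra):
    """Post-release revision: merge client-supplied fields (employee numbers, addresses)."""
    for entity, dtype, value in extra:
        cel[entity][dtype].add(value.strip())
    return cel


def classify(cel, employee_ssns):
    """Separate employees from customers using counsel's SSN list; returns {entity: role}."""
    roles = {}
    for entity, points in cel.items():
        roles[entity] = "employee" if points.get("SSN", set()) & employee_ssns else "customer"
    return roles


def notification_track(points):
    """Return 'HIPAA' when an entity's row carries any PHI-type data point, else 'PII'."""
    return "HIPAA" if PHI_TYPES & set(points) else "PII"
```

The consolidated rows, not the individual document hits, are what a notification team or vendor would consume, and each supplement call produces a revised CEL without re-reviewing documents.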


In conclusion, any truly effective approach to cyber incident response is not merely an exercise beyond eDiscovery, but one that should be considered wholly apart. For organizations like Integreon, with a resume of over 16 million documents and almost a billion entities, it is apparent that having a unique process and approach to cyber is essential. A recommended CIR approach is one that has been vetted and honed over years by experienced cyber professionals, supports continuous improvement, and is flexible enough to allow a customizable output supporting accurate and timely notification.

Lee Marler

Director and Subject Matter Expert – Cyber Incident Response (CIR) at Integreon