[author: Tom Morse **]

A cyber security incident is a stressful and frightening event for an organization’s team. When it comes to putting cyber plans in place, organizations need to prepare for the worst-case scenario since it is no longer a matter of if a breach will occur, but when a breach will occur. Not only do policies need to be in place for preventing breaches, it is also helpful and reassuring to have a broad outline of the steps an organization’s counsel will take to analyze and remediate the problems caused by the incident. Below are tips on how to best handle a cyber incident privacy review, from the beginning of the incident to notification and after.

Determine the scope of the incident

When an incident occurs, every organization’s first concern is (and should be) business continuity and data integrity. The next priority must be identifying whose personal data was potentially affected. In cyber incidents occurring on structured data, this can be an easier task, as reports can be pulled from databases or HR systems to create the notification list. However, when unstructured data is implicated – whether in a business email compromise or ransomware incident – getting to the bottom of who needs to be notified can be a more difficult task.

The first stage in these unstructured data scenarios is to identify the overall scope of the incident – what data was accessed and must be searched for potentially sensitive data. In this phase, in-house attorneys and/or outside counsel typically work with data experts to determine what the threat actors accessed and what types of information is in that data.

Define Personal Information (PI)

Before beginning the cyber review, the team much understand what they are looking for. This means defining both the trigger for capture, and what must be captured in the presence of that trigger. Counsel has multiple considerations when delineating what qualifies as PI within this data: which laws and regulations apply to the organization and the individuals’ PI; what needs to be extracted versus what can be identified with a yes/no flag, and what will need to be communicated in the notification letter. For instance:

• If the organization is a medical provider or is a “business associate” of a medical provider, the Health Insurance Portability and Accountability Act (HIPAA) broadens the scope of an individual’s health and medical information that qualifies as PI;
• If the organization is a school, FERPA (Family Educational Rights and Privacy Act) adds an individual’s educational records to PI;
• If the organization does business in North Dakota or if individuals in the data are potentially from North Dakota, an individual’s date of birth qualifies as PI;
• If the organization does business or is located in the European Union, GDPR (General Data Protection Regulation) significantly broadens the scope of PI.

Determine which documents could contain PI

Once counsel defines PI for the exposed data set, they should work with their client and outside providers to decide which documents within the data are likely to contain PI. To make this determination, counsel must understand the typical types of content included in each of the exposed locations. A data processing provider can run searches across the text and metadata, like using the search terms “social security number” or expressions like ###-##-#### to get a view into the content. Counsel should also analyze the file names and file types of non-text documents to determine whether they are likely to hold PI. These steps refine the review population and help the team create a timeline and budget for the eyes-on review.

Review the documents to find and record PI

Once the population of documents requiring review is identified, data is extracted to create a notification list. For these unstructured data matters, counsel often works with a review provider to effectively and efficiently capture this information. Counsel communicates the decisions about what constitutes PI in this matter, the relevant triggers, and any other significant information to the review provider. In most cases, the review teams must work within a short timeframe, which means that upfront planning, document sampling, and constant communication between counsel and review teams is imperative.

Create the notification list

After the team completes the document review, counsel and the review provider consolidate the recorded entries into a list of individuals, with contact information and all identified PI for each individual.

In this data normalization and de-duplication phase, the team identifies unique versus duplicate records: which recorded entries apply to the same individual and which might be for different individuals with similar names. For instance, the team may need to decide whether a Jennifer Smith on one document with a financial account number and a Jennifer Smith with a social security number on another document should be consolidated or left as separate entries. To accurately consolidate the entries on the notification list, counsel should choose a provider with effective and defensible processes created specifically for this type of de-duplication.

Analyze Notification List

With the notification list in hand, counsel and the organization work to identify the various data subjects’ relationship with the organization. For example, are they employees, clients, or contractors? Counsel also determines which laws and regulations are applicable. The type of exposed PI, the location of the organization, and the current address of the affected individual can all dictate whether that data subject needs to be notified, what type of notification (e.g., direct mail, public notice) the individual must receive, and how detailed the letter must be.

Notification and post-notification services

Counsel shares the final notification list and instructions with a notification vendor who validates exposed social security numbers and researches contact information for the individuals with exposed PI. They send mailings to the individuals with contact information, set up a call center to address inquiries from notified individuals, and establish credit-monitoring services (if required).

Notice to regulators

Depending on which laws and regulations apply, counsel might need to notify regulators in the early stages. However, at this point, counsel usually notifies state, federal, and other privacy law regulators that the organization has been the victim of a cyber incident and informs them of the steps taken to notify exposed individuals and remediate potential damage.

Final steps

While notification and follow-up might be the final steps, from time to time, individuals contact the call center asking for details about their exposed PI. In those situations, counsel coordinates with the client and vendors to locate and deliver the requested information or the PI’s source documents.

Companies are often caught off-guard when they find that they are the victim of a cyber incident. As with other potential crises, it is best to start thinking about a response strategy before the event occurs. Knowing what to expect can help relieve some of that stress. It is important to develop a response plan, including identifying potential partners in the process, before an incident hits. A good response plan can quickly and efficiently answer these questions: (1) how will the situation be resolved, (2) who will oversee each step, (3) what personal information resides on the network, and (4) where does that data live. The best tip for cyber response review, then, is to take some time to think about these issues before the event occurs, to allow for a more methodical and comprehensive response.

**Tom Morse, senior review manager at Epiq. Tom is a licensed New York attorney with over seven years with Epiq and four years in their Cyber Incident Response group.

[View source.]