[Webcast Transcript] From Breach to Insight: Incident Response & PII Recovery


[co-authors: Michael Sarlo and Jonathan Wilan*]

Editor’s Note: In this informative webcast, Christopher Wall, DPO and Special Counsel for Global Privacy and Forensics at HaystackID, moderates a compelling discussion titled “From Breach to Insight: Incident Response and PII Recovery.” Joined by Jonathan Wilan, Partner at Sidley, and Michael D. Sarlo, Chief Innovation Officer and President of Global Investigations and Cyber Incident Response at HaystackID, the panel delves into the multifaceted challenges of incident response and PII recovery. Wall sets the stage by emphasizing the pervasive risk associated with personal information in today’s digital age. Wilan underscores the varying types of sensitive data and each type’s unique risks. At the same time, Sarlo stresses the increasing sophistication of cyber threats and the critical role of employee vigilance. The panelists collectively shed light on the complexities of cybersecurity, the importance of establishing defensible processes, and the essential role of technology and training in mitigating risks.

Read the full transcript below and access the presentation on-demand here for actionable strategies for PII recovery after a data breach.

Expert Panelists

+ Jonathan Wilan 
Partner, Sidley

+ Christopher Wall
DPO and Special Counsel for Global Privacy and Forensics, HaystackID

+ Michael D. Sarlo
Chief Innovation Officer and President of Global Investigations and Cyber Incident Response, HaystackID


By HaystackID Staff

Transcript

Moderator

Hello everyone, and welcome to today’s webinar. We have a great session lined up for you today. Before we get started, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions that you have, and we’ll share them with our speakers. Second, if you experience any technical difficulties today, please use the same question tool, and a member of our admin team will be on hand to support you. And finally, just to note, this session is being recorded, and we’ll be sharing a copy of the recording with you via email in the coming days. So, without further ado, I’d like to hand it over to our speakers to get us started.

Christopher Wall

Hi, and welcome everyone. My name is Chris Wall, and thank you, Mouna, for the introduction. I’m Special Counsel for Global Privacy and Forensics at HaystackID. And on behalf of the entire team at HaystackID and Lexology, I’d like to thank all of you for attending today’s presentation. Our discussion today is titled “From Breach to Insight, Incident Response, and PII Recovery.” Today, we’re going to talk about incident response. We’re going to talk about PII recovery and what that means, what it entails, and some of the considerations surrounding that critical component of the broader effort that is incident response. So, I’ll be our guide on today’s discussion, which is part of HaystackID’s ongoing educational series of webcasts that we hold almost on a monthly basis that are designed to provide helpful insights and to help you stay ahead of the curve in achieving your cybersecurity, your information governance, your privacy, and your eDiscovery objectives.

As Mouna mentioned, today’s webcast is being recorded and it’ll be made available for future on-demand viewing. After today’s live presentation, we’ll make the recording and a complete presentation transcript available. It’ll be available on HaystackID’s website. So, joining me today are two really highly respected panelists and leaders in the privacy and cybersecurity field, Mike Sarlo and Jonathan Wilan. We’re really sorry that Sean Belovich, our third panelist, isn’t able to join us because of an unexpected family issue, and in his absence, our thoughts are with him and his family. And I’ll add before we get started here, what has now become a standard disclosure by saying that our panelists today are speaking on their own behalf, and our comments or any views that we may express may or may not reflect the views or the positions of our respective employers or the organizations that we work for. So with that, let’s just take a moment and I’ll let each one of you introduce yourselves. Jonathan, let’s start with you.

Jonathan Wilan

Thanks Chris. Glad to be here. Speaking about a very important topic in the context of cyber incidents and cyberbreaches. I’m a partner at Sidley in the Privacy and Cybersecurity group, where I’ve practiced for the last 20 years, focused on digital risk in all its aspects. Also, I sat on the Sedona Conference Working Group’s Steering Committee for Data Security and Privacy Liability. What I try to do is bring my experience in litigation and disputes and regulatory matters to cyber incidents. [From the first dispute that happens or on the first call we get for a cyber incident], we are thinking about what the company can do to make sure they’re meeting all their obligations and bringing good documentation or evidence-based records of their reasonable response. So that’s generally my role, and I work very closely with folks across our whole team. I look forward to the conversation.

Christopher Wall

Thanks, Jonathan. Mike?

Michael Sarlo

Hi, I’m Mike Sarlo. I’m HaystackID’s Chief Innovation Officer and our President of Global Investigations and Cyber Incident Response. I’ve been in this space for about 15 years, really getting my feet wet and more so as an operations person. I started our Digital Forensics practice and Cyber Incident Response practice. I now work closely with some of our most important clients on high-risk incidents from a cybersecurity standpoint and on large-scale eDiscovery matters. I’m an ENCE and an RCA. I have all the technical qualifications and regularly function as an expert witness when required in various state and federal courts.

Christopher Wall

Great, thanks, Mike. Well, finally, as I mentioned, my name’s Chris Wall. I’m DPO, In-House Counsel, and Chair of our Privacy Advisory Practice at HaystackID. HaystackID, of course, is an eDiscovery, privacy, data security, and forensic investigations firm. My job is to guide HaystackID and our clients through the privacy and data protection thicket as part of cyber investigations, information governance exercises, or traditional discovery. More immediately today, my job is to help guide the discussion with our two panelists here to talk about cyber incident response and recovery of PII as part of that response. And as a housekeeping matter, just as we get started here, this webinar is really designed to help you make the best part of the hour that you spend with us. We welcome your input. We’re a relatively big crowd here. It looks like we’re over 100 registrants. But we want to make sure that the next hour or so is as practically beneficial to you as possible. So we’ll watch, and if you have a question, please drop it into the chat, and we’ll try to address the questions as we go. So with that, let’s dive in. So why are we here? Why are we talking about incident response and PII recovery and what is that? When we look at the security of data, we don’t have to look too far to see how frequent and how pervasive data incidents and cyber breaches are. We have on the screen just four examples. For example, with the Orrick one just announced last month, I guess two months ago now, an $8 million settlement with members of a class who said that their personal information had been compromised in a data breach that affected more than half a million people. So I know that there are a lot of legal professionals on this webinar at least who registered here. For the lawyers on this call, these law firm examples of data security incidents should really be particularly eye-opening.

Law firms and legal professionals generally tend to be repositories of some extremely sensitive information, and a lot of that is personal information, and bad cyber actors all over the world are beginning to realize that. But beyond the legal practice and just the day-to-day, when we consider our daily activities and the personal detritus we leave in our wake just living our lives. If you think about all the confidential, deeply personal, and potentially embarrassing information that belongs to you, that information is mostly in an easily transferable digital form. Then, you think about all the different places where that information may reside. If we think about all of those things, then you might begin to comprehend the risk that’s out there. And that’s what we’re going to be talking about today.

We’re going to be talking about data risk, we’re going to be talking about data security. Unless you think this is abstract, that these data risk and data security ideas are some abstract concept, how many of you have received one of these? And I’m just showing this as an example. It doesn’t have to have the Target logo up there. How many of you have received one of these? Or maybe one of these? Maybe it looks something like this or maybe it looks like this. It wasn’t in snail mail, it wasn’t in traditional US mail or post, and it came as an email or text. If you’re saying to yourself right now, “No. Not me. I’ve never gotten anything like that.” Well, if you’re saying that, then kudos to you for completely living off the grid for the last 20 years because these are data breaches and data incident notifications, and they’re sent to individuals whose personal information has been compromised.

What we are going to be talking about today is how we get to this point. How do we get to your receiving one of these data breach or data incident notifications? There are three kinds of organizations out there. Those that have experienced a breach. We just showed three examples. Those that will experience a breach. And the third one is those that have experienced a breach and just don’t know it yet. So again, what we’re going to be talking about today is how we get to this point. What leads up to you getting one of these breach letters or the notification of a data leak? What happens in this process from the incident may be a breach, and we’ll touch on that. We’ll talk about that briefly. Through other steps to the point where you as a consumer get notice that there’s been some compromise to your personal information.

All right. So we’re going to kick off here. I’m going to ask our panelists a question. Well, everybody on this call. How many of you are responsible for your organization’s cybersecurity? Mike, you better raise your hand. Come on, at least. So Mike’s in my organization, and that is a trick question, Jonathan. You should have raised your hand, too, and I hope everybody on this call who belongs to any organization raised your hand. Because I hope you all recall the security training that your organization, your company, or your firm asks you to do. Remember that we are all responsible for securing our information. Data security is everyone’s responsibility. But let’s say that you are specifically responsible for overseeing your organization’s security and that you get a call from somebody in IT telling you there’s been a leak. You don’t know how big it is; you just know there’s been a leak somewhere.

So you’re calling to get the number for the plumber, I guess, but it’s a data leak. Where do you turn first? Where do you even start? Jonathan, Mike, where do you even start with this process? All that you know is that there’s been some incident, some potential compromise of data. You don’t know if there’s personal data in there, or company-specific confidential information. Where do you start?

Michael Sarlo

Well I’m going to kick it off to Jonathan, because one of the first things you should do is inform your legal department as well.

Christopher Wall

Kick it to the lawyers. Let the lawyers sort it out.

Michael Sarlo

That’s right. Get the lawyers involved right away. And you should probably go and maybe get sick and take off the next two weeks. That would also be fairly wise if you really don’t want to work that hard.

Christopher Wall

All right. You heard it from Mike, that’s your counsel.

Jonathan Wilan

I’ll really endorse calling your lawyer early. And I think that for many sophisticated organizations, you’ll have an incident response plan that you can break open and have some processes there. You hopefully have done things like tabletop exercises to practice your implementation and refine your implementation of your procedures when you have a potentially significant data incident. But the reality is that no plan will run perfectly from day one. And there will be a lot of quick and important decisions that need to be made that have a legally consequential impact on your entity because there’s a lot of risk around the type of data incident in your example for us. There’s the obligation to make decisions very quickly. Notice there are potential regulatory investigations from industry-specific regulators like NYDFS, the FTC, or local state AGs. There will be regulatory inquiries for a significant incident that will have to be managed.

Christopher Wall

Well, a couple of things there, Jonathan. So, let’s say as you start your analysis of that data incident, maybe you realize that the leak included the secret formula for Diet Coke, TikTok’s recommendation algorithm, or Colonel Sanders’ secret recipe for the older part of the group here. That was secret herbs and spices. That automatically ups the data protection risk. Sorry for the softball wind-up there.

Jonathan Wilan

Yeah, I’ll take this, and then maybe Michael as well. Look, I mean, every incident is not the same, and there are different types of data and different types of sensitive data. So generally, when folks jump on webinars like this, we’re talking about personally identifiable information, PII, or health information that may have requirements under HIPAA. That’s a focus area, and we will talk about that as well. But businesses should not forget, or organizations should not forget that there is also potentially confidential, sensitive, and proprietary information that could be within that 10 terabytes of data. And the risks and processes around how you handle those are very different. You might actually not have an immediate notification obligation under state data breach laws, but there may be other obligations that arise from an incident like that, and they may also just impact your business. So you definitely need to try and establish early, even at the very highest level, what data we are talking about and what risks that poses.

Christopher Wall

Yeah. What data was compromised? Obviously, the focus here is on personal information. Mike?

Michael Sarlo

Look, I mean, I would totally concur. Every incident is different. We’ve seen incidents where real exfiltration of certain tranches of data and work streams involving threat actors is more of a diversion-like tactic around actually getting folks to look away from the theft of critical IP. We have clients who are military subcontractors. We see issues with folks doing business with the government, where CUIs are where we have top-secret materials. So it’s definitely not all about just PII and PHI. The theft of trade secrets element is very real, and it’s a common thread that I think organizations should be aware of. Now, many large-scale organizations are pretty good at securing their IP. They may not be as good at securing their personal data or the data of their customers. And again, we talk about how every incident is different. We get some incidents where really we’re dealing with a lot of employee data. We get some incidents where we’re dealing with a lot of data from an organization’s actual direct like customers, or we get incidents where we are dealing with an organization dealing with many different organizations. Then, we’re also dealing with those third-party organizations and their personal data. Those are particularly when these get complex, as there’s a lot more happening from a frequency standpoint around requests, work products, and deliverables. So it is always very important. We think about staging a matter. The more you know, the better, even if it’s a maybe, and really taking some time to actually talk through the types of data an organization is holding, even if we don’t know that that’s been compromised out the gate. That will put everybody in a better posture to potentially understand that risk immediately.

Christopher Wall

So, if we know what type of data has been compromised, does that help us understand how furiously we need to respond or how comprehensive the response should be?

Michael Sarlo

It does, but it’s not an end-all-be-all, and fortunately, we know this. Every organization thinks they don’t have sensitive data, but they all do. They all have PHI as they get larger. So, what you don’t know is usually what can hurt you. So it’s really important to learn from the data types and what’s before you, but you should also prepare for the worst.

Christopher Wall

A big part of it, too, is maybe you’re not able to determine right off the bat whether personal information was compromised, whether it was just company IP or other confidential information was compromised. I think a big part of that is by looking at what systems were accessed. For instance, we could talk about structured versus unstructured data. Structured data is essentially any data stored in rows and columns like CRM tools, client databases, and unstructured data, such as email or day-to-day operating files. Looking at what systems were accessed or compromised helps us further refine and determine what’s potentially compromised.

Michael Sarlo

This is where forensics is very important out the gate because individual systems as a whole may not be fully compromised. So, as a part of your DFIR plan, you’re usually going to have a series of really good incident response vendors on deck, and this is really a tactical piece of the process to understand what individual pieces of those systems actually have been compromised. Access is one thing. The typical modus operandi of most threat actor groups these days who are looking to extort an organization for usually some type of coin is actually to exfiltrate that data. We saw that ransom is still out there, and we see ransom for sure, but they’re focusing on exfiltrating as much data as they can at the start, right before often actually trying to damage a system, if at all.

Christopher Wall

So I think it’s important for us to focus, again, our focus on this webinar, in particular, is, on PII because we are talking about PII recovery ultimately anyway and acting upon that through notification. But we talked about looking at where that data might be and what data has been compromised. I’ll throw this to you, Jonathan. Let’s say we potentially have a data incident that spans both the US and someplace in the US. We’ll pick California, Utah, Colorado, or Connecticut, one of these states with comprehensive privacy laws and a little bit more refined notification requirements. Let’s say that it happens in California and, let’s say, Ireland. The breach occurs in both places. How does that affect our analysis, particularly with column number two, when we look at timing? How do we go about that? Do we respond to all of them within the same timeframe, or do we take a state-specific or jurisdiction-specific in the case of the EU approach to responding?

Jonathan Wilan

The way it remains fairly…

Christopher Wall

You can object, Jonathan. That was a compound question, and it was a really long question, too, but go ahead.

Jonathan Wilan

Unfortunately, it remains fairly complex. There’s still no US privacy law. So, at the state level, you will deal with different notice obligations, requirements, and timing. They can run as short as 10 days like in Puerto Rico, and some are 45/60 or just as soon as reasonably possible. So you need to understand what those obligations are and if you’re ready to provide notice, you’re ready to provide notice. But you do need to understand where your data comes from and, more importantly, the residence of the individuals who’ve been impacted, which is going to ultimately control what your notice obligations are.

Regarding overseas, we know that if you’re subject to GDPR, you have a very quick 72-hour reporting obligation. You need to make at least initial decisions as soon as reasonably possible. There are a number of very tight deadlines that are industry-specific or regulatory-specific. We noticed that FHA with a HUD in the context of certain businesses just announced the other day a 12-hour notice requirement that is not necessarily tied to just doing a full-on PII analysis but an early notice obligation that they’re rolling out.

Christopher Wall

Jonathan, let’s use that extreme example. Sorry to cut you off there. Let’s use that extreme example. Let’s say that you have a bunch of individuals, that’s a specific number, a bunch of individuals who’ve experienced a breach; we’ll call it a breach. We’ll talk about definitions here momentarily. They’re subject to that HUD regulation, and some of them, you think, are also subject to the GDPR. One has a 72-hour requirement, and another now has a 12-hour requirement. How do you approach that? Do you try to slice and dice them or take the least common denominator, the 12 hours, and try to comply with that one for all individuals involved?

Jonathan Wilan

You certainly need to be mindful if you’re notifying certain regulators and not others. And that’s why these responses need to be carefully coordinated and do require legal input as soon as possible. Really, one of your first calls, as Michael said, should be to an attorney who’s going to help you walk through those types of decisions. So, ultimately, your goal is to meet the legal requirement. But yes, optically, if you’re notifying one regulator significantly earlier than another, that may create some risk. So it’s important that you have a singular team, a centrally managed team making those decisions, carefully tracking them, and ultimately trying to get to the best possible spot to reduce risk.

Christopher Wall

And talk about a little bit, if you could, Jonathan, the risk of neglecting one or more jurisdictions. Let’s say you make notification where you think you need to or where your risk is greatest, but you neglect to provide notification in those other jurisdictions where maybe you determine there’s a lower risk.

Jonathan Wilan

You should keep in mind that a number of jurisdictions do post notices that other regulators and plaintiff’s lawyers are regularly looking at those postings. Significant breaches or incidents will result in public statements and press stories. So, ultimately, these decisions will be in the public eye, and you need to be able to defend what you did, why you did it, and why it was reasonable.

Christopher Wall

Yeah, thanks. So I do want to talk about-

Michael Sarlo

I think more often than not, just real quick, too; I deal a lot with many of the largest insurance carriers in this space who see a wide breadth of incidents. And what we’re seeing, what everybody’s seeing, is there’s a significant rise in the frequency of class actions. There are very savvy plaintiff lawyers who will actually go out to the dark web and download data that’s been exfiltrated. They’ll start to run their own analysis to see who was notified and if they had specific individuals who haven’t been notified in that data set. So they start to talk about establishing a record of not just reasonableness but actually more of a defensible process. It becomes very important as we get into the collation, extraction, and organization of individual PI elements. The landscape really has changed. Arguably, it’s changing every day, but we are seeing just significantly more litigation arising out of these events, as I’m sure Jonathan, you are as well, and you’re advising your clients of the same.

Jonathan Wilan

I am going to echo what Michael said. Yeah, absolutely. Significant cyber matters and data breaches will result in class action litigation, which does create risk. This makes it all the more important that you develop a good record of the steps that you took, a defensible record, as Michael put it.

Christopher Wall

So, we’ve been talking primarily about notification, which is a statutory or regulatory responsibility or obligation. What about our contractual obligations to provide notice? I have a good question here. What about our contractual obligations to notify our insurance carriers? How does that affect our response obligations?

Jonathan Wilan

You absolutely need to build that into the playbook, and it’s not easy. It’s as hard as it’s to keep track of all the regulatory and statutory obligations we just mentioned. If you’re an organization with thousands or tens of thousands of contracts, understanding those obligations is almost harder. So, certain organizations have organized their contracts and used advanced technology, for instance, to understand their obligations around data incident notices. But if our lawyers have reviewed contracts, almost every contract will have a confidentiality provision and may or may not have some specific notice provision. So, you need to be aware of those and build them into your process. And your risk is not only a lawsuit from a contractual counterparty, but it’s lost business, which ultimately can be the biggest impact from these types of events. So, you really need to build that into the process.

Michael Sarlo

This is where a lot of organizations experience churn. They want to understand what is the actual impact. But then there’s this other element: well, should we have notified our actual key business partners and customers? And I think for folks who they breach coaches on the line, the corporate folks, things like that, you’re going to be getting tugged in both directions on this because obviously notifying organizations that haven’t been impacted, it’s also going to damage your relationship with those folks. So it’s a balance between getting enough of a picture to start making those decisions around those first disclosures, even sometimes maybe as opposed to you have been compromised. So we see different things there. I saw a question about notifying your insurers. In this day and age, your insurance carriers are very hands-on when you’re buying cyber insurance and renewing your cyber policies. So organizations have a lot of access to resources, and there typically is a playbook that’s hard and fast as far as how they’ll work with their insurance carrier when a breach happens. They’ll usually have preferred counsel. Some organizations may have counsel that’s not pre-approved. They’ll go through the process to actually get those lawyers approved by their carriers. They’ll sometimes be approved vendors. You want to be careful about who you engage with because you could be stuck with the bill depending on who your carrier is and the type of policy that you have.

We’ve seen some carriers that, even though they offer broad coverage if you stray from their panel and you don’t use specific vendors, they’ll actually reduce your coverage. It’s really important to understand those elements as you go through this because this can be very costly. We typically see, and it goes up and down by 10 bucks every year. The cost of an exfiltrated record from an organization is about $150. In a medical setting, it’s about $450. I may give it or take it, according to the Ponemon Institute. So it’s very costly. The biggest piece of that comes from the legal expense in churn, and there’s an element of lost business in those figures that’s not fully captured there.

Christopher Wall

Well, I want to point out…

Jonathan Wilan

The question’s a good one. You certainly do want to make sure you’re understanding what your insurance coverage is early on. Ideally, you’d understand before the incident where you will go in your insurance stack if you have a significant cyber incident. Some organizations will have specific cyber insurance now; others will be attempting to rely on property or other types of insurance. But your insurance broker and your internal insurance team are undoubtedly part of your response effort when you have a significant matter because, ultimately, the real risk is often monetary once you get through the early days. Insurance is a key part of managing that.

Christopher Wall

We’ll talk about putting together that team and what we can do prophylactically. But I want to point out that that’s not the only contractual obligation we should discuss here. Certainly, contractual obligations are potentially with your insurance carrier or your insurance. But there’s also the extent to which you have sub-processors, or you are a processor yourself, and you have a responsibility to the data controller. So you potentially have a contractual obligation under your data processing agreements that you have. And those will kick in depending on the type of incident that we’re talking about and whether that, indeed, the incident rises to the level that you have to notify those entities, whether it’s the controller, your processor, the person to whom you have an obligation under your DPA or your insurance carrier, whatever it might be.

I want to talk about that definition piece upfront. And Jonathan, you’ve hit this point several times on our call, and I will reiterate it once again. And that’s the need to bring in counsel because, at the end of the day, it is a legal determination about whether a breach has occurred. Because once an incident becomes a breach, then a whole bunch of things kick in. Do you want to talk about that a little bit?

Jonathan Wilan

Absolutely. Look, words matter, definitions are important. The phrase “data breach” has legally consequential meaning. And it’s important not to declare something as a “data breach” earlier than necessary. So, it is important throughout your process to be thoughtful in your language and make sure that the language you’re using represents the facts identified so far. So again, lawyers are good at that. They may be annoyingly good at it sometimes, but for your entire response team, understanding that having an email labeled [Rayline] data breach when you haven’t even figured out what was impacted yet is not a good idea and is not helpful and not necessary.

Christopher Wall

Thanks. And just briefly, since we’re talking about terminology, I want to bring up one more that I’ve heard in this context, and that’s the phrase data mining. And I think it’s really important that folks know that this phrase may be used in this context, but I want to hear from our two panelists here about whether and how it should be used if so. Jonathan, Mike, do you want to weigh in on the phrase data mining in this context?

Jonathan Wilan

Yeah, sure.

Michael Sarlo

Go ahead, Jon.

Jonathan Wilan

I’ll be brief. We’ve talked about this in the past. It’s a good example just because… Data mining is a perfectly good phrase to use. It reflects that in a PII/PHI-type breach, a process is designed to figure out what data was impacted, what notice obligations may exist, and we’re mining the data to get there. But we’ve talked to federal government regulators who suggested that has a different meaning. In fact, statutorily, it has a defined meaning at the federal level, which is more in terms of gaining insight about individuals and may raise privacy concerns. So, it’s just a good example of how you’d use these phrases thoughtfully, especially as the privacy laws develop.

Christopher Wall

Thanks, Jonathan. Mike, anything you want to add there?

Michael Sarlo

Yeah. Look, I mean, obviously, we hear the phrase like data mining all the time. If you’re in the insurance community, you’re talking to those folks, or if you’re in the DFIR-like community. Those folks are not fully aware of the eDiscovery community. They’re typically going to use the phrase like data mining. What is data mining? It’s a process by which we identify sensitive data elements that might be in a data set. We then link those to individuals or organizations, and the end product is really consolidated into notification lists that tell us for each individual and our organization, usually individual and organization, in the case of third-party breaches, the types of data that were found, as well as where it was located and the quantity, because all of those elements can impact your notification obligations. We have biometric data. If we have minors, we start to look state by state. Those individual data elements are very important when we start to think about who to notify and where we need to report.

Christopher Wall

Thanks, Mike.

Michael Sarlo

There’s a whole slew of technology and processes that we use that I know we’re going to talk about probably fairly shortly.

Christopher Wall

We’re going to talk about that very shortly here. For [data mining], I know there’s a statutory definition here in the US. Congress has defined it, but it’s not used in this context. Okay, excuse me. It’s usually used by malfeasers to identify personally identifiable information for nefarious purposes. But under that broad definition, I was at Legalweek in New York City earlier this year and heard somebody refer to eDiscovery as data mining. I don’t know that I would necessarily use that in that context, either. But speaking of eDiscovery…

Michael Sarlo

We typically at HaystackID like to refer to it as cyber-like discovery, and that’s because as we get into more than just the extraction and the notification and that piece of it, there’s a ton of another risk. There’s lost business; there’s often a business sensitivity review of files. We need to understand really more information about the types of data that have been compromised. Be it deal docs or things like that. So, as these incidents get larger, a significant number of work streams look like eDiscovery in the context of a breach that’s not just about PII. So, we like the word cyber-like discovery here at HaystackID.

Christopher Wall

Or PII recovery, which is the title of our presentation. That’s the other thing we refer to it as. But this is just large-scale discovery, right, Mike? Just large-scale eDiscovery, that’s all we’re doing.

Michael Sarlo

No. Definitely not. If you think you’ve experienced sleepless nights in eDiscovery, I can find you even less sleep in a large cyber incident for those uninitiated. Although we think we’ve become pretty good at that, that doesn’t happen as often. And you can expect that before every holiday weekend. You’ll have several threat actors who will release your data, usually about 6:00 PM. And you’re going to be in for a fun weekend where, I think in eDiscovery, we’ve somewhat moved beyond the brutal holiday discovery exercises just due to having a much more sophisticated pool of resources in the marketplace.

Christopher Wall

Well, interestingly, we were talking with an eDiscovery software company recently, and they rolled out a data breach response suite of tools. It makes sense that they’re targeting the eDiscovery industry since this work involves large volumes of data. You’re looking for specific things within that data mining. But words are important, like you said, Jonathan, and how they’re branded makes a big difference. The new functionality is a breach response, which may be accurate if you’re trying to determine if an actual breach has occurred. But this phase of cyber incident response is distinguishable, I think, from eDiscovery that much of the legal industry will understand, at least the US legal industry here, where we’re looking for specific pieces of information. But it’s distinct in a lot of ways. You’re not making legal determinations of what you’re looking for. It is pretty much well-defined what PII specifically is.

You’re not typically making privilege or relevance considerations when you’re looking for personal information. You’re not looking; well, there are no real rules, no case law, and no regulatory direction on how you identify PII that you can recover and act upon. And you’re not making productions to other parties. Technically, I guess the only production you’re making as you identify this PII will be actionable. It will be actionable data that you recover and PII that you recover so that you can notify individuals whose personal information has been compromised. I think that’s the real distinction here, and we shouldn’t lump all of this together even though, in many cases, many of the folks on this call do eDiscovery and participate heavily in incident response like this.

Jonathan Wilan

I will say I’ve looked at this deck before, but you’re reading it here. I want to look at the first bullet a little bit. It is true that you’re not making the type of legal determinations you make via eDiscovery in terms of relevance or looking at whether the document helps with your defense. It’s a piece of information that has legal consequences. But it certainly is the case that, ultimately, you are applying all this information against legal regimes and legal rules that do require legal advice and, ultimately, decisions. So I think some of the sausage baking is a little bit different, but ultimately, there are legal obligations that you’re bumping up your process against.

Christopher Wall

Yeah. I think there’s no legal determination about PII identification that any legal determination you make is made after the completion of your investigation, after you’ve determined the extent of PII that’s been compromised, and as opposed to on each PII component individually. Did I summarize that right, Jonathan?

Jonathan Wilan

Yeah. I’ll take a little different take on it. So, ultimately, each state has a definition of personal information, and something that’s personal information in one state may not even be personal information in another state. So again, that’s coming back to words matter. So I think you may be three review processes identified something that could be PII in some jurisdiction. Then, ultimately, you have to match that up and make a legal determination as to whether the actual criteria have been met in a given circumstance.

Christopher Wall

Thanks. Mike, anything you want to add?

Michael Sarlo

I just want to add that there is a lack of FRCP. We don’t often have a standard of proportionality in these events, and it’s an evolving field where we create a sense of proportionality through repeatability. And we do a lot of these folks like Jonathan do a lot of these. You’re never going to get every drop of PII out perfectly, especially because data is just messy when it’s not coming to you, a nice little database. It’s really important to cast the right net around that risk and to understand how you are building a defensive stopping point that will allow you to convey a reasonable and defensible effort down the line in the event of litigation or continued regulatory inquiries. It is very important because we see cases sometimes. I always like to tell folks that what is really important here is that gigabyte size does not necessarily indicate spend in the same way that we often see in a typical eDiscovery civil litigation matter.

We have had cases where we have had 150 gigabytes of super dense spreadsheet data that were really databases that needed to be combed through, and we spent half a million dollars in human technical time. We have had cases where we had several terabytes and the exfiltrated data set was from an organization that just had really good data hygiene practices, or their data was encrypted. It’s always something that’s really great when you find out when you start to interrogate these datasets. So the spending there was much less. It was 80 grand. Don’t be caught off guard by that. I can’t tell you how often, usually in education and healthcare settings, we find a single spreadsheet in somebody’s mailbox with 80,000 names, socials, and their addresses. A single file can be deadly in these. So it’s about getting to those densest pockets of data first and having a process that locates those high-risk data points early on because you’re on a very accelerated timeframe, like 60 days from when you start this process to, typically, when you want to report.

Jonathan Wilan

We’ve had situations where you have a million documents, and of course, it’s going to be the millionth one that has the one spreadsheet with a million pieces of PII. Obviously, technology is key to not having that be the millionth document. And that’s where service providers, vendors, software providers, and consultants like HaystackID can really help. But you also need to manage the expectations of regulators and counterparties of your own clients in terms of what you’re finding because until you’re done, you’re not really done. And that’s one of the lessons from doing an hour of these.

Christopher Wall

Well, that is the question there, guys: What does “done” look like? What is our standard? Do we have an absolute standard? Is it reasonable? What is our standard?

Michael Sarlo

So, we typically rely on many of the fundamentals we’ve learned from utilizing technology-assisted review, measuring the efficacy of individual search terms. We usually are using sampling. We’re working with folks like Jonathan to get to a reasonable margin of error and agree on some of those to know if we’re within those limits. We feel like we’ve done a very good job. And that’s where I think having folks who have been in this industry for some time have seen the technology and have had to argue for the use of technology in a world where there isn’t a sense of sometimes hard fast rules and eDiscovery like protocols, dealing with third parties. I am really thinking outside of the box about how we can bring a defensible process to a lot of new technology and new processes for many organizations. It’s critical when we start to talk about when we are done. You can just sit there forever and be a dead horse, but at some point, we want to be able to measure it and say that we’re done.

Jonathan Wilan

You want to balance off the need to be fast, which is consistent with what regulators and planners would tell us about the need to be perfect. And as Michael said, we’re never going to be perfect. So, while I’m not aware of a specific legal standard that’s developed, I think the federal reasonable inquiry standard is a good start and is an approach that makes sense to ground what you’re doing in some defensible and implementable standard.

Christopher Wall

So Jonathan, for our attendees here who are from GDPR jurisdictions or GDPR-like jurisdictions around the world, would you say that taking that same approach is defensible there, too?

Jonathan Wilan

For me to say, but yes, look, I think every process has to be measured against reasonableness because you’re never going to be perfect. You could look at the documents a million times and still miss something. So you’ve got to do something that will allow you to respond quickly, which can be very important, and it’s got to make sense from a cost and resource perspective.

Michael Sarlo

We see organizations especially at risk when they’re missing basic controls. Jonathan can tell you that if you’re a large organization, it has properly enabled things like two-factor authentication. If we look at the NYDFS and settlements they’ve extracted out of organizations, there’s usually a negligence component. So I think being negligent in handling sensitive data somewhat runs parallel and where you have to do more work. Certainly, there are great technologies that we developed kind of, or we didn’t have great tech before. Manual review is really always something we don’t want to be doing, but sometimes you start thinking about manual review. I also think that as an introductory step, we need to have a conversation about the types of data that we’re seeing. Do we have databases? Do we have an HR share? Do we have a ton of healthcare data or patient files? We are definitely dealing with databases, which often are large portions of data that get exfiltrated, especially from technology companies that may be offering a web app where you’re going in and entering your data. A lot of that customer data is sitting nice and structured. These are when the big breaches happen where we say, hey, millions of people have had their data exfiltrated. Usually, it’s a series of large databases. From a data mining or cyber discovery standpoint, those are often easier to handle because the data is well-organized.

Christopher Wall

If you can identify which database or which set of [data]?

Michael Sarlo

If you can identify [it]. Yes, exactly. Unfortunately, you’ll usually have to do quite a bit of work to stand those data elements up outside of your client’s environment. Usually, this isn’t happening live. Often, your clients may still be down, or it just makes sense from a workflow standpoint to look at what we know is actually exfiltrated and was often dropped on the dark web, and we might work off that data. So that’s a piece of the manual review process that sets us up for search. We do this in a couple of different ways. Keywords and regular expressions are effective. They’re typically very broad. We typically may use a combination of that plus AI. AI has come a very long way. We’ve done quite a bit to develop our own tools. We’ve trained to be more effective over time, reducing false positives. We have combined these search strategies, be it AI, keywords, or regular expressions. Tying on the backend of the vetting process, either by term or by category, using statistical sampling is key out the gate to get you to a set of data that might actually need to be reviewed by humans. We’ve talked about manual review here. It’s not uncommon to see review rates between 10 and 25 on documents an hour. And it will become slower if you’re doing a very good job at filtering out those false positives because, theoretically, the reviewers will have to act on more documents. It’s not uncommon for very large spreadsheet files and things like that that can’t be auto-extracted. We have some great technology now that specifically deals with spreadsheets and dense spreadsheets that can run anywhere from two to five documents per hour.

So, the cost of a small data set of 200,000 documents, a decent amount of eDiscovery matter in the cyber discovery and PII extraction worlds, can be massively compounded. It is very important to have an identification strategy that works, is vetted, and is defensible, but also in a way so that you’re really trying to focus on the most dense tranches of data. So density is important because all of us who first started in this have been burned by that millionth and one spreadsheet. I’m so glad you said that because that happened to us when we first entered the space. And you can imagine your law firm partner is upset because they’ve made certain representations to their end client, who then has probably told their board, “Hey, we only have 50,000 individuals here,” then, lo and behold, we’re up to 700,000 now. It’s really important to get to those most dense pockets of data early on, and we have technology that will specifically identify the densest documents so they can be acted on.

Christopher Wall

Well, not just the PII that’s in those. I think the real struggle and the real value that AI brings to the table here is the ability to associate individual PII components with one another. That’s the real value. And that’s frankly the holy grail we’ve been chasing for a very long time now in the privacy sphere. Jonathan, anything else you want to add here?

Jonathan Wilan

Look, I mean, I think…

Christopher Wall

We lost your audio there, Jonathan.

Jonathan Wilan

Can you hear me still?

Christopher Wall

No. Just barely. We’ll just keep rolling here. All right. Well, we have a perfect question. Thank you, Mr. Chow. Thank you for asking that question in the chat there because that is the perfect segue to the last point we want to talk about for our last five minutes or so. And this is, frankly, my favorite part of our discussion. We prepare using the five P rule or the six P if you grew up in the environment I did. That is, the six P rule of proper preparation prevents poor performance. So far, we’ve been talking about the response piece, but we’ve barely touched on preparedness, maybe a little bit. So let’s talk briefly here before we wrap up on how we can be in a good position to respond, keeping in mind that we live in a day and age where everyone has or will experience this incident at some point. It probably starts with having an incident response plan, which Jonathan led us off with here, getting together and putting your plan into effect. If you don’t have a plan, now’s the time to put one in place. It’s never too late. Something in your organization may have been created organically, or maybe you had someone like HaystackID come in and help put one together. But Mike, can you talk about some of the best practices you’re seeing and using stuff like training and leading practices across all industries?

Michael Sarlo

Yeah, so, of course, you and your employees are the first line of defense for any cyber incident. With phishing campaigns and human engineering, we hear stories of people who drop a flash drive in a parking lot, and somebody goes and plugs it in. So really following the rules, being vigilant, being hyper aware of the links I’m dealing with. It’s really, I think for a while for technical people, these types of phishing exercises, you could just tell what it was right away. But with the advent of generative AI, these are looking much more sophisticated, they’re well targeted towards specific individuals in organizations, we’re seeing a lot of fraud, and the size of the fraud is growing, especially just from a single email, email compromise where somebody might be directed to send a payment somewhere. So, it is really important to focus on that training element. From a getting-ready standpoint, a lot of organizations are in M365, Google, and AWS. There are DLP tools that can be utilized to help organizations classify their data, both from just a general cybersecurity standpoint and with their critical IP. But where there’s PII or PHI…

Christopher Wall

You talked about where your data is and how you’re using it, and by classification, you’re talking about what data you’ve got, right?

Michael Sarlo

Exactly. So labeling that data programmatically and through a combination of manual interviews is a great way to get ahead and remediate that data. Organizations keep way too much data. So, I think information governance has been a pipe dream for some organizations for some time. But now, when we start to quantify that risk, I’m like, it’s $150 a doc. We’re seeing many big organizations come online with going through the spend and the process required to do this work.

Christopher Wall

Great catalyst to get us to do what we know we should have been doing. Jonathan, if your audio is back up, we’ll give you the last word here. What other prophylactic measures can an organization take?

Jonathan Wilan

All right. We’ll give it a try. Can you hear me all right? So, I think understanding your data and systems and having a good inventory is important. I think there will be new AI requirements coming on board for a lot of organizations that will require you to understand your data better to meet these new regulations. I also think AI, on Michael’s point, we’ve reached a point where cyber risk has created an incentive for better data management practices, hopefully. However, there is a risk that AI will push back a bit against that, where organizations will want to keep data because we might be able to use it for AI use cases. So, I think finding proper balance as these new AI rules come on board will be very important and hopefully will get us to a place where we can reduce overall cyber exposure and risk.

Christopher Wall

Fantastic. Thank you. And that brings us to the hour. And I think we’ve addressed most of the questions as they came in. But we can certainly make ourselves available. I know I’ll speak for the other two panelists here. We’ll make ourselves available to any participants who would like to reach out and ask questions offline. Jonathan and Mike, thanks for joining me on today’s webcast. On behalf of HaystackID, I want to thank all of you who are participating remotely for joining today’s webcast. We know your time is valuable, and we appreciate you taking an hour out of your day to share it with us. We hope that the panelists’ insights and perspectives that they’ve shared today have helped to enhance your understanding of cyber incident response and the PII recovery process and the role that it plays.

As Mouna and I mentioned at the outset, this webcast is being recorded and will be available for on-demand viewing on the HaystackID website, along with a complete transcript. We also want to give everybody a heads-up about the next HaystackID educational webcast on June 26th next month. That webcast is titled “Setting Your Sails in eDiscovery: Industry Pros Tips for Career Advancement.” So, on that note, stay informed, stay cyber-safe, and make it a wonderful day. Thanks, everybody.


Expert Panelists’ Bios

+ Jonathan Wilan 
Partner, Sidley

Jonathan Wilan is a partner in Sidley’s Washington, DC office and has focused his practice over 20 years on the intersection between legal risk and data. Jonathan has extensive experience in the areas of cybersecurity, complex litigation, investigations, and large-scale compliance technology implementations. Jonathan is a frequent speaker and thought leader on issues related to cybersecurity, information management, and complex litigation. He also sits on the Steering Committee of The Sedona Conference Working Group 11 on Data Security and Privacy Liability.

Jonathan regularly advises clients in the areas of cybersecurity, information governance, and complex litigation, including providing proactive counseling, leading digitally focused investigations, and pursuing or defending related litigation matters. Jonathan received his undergraduate degree, magna cum laude, from the University of Maryland and his J.D., cum laude, from Harvard Law School.


+ Christopher Wall
DPO and Special Counsel for Global Privacy and Forensics, HaystackID

Christopher Wall is DPO and Special Counsel for Global Privacy & Forensics at HaystackID. In his Special Counsel role, Wall helps HaystackID clients navigate the cross-border privacy and data protection landscape and advises clients on technical privacy and data protection issues associated with cyber investigations, data analytics, and discovery.

Wall began his legal career as an antitrust lawyer before leaving traditional legal practice to join the technology consulting ranks in 2002. Prior to joining HaystackID, Wall worked at several global consulting firms, where he led cross-border cybersecurity, forensic, structured data, and traditional discovery investigations.


+ Michael D. Sarlo
Chief Innovation Officer and President of Global Investigations and Cyber Incident Response, HaystackID

Michael Sarlo works closely with HaystackID’s software development and data science teams to deliver best-in-class data collection, eDiscovery, and review solutions that allow legal teams to act on data types typically not conducive to collection, review, or production in the context of eDiscovery. Sarlo works closely with clients on the most challenging and complex regulatory, investigative, and civil litigation matters. Sarlo also oversees HaystackID’s Cyber Discovery and Incident Response Services division. He leads a cross-functional team of HaystackID experts that regularly assist insurers, breach coaches, and their corporate clients when a data breach occurs.


About HaystackID®

HaystackID solves complex data challenges related to legal, compliance, regulatory, and cyber events. Core offerings include Global Advisory, Data Discovery Intelligence, HaystackID Core® Platform, and AI-enhanced Global Managed Review powered by its proprietary platform, ReviewRight®. Repeatedly recognized as one of the world’s most trusted legal industry providers by prestigious publishers such as Chambers, Gartner, IDC, and Legaltech News, HaystackID implements innovative cyber discovery, enterprise solutions, and legal and compliance offerings to leading companies and legal practices around the world. HaystackID offers highly curated and customized offerings while prioritizing security, privacy, and integrity. For more information about how HaystackID can help solve unique legal enterprise needs, please visit HaystackID.com.


Assisted by GAI and LLM technologies.

Source: HaystackID

*Sidley

Written by:

HaystackID