Nickl and Evans on the Differences between Data Breach and Litigation Reviews
Ralph Nickl, CEO of Canopy Software, an EDRM Partner, and eDiscovery expert Brian Evans, recruited by Lighthouse after over a decade at Norton Rose Fulbright, are publishing a three-part series entitled 9 Differences between Data Breach and Litigation Reviews. While many believe that eDiscovery systems and processes can be leveraged for data breach reporting without changes, Ralph and Brian give us the benefit of their experience in both domains.
For a data breach review, utilizing common litigation approaches like search terms and regular expressions results in enormous false positives to review and, based on case studies, will miss key documents containing reportable data.
Continuing their three-part series, Nickl and Evans compare the personnel required for a review, with the first pass focused on identifying protected information and attorneys focused on deciding whether the information is reportable.
Deliverables differ between breach and litigation reviews:
A litigation review delivers a list of relevant documents corresponding to issues that tell a story. In contrast, a data breach review compiles a de-duplicated list of all affected individuals, their affected protected data elements, and contact information. This list provides information for the attorney to make decisions on reporting obligations by jurisdiction and is also used in the notification process itself.
Reporting, cost factors and technologies, while similar, have different use cases and timelines, according to Nickl and Evans:
Litigation review requires regular and timely reporting of certain metrics to gauge progress, accuracy, and totals of relevant or privileged information found. Data breach review requires much of this same reporting, but also requires on-demand sensitive data reporting of the numbers and types of protected elements found for each jurisdiction.
[Post updated to reflect Part II and Part III]