Know the regulations, stop relying on manual PII document review, and deploy the right technology for the job to ensure you can find compromised PII and notify faster and easier.
Data incidents are the new normal. According to USA Today, several data breaches in 2018 topped the list of some of the biggest of all time affecting billions of individuals and costing companies “tens of millions of dollars.”
What’s most worrying, however, is not the size of the data incidents, but the rate at which they occur. The number of data breaches was up nearly 20% higher in 2018 than in 2017 and this year has already seen several announcements around significant data breaches within the financial industry. One legal service provider we talked to went from zero data breach cases just two years ago to more than 200 last year.
Meeting the new regulatory and corporate standards for locating compromised personally identifiable information (PII) quickly and notifying customers is likely one of the most difficult and costly challenges facing both in-house incident response teams and legal service providers. Here’s why and what to do about it.
#1. Know the PII regulations.
With GDPR officially in effect across the EU as of May 2018, corporations are required to notify a supervisory authority within 72 hours of a breach being discovered. This is far stricter and faster than even HIPAA which allows up to 60 days.
Although there is no federal equivalent in the US, GDPR applies to the personal data of any EU resident. This means any US company that has PII on any EU resident must comply with the strict guidelines and deadlines or face significant fines. Since GDPR has been in effect, more than 59,000 data breaches have been reported and 91 fines doled out, including the $57 million that Google was hit with for “not properly disclosing to users how data is collected across its services.”
Additionally, there are any number of state laws that impact how PII should be handled, especially after a data breach. California’s Consumer Privacy Act of 2018 has been lauded as “the first U.S. attempt at a comprehensive data protection law” according to the International Association of Privacy Professionals and is expected to impact how businesses across the nation treat PII.
#2. Stop relying on manual PII document review.
Manual PII document review requires incident response teams or legal service providers to scramble to pull together often large teams of reviewers to comb through the data as quickly as possible.
According to Gartner, more than 80% of a company’s data is likely unstructured and researchers predict that amount will increase by more than 800% over the next few years. So, even with standard eDiscovery technology, this can be a daunting and costly task.
The process is so costly, in fact, insurance providers companies have begun to balk at picking up the tab for PII document review completed by attorneys. As a result, many document review companies are hiring non-attorneys to perform document review tasks.
The inevitable loss in quality and comprehensiveness is a significant risk for companies that rely on the accuracy of PII document review to meet ever-stricter regulations. So, what can budget- and time-constrained companies do?
#3. Deploy the right technology for the job.
Some teams are trying to adapt eDiscovery tools in an effort to create smarter post-data breach review processes, but many of these technologies are still limited.
A few tools have machine learning modes or applications that can learn from decisions made by a review team, but they are often mostly untrained out of the box and aren’t transparent about how the algorithms work. And poorly trained systems can deliver inconsistent results.
Look for an eDiscovery technology solution that offers linguistics-based text analytics and, preferably, a mode or application specifically for PII document review or GDPR compliance. Such a solution doesn’t just rely on just an algorithm to work on individual (and likely vague or ambiguous) words. It combines large dictionaries and millions of pre-programmed rules on how words are used both individually or together to communicate meaning.
While all eDiscovery platforms are designed to find specific data, not all technologies or service providers are set up for identifying compromised data post-breach quickly or easily. Choose an eDiscovery partner that offers the ready-made technology to identify and extract PII no matter where your data is–emails, PDFs, CRMs and more–or what the PII includes.