Data breaches are a universally frightening prospect in today’s world. Neither consumers nor companies have an appetite for these digital violations, but the reality is that they’re becoming increasingly common: in 2020, the volume of records compromised in data breaches jumped by over 141 percent compared to the previous year.
During Relativity Fest 2021, attendees listened in on a session entitled “Data Breaches: How Law Firms Can Leverage AI to Respond With Speed, Clarity, and Precision.” Presenters discussed how some law firms are adapting to provide new services in the face of these threats, using AI to identify personally identifiable information in compromised data more quickly. Their goal is to help companies notify those affected by breaches and respond to incidents in a more timely manner.
It's a critical service, as companies don’t have the luxury of taking a slow and steady approach to this process—aggressive regulations are pushing for tighter response timelines and data breach assessments across regions. Fortunately, a few best practices can help extinguish the fires and give everyone a leg up in protecting themselves from the consequences of a breach.
First, Organize That Data
Your very first step to protecting your organization from a breach should happen long before that breach even occurs.
“We often think ‘I’ve been breached—how do I handle it?’ is the first question,” Jeremiah Weasenforth, head of data and discovery strategy at Orrick, said during the Relativity Fest session. “But we should first be asking a lot more”—and a lot sooner.
Jeremiah ticked off a few questions all organizations should ask themselves as a matter of course:
- How are we storing customers’ data and where is it located?
- Do we have PII we’re sending around, such as Social Security or account numbers, between employees—especially in a virtual world?
- How are we dealing with inputs from our customer base? Do they send us information via a structured system, or informally by other methods?
- Are we anonymizing data stored in our systems? Or is somebody keeping spreadsheets of PII on thousands of individuals somewhere?
It may not be easy to track all of this down, but capturing and documenting all of it is essential to minimizing the damage done by a data breach down the road.
“This planning will not only help limit the impact of a data breach, but make the notification process, when it does need to happen, easier,” Jeremiah explained. “This way, you already know where this data is, what you’re looking at when it’s compromised, and what workflow you need to capture it.”
Pick Up the Pace without Panicking
Discovering a data breach is a nightmare scenario—but staying calm is important. If you have a data map on hand, using it as a guide should help you move faster and feel more in control of your response.
But even if you don’t have that map in hand, this isn’t a nightmare you need to navigate alone. Firms like Orrick and Debevoise & Plimpton are ready to assist.
“The ability to go through data quickly in response to a data breach has become critically important,” Avi Gesser, a partner at Debevoise, emphasized for Relativity Fest attendees. “Not only is there a huge increase in attacks, via ransomware in particular—there’s also a growing sophistication of attackers who take the money they get and put it into R&D and recruiting.”
Believe it or not, Avi said, criminal hacking enterprises have become both specialized and commoditized. They use the ransom money they take from their victims—often the price required, they say, to avoid the sale of stolen data (a promise they may or may not keep)—and reinvest it back into their own organizations. The funding allows them to attract and train ever greater talent, making them more formidable over time.
“This is concerning because that transfer of wealth means attackers are getting better and better, so regulators are focused on choking off that resource and forcing companies to be more proactive,” Avi continued. “Companies who suffer a breach must be better at responding, more hardy, and less likely to pay ransoms.”
Consumers, too, need protection from this increased risk. So breach notification obligations exist in all 50 US states, on top of federal and international requirements.
As a result, Avi said, “companies are under enormous pressure to figure out what data’s been taken and who they have to notify quickly.” Sometimes that deadline is as little as 72 hours.
This is where professional help comes into play. Jeremiah and Avi’s teams leverage Text IQ for Data Breach to help clients quickly parse through affected documents, searching for PII, to generate a report of affected people who require notification. The tech uses AI to flag all types of identifiable information, from Social Security numbers to names (and nicknames!) to addresses and more.
The technology, combined with the firms’ expertise, also helps companies identify which people are subject to which notification requirements—and exactly how they might’ve been impacted by the breach.
“We need to not only identify when a person’s PII is present, but how it’s connected to other information, and that’s not easy to search for,” Jeremiah said. “We could start by running broad searches for account numbers, for instance, but in a financial institution or similar type of company, that will hit on many docs that don’t necessarily contain PII. Additionally, complex searching like regular expressions may help find patterns of numbers, but they aren’t foolproof; for example, a 5-digit account number pattern might also return zip codes.”
Efficiently screening data for PII and cataloging its presence isn’t a problem that can be solved with more people—it’s a big data problem, and your best bet for tackling it is with AI.
“Don’t just throw 100 bodies at this and say ‘go nuts,’” Jeremiah warned. “It’ll be rife with error, and when done manually, you can’t focus on the one or two people at the end of the bell curve who are making mistakes.”
Build Defensible Documentation
Once you’ve identified affected individuals, you’ll need sound documentation capturing how they were impacted and what your notification process looks like from this point forward.
“We could talk all day about how difficult this could be,” Jeremiah said. Unlike data review, “you can’t throw 100 people at generating a report. We need a clean way to do that, including fixing problems like inconsistent address formatting. A tool like Text IQ for Data Breach can automatically generate this report rather than exporting data and forcing you to generate it from scratch.”
So much of the potential for recovery from a data breach comes from consumer perceptions of how an organization responds. Because these breaches are so common, falling victim to one isn’t necessarily a guarantee for a hit to your reputation—but failing to respond on time absolutely is.
“If you miss deadlines because you can’t get to data quickly enough, that puts you in a worse position than notifying people within the right timeframe,” Avi said. “There’s a real premium on getting this right.”
A solid reporting system will make that possible.
Lean on Lasting Partnerships for Lasting Lessons
In addition to keeping that data map handy—and updated—on an ongoing basis, companies can defend themselves against breaches by taking thoughtful lessons from each response exercise and implementing it into their approach for next time. This is easiest to do when you establish lasting partnerships with the firm who’s assisting you in your analysis and response.
“Law firms in this space are building these practices because this is what our clients need,” Avi said during Relativity Fest last fall. “Clients are experiencing data breaches, and this incident response work is a chance to show clients we can handle crises for them and give them important, practical, strategic advice when they really need it. I think it adds a lot of value when we can help clients navigate these incidents.”