So You've Been Breached ... Now What?

Kristy Esparza

You’ve seen the headlines, heard the horror stories. Heck, you’ve probably received an email or two warning that your data has been compromised. In today’s digital world, data breaches are inevitable.

So, when (not if) a breach happens to you … what will you do? Is your team prepared?

That was the topic of discussion at our Relativity Fest panel: “So You’ve Been Breached: Now What?” Relativity Chief Security Officer, Marcin Święty, led the discussion with three cybersecurity and legal experts to explore data breach response—how to prepare for it, how to respond to it, and why e-discovery professionals are uniquely equipped to handle these crises.

Breaches, Breaches Everywhere

Data breaches vary widely in scope, and the definition of a breach isn’t standard. As Linda Sheehan, head of intelligENS at ENS, explained, a breach typically involves some form of unauthorized access to information, but the impact can be different depending on the laws in the region.

“A data breach itself is very broad in terms,” Linda noted. “Regulators look for unauthorized access, and depending on jurisdiction, this might require [evidence of] substantial harm.” However, Linda cautioned organizations to define breaches more broadly than the regulators and take every incident seriously. After all, any time information is taken, it can have serious reputational and financial consequences.

To drive the point home, Pat Kellerman, managing director at PwC, shared some sobering statistics from PwC’s 2024 Global Digital Trust Insight survey. Among the approximately 4,000 executives surveyed, a staggering 36 percent reported experiencing a breach that cost their organization $1 million or more—a 10 percent increase over the prior year. Thirteen percent faced breaches costing $10 million or more.

Despite these scary ramifications and the known risks, many organizations remain unprepared. PwC’s 2025 survey revealed that only two percent of executives felt their company had implemented cyber resilience actions across their organization.

Understanding and accepting that data breaches are inevitable is only part of the equation. Preparation is key to responding more effectively: “Your cost in responding to a breach is materially lower if you do the preparation in advance,” Pat said.

Where Do You Start? The Team, The Team, The Team

Handling a data breach requires collaboration across various departments and external partners. However, you cannot wait until the ship is on fire to figure out who knows how to work the extinguisher. Get your breach response plan and people in place today.

The panelists all strongly advocated for a RACI chart to define who’s Responsible, Accountable, Consulted, and Informed for each stage of a breach response. To help develop that RACI, they recommended running tabletop exercises—simulations of real-world attacks—to help you identify and fill in gaps before the real thing happens.

“If you haven’t done a tabletop before a breach hits, it will be like that meme where Spider-Man is pointing at himself,” Pat joked.

For Jason Pickens, vice president of cybersecurity at JPMorgan Chase & Co, building relationships across the business—outside the context of breach response—is equally important.

“You can plan all you want to, but without having key contacts across the space, it’s going to be very difficult to get things moving quickly,” he advised. “Building those relationships over time has been very beneficial for me. Network in your environment, especially in larger organizations where there’s a big depth and breadth.”

As a cybersecurity expert, Jason also encouraged the audience to partner with their cybersecurity teams early on: “We are your friends. We are here to protect our organization.”

Know What to Communicate with the Regulators

Compliance with legal and regulatory requirements is crucial to maintaining stakeholder trust and avoiding penalties, and your legal team will play a critical role in navigating this landscape and ensuring compliance.

“Preparing for and being able to earn trust from a variety of regulators is critical,” Pat said. He went on to explain how the industry is seeing a big trend toward “investigating the investigation,” post breach. To help with those hurdles, Pat recommends considering and deeply understanding two key questions:

1. What happened?

“A zero-day attack, where you’re the victim of a crime, is different from a known vulnerability that hadn’t been patched for a year,” Pat offered as an example. He advises that, out of the gate, you understand what happened and communicate that to the regulator.

2. Do you have it under control?

This is where preparation, once again, becomes critical. You need to show regulators that you have a plan in place and are taking decisive action toward outcomes. “That will get trust and buy-in from the regulator so that a breached organization is viewed as a cybercrime victim rather than the perpetrator of something nefarious,” he explained.

Recognize the Strengths of Your e-Discovery Team

“When we think of breaches, it’s really discovery at a massive, emergency scale,” Jason pointed out. “But there are different people involved, who have never done discovery before and don’t know what the process is. We as technologists, lawyers, and regulators need to be able to project manage the breach in a way to allow [a successful] response to happen.” 

While e-discovery professionals are used to working under tight deadlines, the timelines in a breach response are even more intense. As Linda pointed out, organizations not only face regulatory deadlines, but also deadlines imposed by cybersecurity insurance policies.

“On day one, you have two ticking time bombs: you have the notification requirement in the policy and you have the regulation requirement. Your insurance policy will [often] dictate a smaller time,” she said.

Unlike traditional discovery, breach response requires you to move faster—you need to understand the blast radius, the data impacted, and where to focus your efforts. Here, familiar frameworks can be useful, but they’ll need to be adapted for the urgency and scale of a breach.

“We all have a framework we’re comfortable with and it works: the EDRM. But there are critical differences between a breach and traditional discovery that we need to recognize. We need to take our current skill sets and upskill and know who to bring in,” Pat said.

Old School Meets New School: The Use of Technology

In terms of what technology to use, it may be a combination of old methods and new.

“Old-school ways are still used today,” Jason explained. “File lists can really help you understand project areas we should be talking about. Things like ‘My Secret Project Folder,’” he said in jest.

At the same time, new technologies, especially AI, are transforming breach response. Pat pointed out that the structure and repetitive nature of data in breaches make it ideal for generative AI workflows. Jason agreed, noting that the AI used in a breach won’t be something like ChatGPT—instead, AI is an “asset inventory.”

“It’s a paramount way of understanding what to do in a breach, how to measure it, how to respond to it, understanding where your data is, where confidential information is, how you classify it and label it,” he explained. “You’re breached; now what? Where’s your data? What do you do with it? Who’s got it?”

A New Frontier for e-Discovery Pros

To wrap up the discussion, Marcin asked each panelist to share their final takeaways.

In addition to stressing the importance of partnering with your cybersecurity team, Jason encouraged the audience to encrypt everything. “Use two-factor authentication and don’t store anything.”

As for Linda, she gave sage advice about mergers and acquisitions and echoed the importance of partnering with your cyber team: “Whenever you’re doing any kind of due diligence, bring in [the cybersecurity team] from the very beginning. They’ll be able to help with risk exposure.”

Pat urged the audience to take breach preparedness seriously and then left them with a call to action.

“Dive into this space. It’s exciting, and we [as e-discovery professionals] are good at it because of the framework we know so well. Let’s challenge ourselves to put into effect the new generative AI workflows and workstreams we’re thinking about. Lean into tech, validate, iterate, and put together that story.”

Kristy Esparza is a member of the marketing team at Relativity, specializing in content creation and copywriting.
