
Post on 21-Aug-2020


Large PII & PHI data-breach ignites a successful managed review.

Summary

Client industry: Cyber Risk Management

Business challenge: Data breach review of personal information with a tight turnaround time in multiple locations.

Highlights/outcomes: A successful Managed Review using Relativity technology and hosted services in which 68% of the documents underwent a stringent quality control process under a tight turnaround time, resulting in an 89% accuracy rate.

Opportunity

The Client engaged the managed review services of Special Counsel, Inc. to conduct a data breach review to identify whether Personal Identifying Information (“PII”) and/or electronic Protected Health Information (“ePHI”) had been compromised within a set of documents whose security had been breached through their client’s Office 365 environment. What constitutes ePHI is determined by the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and there are various state and federal laws outlining the notification requirements for individuals, including, for example, customers, clients, employees, and/or independent contractors, whose PII and/or ePHI has been compromised. What is determined to be PII/PHI is dependent upon not only federal law, but on each state’s law, so each data breach project must be handled individually to ensure that the list of applicable PII/PHI is consistent with the applicable state’s laws, and each protocol must be individually crafted to the applicable state law.

Business Challenges

It is customary that notice must be provided to those affected within 60 days of the discovery of the breach, so this review, like others involving data breach, had a very tight turnaround, as it is often many weeks from the time of discovery until the documents/data are made available to Special Counsel for review. In addition to the managed review services of Special Counsel, D4 processed and hosted the relevant data/documents and worked directly with the Clients to determine the types of potential PII and/or PHI that would be subject to this review. This was one of many data breach managed review projects contracted between the Client and Special Counsel this year and is substantially different from traditional managed review projects done for purposes of discovery/production.

EQ is the legal consulting division of Special Counsel—the nation’s largest full-service provider of legal solutions. To learn more about M&A support and eDiscovery project management, contact your local EQ location today. specialcounsel.com


Engagement / our solution

The primary responsibility of the review team for a data breach project is to identify whether any individual and/or business PII and/or PHI was contained within the breached documents, what type of PII/PHI was contained within those documents, and to extract as much identification and notification information from them as possible so that the Client can provide written notice of the breach to those businesses and individuals affected. All this information is recorded within the Relativity data review platform, and the final product provided to the Client is a Final Notification Report in an Excel spreadsheet outlining the individuals and/or businesses, types of PII/PHI breached, notification information and the document numbers where the breached information was located.

The project started with a team of 11 review attorneys and one managing attorney, all of whom had prior experience with data breach projects. The review attorneys were tasked with reviewing 8,175 documents. The managing attorney noticed on the first day of the review that there were some documents within the review universe that were poorly formatted and appeared to potentially contain PII/PHI for many individuals (in some documents up to several hundred) and that several of these documents were very lengthy (500-1000 pages).

Special Counsel developed a mass overlay spreadsheet to record the names, contact information and types of PII/PHI for documents containing a large number of individuals, from which they can enter the information into the review platform in a much shorter time than can be done manually by the review team. Due to the poor formatting of these documents, the mass overlay spreadsheet would not be effective for 271 of the poorly formatted documents with potential PII/PHI. These were coded as Needs Further Review and set aside while the other documents were processed.

Within 4 days, the team had completed the review of all the documents in the review set, except the 271 documents coded as Needs Further Review. As these documents were reviewed, the rate of review dropped from approximately 25 documents per attorney per hour to 0.5 documents per attorney per hour, due to the poor formatting and the large number of potential individuals with PII/PHI contained within. Three days later, Special Counsel made the decision to suspend the review until feedback and direction were received from the Client and Counsel on how to handle these documents. At this time there were approximately 147 documents that remained to be reviewed and coded.

Five days later, the Managing Attorney began receiving feedback from Counsel on these poorly formatted documents and worked directly with Counsel over the next couple of days to determine that of the remaining 147 documents, only 33 had potential PII/PHI. Within three days, the Managing Attorney created a list of the 33 document ID numbers and a search within Relativity for these documents and provided them to Counsel for further review and feedback on how to proceed. Two days later, Counsel responded that they had reduced the number of documents with potential PII/PHI to 7, but that these documents appeared to contain hundreds (if not thousands) of potential individuals. Six days after that, Counsel agreed to reinstate the project with 2 review attorneys, and arrangements were made to re-start the project with four days and two review attorneys who had extensive experience with data breach projects.


| Documents | Totals | % |
|---|---|---|
| Total documents | 8,175 | |
| Documents reviewed | 8,175 | 100% |
| Documents not reviewed | 0 | 0% |

| PII responsiveness | Totals | % |
|---|---|---|
| Responsive | 1,018 | 12.45% |
| Not responsive | 6,664 | 81.52% |
| Foreign language | 4 | 0.05% |
| Review tech issue | 153 | 1.87% |
| Needs further review | 0 | 0.00% |
| Responsive due to family | 336 | 4.11% |

| ID related tags | Totals | % |
|---|---|---|
| Social security number (full) | 6,905 | 125.36% |
| Driver’s license number (full) | 0 | 0.00% |
| State identification number | 1 | 0.02% |
| Passport number | 2 | 0.04% |
| Unique or other government issued ID number | 13 | 0.24% |

| PII type | Totals | % |
|---|---|---|
| Business | 117 | 1.43% |
| Individual | 5,391 | 65.94% |

| Other vital information | Totals | % |
|---|---|---|
| Marriage certificate | 2 | 0.04% |
| Parent’s legal surname prior to marriage | 7 | 0.13% |


| Financial related | Totals | % |
|---|---|---|
| Financial account number | 47 | 0.85% |
| Security code or password for a financial account | 9 | 0.16% |
| Credit or debit card number (full) | 18 | 0.33% |
| Credit/debit card security code or password | 16 | 0.29% |

| Tax related | Totals | % |
|---|---|---|
| Individual taxpayer identification number | 62 | 1.13% |
| Employer taxpayer identification number | 276 | 5.01% |
| IRS e-file PIN | 1 | 0.02% |

| Health related | Totals | % |
|---|---|---|
| Medical history/treatment/diagnosis | 20 | 0.36% |
| Health insurance policy or subscriber number | 1,745 | 31.68% |
| Health insurance application or claims information | 154 | 2.80% |
| Health information | 70 | 1.27% |
| Identified patient | 53 | 0.96% |

| Account access | Totals | % |
|---|---|---|
| Email address and password | 25 | 0.45% |
| Username and password | 62 | 1.13% |
| Security code/access code password | 18 | 0.33% |

8,175 documents reviewed

25 documents reviewed per attorney, per hour


Outcomes / highlights

The managed review portion of this project was completed within a month, which included all targeted QA searches, de-duplication and normalization, at which time Special Counsel created the final notification report for the client.

Of interest is that during the managed review portion of this project, Counsel reached out directly to the Managing Attorney to inquire about assistance with a separate matter, and the Managing Attorney was able to provide Counsel with the resources to assist with this additional matter. As is common in data breach cases, notification information (address, phone number, etc.) cannot always be located within the documents. Counsel had the ability to obtain addresses for individuals contained on the notification report through use of their SSNs from a third-party vendor. Counsel asked Special Counsel to extricate the SSNs from the documents for those individuals identified on the notification report as having had their SSNs breached. The Managing Attorney was able to quickly identify the resources needed to complete this request, and worked with sales, D4 and Solutions to have a team of six attorneys available to begin this extrication on the morning following the request. This entire six-person team had prior data breach experience. The team was able to extricate the SSNs for approximately 1500 individuals that same day, and Special Counsel was able to provide the requested information to Counsel before the end of the day. For a second time, the managed review portion of this project was completed.