How to Assess Data Breach Impact

September 7, 2023

In the world of cybersecurity, law firms play a pivotal role when crisis strikes. As clients look for guidance in the aftermath of a cyber event, the critical first step is a swift assessment of the compromised data’s “blast radius.”

Determining whether it constitutes a legal data breach and evaluating its materiality is key. 

When Personally Identifiable Information (PII) is compromised, disclosure becomes obligatory and time-bound. The challenge is that IT teams often lack the insight to determine the scope of a breach because they don’t know what sensitive data they hold or where it is located.

Rethinking eDiscovery Tools: A Quest for Accuracy 

While traditional eDiscovery tools are a go-to solution for many law firms because of their convenience and perceived cost-effectiveness, their limitations become apparent in data breach incidents. These tools rely on keyword searches and regular expressions (regex). For example, a search for Social Security numbers might combine keywords such as “Social” or “SSN” with the pattern “xxx-xx-xxxx”.

This approach demands a separate, extensive keyword search for each type of sensitive data that may have been compromised: phone numbers, email addresses, passport numbers, health records, national identification numbers, and more.

Despite some eDiscovery solutions offering pre-built searches for popular data types, the process remains labor-intensive and manual, often leading to either incomplete or overly inclusive results. 

Precision Matters: Overcoming Under Inclusiveness and Over Inclusiveness 

The negative outcomes of this approach are two-fold: under inclusiveness (true matches missed) and over inclusiveness (false positives returned).

Under inclusiveness occurs when searches for personal information fail to return documents that contain PII, Protected Health Information (PHI), Payment Card Industry (PCI) data, or other protected information.

Missing results are very common with eDiscovery solutions.  

For instance, a search that looks only for U.S. driver’s licenses could miss state IDs or national IDs issued by other countries. Variation in how individuals or teams enter data can also create misses if those variants weren’t considered when the search was built.

Or, a search for telephone numbers could miss results if a number was formatted differently from xxx-xxx-xxxx or if the area code was omitted. Another common example is email addresses: there are over 1,600 domain extensions (.com, .gov, .edu, .co, .us, etc.).

If these aren’t all accounted for, matches will be missed, leaving an incomplete grasp of the breach scope. This can lead to inadequate resilience strategies and missed disclosures, jeopardizing compliance.

On the other hand, over inclusiveness arises when false positives—results erroneously flagged as PII—are returned. For instance, a product code might trigger a false positive because it happens to match the pattern. As a result, eDiscovery solutions may return around 50-60% of documents as matches, while the share of documents that actually contain PII is much smaller.
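The two failure modes above, shown side by side. This is an added example, not Spirion’s code: the sample lines are constructed, the “naive” patterns stand in for a keyword/regex eDiscovery search, and the “tight” scanner accepts common entry-style variants and then rejects values the Social Security Administration never issues (area 000, 666 or 9xx; group 00; serial 0000).

```python
import re

# Naive patterns: the single exact format a keyword/regex search typically uses.
NAIVE_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
NAIVE_PHONE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")

# Tighter scanner: tolerate dashes, spaces, dots, parentheses and a missing area
# code, then validate the SSN structure to drop look-alikes such as product codes.
FLEX_SSN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
FLEX_PHONE = re.compile(r"(?<!\w)(?:\(?(\d{3})\)?[-. ]?)?(\d{3})[-. ]?(\d{4})\b")

# Constructed sample text: two real-looking SSNs entered in two styles, three
# phone numbers in three styles, and a product code shaped like an SSN.
SAMPLE = """\
Employee SSN: 123-45-6789 (HR record)
Alt entry style: 123 45 6789
Call 415-555-0123 or (415) 555 0123, desk ext 555-0123
Part number SKU 000-12-3456 ships Monday
"""


def valid_ssn(area, group, serial):
    """Reject values the SSA never assigns (area 000/666/900-999, group 00, serial 0000)."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def naive_scan(text):
    """Under-inclusive (misses '123 45 6789') and over-inclusive (flags the SKU)."""
    return {"ssn": [m.group(0) for m in NAIVE_SSN.finditer(text)],
            "phone": [m.group(0) for m in NAIVE_PHONE.finditer(text)]}


def tight_scan(text):
    """Accept entry-style variants, then keep only structurally valid SSNs."""
    return {"ssn": [m.group(0) for m in FLEX_SSN.finditer(text) if valid_ssn(*m.groups())],
            "phone": [m.group(0) for m in FLEX_PHONE.finditer(text)]}


def compare(text):
    """Hit counts per data type for both scanners, for a quick precision/recall check."""
    naive, tight = naive_scan(text), tight_scan(text)
    return {k: {"naive": len(naive[k]), "tight": len(tight[k])} for k in naive}


if __name__ == "__main__":
    for name, scan in (("naive", naive_scan), ("tight", tight_scan)):
        print(name, scan(SAMPLE))
    print(compare(SAMPLE))
```

On the sample, the naive SSN search returns one true hit plus the product code and misses the space-separated SSN, while the naive phone search finds only one of the three numbers.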

The costs are substantial. An oft-cited analysis by Anne Kershaw (see Reference below) estimates an astonishing cost of $18,750 for each gigabyte of data that must be reviewed. This estimate assumes that a GB of data equals 75,000 pages, that reviewers can complete 50 documents per hour, and that the cost per reviewer is a conservative $50 per hour.

With data volumes growing, this approach is not only time-intensive but makes it practically impossible to meet regulatory and stakeholder demands.

How To Assess the Impact

With the exponential growth of data and the increasing threat of cyber-attacks, Spirion offers purpose-built solutions that provide agility, resilience, and speed. 

Spirion searches, at scale, for the data that would constitute a breach if inappropriately accessed. Once that data is discovered, it is automatically protected. Three specific needs we hear from organizations around incident response and data protection are as follows:

  1. They have experienced an incident and need to understand what kind of sensitive data, and how much, may have been compromised so they can determine materiality.
  2. After completing their investigation and determining which locations were compromised, they need to identify and remediate PHI/PII data and notify impacted individuals and entities.
  3. They need visibility into all sensitive data they currently have stored, so that they can minimize and protect the data and thus limit the impact of any future adverse event.

Unmatched Accuracy: Spirion’s Data Discovery Advantage  

Spirion addresses all these needs. Battle-tested since 2006 across billions of enterprise records, Spirion’s Privacy-Grade™ sensitive data discovery solution is custom built to detect PII, Protected Health Information (PHI), Protected Credit Information (PCI), and numerous other sensitive data types across diverse file formats (including images) and environments.  

It discovers data with an exceptional 98.5% accuracy right out of the box, no AI training or repetitive searching needed! It trims document reviews to just 2-5% extraneous documents.  

Introducing Spirion Data Impact Assessment  

Spirion Data Impact Assessment (DIA) leverages the power of the Spirion platform in a new solution that empowers law firms to assist clients post-breach.

The Data Impact Assessment offers insight into compromised sensitive data, its management, and materiality. It analyzes clients’ IT environments, determining location, volume, types, and financial value of sensitive data. Armed with this information, law firms can make informed risk management decisions and meet even the tightest notification deadlines with ease. 

Maximizing Accuracy: The Path to Savings 

Spirion’s unparalleled accuracy translates to significant time and cost savings. Compared to eDiscovery tools, Spirion’s DIA can save over $100,000 and 51 weeks of reviewer time for every 10 GB of compromised data. With Spirion, precision empowers strategies and expedites precise responses to tight disclosure deadlines. 

A Solid Foundation: Spirion’s Sensitive Data Governance 

With DIA, Spirion offers clients an immediate solution for scoping the sensitive data that was compromised in a breach. If needed, a second Spirion solution, Sensitive Data Finder, can help remediate PHI/PII data and notify impacted individuals and entities.

“Locking the barn after the horse was stolen” is an axiom that expresses the futility of taking action when it’s too late, but in the case of data protection, it’s never too late. With the increasing frequency and sophistication of cyber-attacks and ever-expanding data privacy laws, an ongoing program of sensitive data governance is essential. 

To address this need, the Spirion Sensitive Data Platform offers automated, always-current sensitive data discovery, classification, and remediation – actions including quarantine to a safer location, alerts, encryption, redaction/anonymization, and other safeguards that minimize the sensitive data threat surface. Simply put, if data is secure, it can’t be exfiltrated. With Spirion’s proactive stance as the basis of a sensitive data governance foundation, data stays secure and compliant, because the best time to mitigate the damage of a data breach is BEFORE it occurs!

Reference: “Automated Document Review Proves Its Reliability” by Anne Kershaw, Reasonable Discovery, Nov. 2005.