Over the last five to ten years, companies have experienced cyber breaches on a fairly consistent basis, with hackers pursuing data for the sake of profit. Typically, data such as names, addresses, bank and credit card information has been targeted in order to commit fraud.
However, the Sony Pictures breach that occurred in November 2014[1] changed the situation. This cyber-attack targeted atypical information like employee salaries, personal emails between executives and celebrities, and creative themes and other details about upcoming films — in other words, data that was not of much benefit except for the purpose of malicious exploitation.
Increasingly, there appears to be a hierarchy among hackers — a contest of sorts — with status measured by the size, scale and impact of the hack. Companies need to assess their abilities to prepare for and respond to data breaches.
In the past, a company’s response to a breach would begin when an incident was discovered. At this stage, the extent of the breach and any specifics as to what information was taken might be unknown. Insurers, outside counsel and investigators would likely be involved at an early stage to find out what type of information was compromised, when it was taken and how quickly the leak could be stopped.
The breach landscape is, however, changing rapidly, and savvy legal and IT teams are now looking for more than just one-off breach responses. Instead they are looking to partner with experts that can handle a breach from initial detection through any resulting litigation — and offer adjacent services, such as proactive information governance — to help both reduce the risk of a data breach and minimise the damage if one does occur. Similarly, even after a data breach, that partner may offer services to handle any litigation that arises from the breach efficiently and effectively, including eDisclosure services, forensics and collections, document review, processing and production.
As the breach runs through its life cycle, litigation may arise — depending on factors such as the size of the breach, the company and consumers involved, and the nature and scope of what was taken or compromised. In the event of litigation, an organisation will require an eDisclosure service, which enables it to efficiently manage the collection, processing and review of electronic documents and communications. An experienced eDisclosure service provider will use technology to perform automated searches on collected data to determine relevance to the case at hand. Utilising technology not only speeds up the eDisclosure process but also helps manage the cost of the exercise.
With the help of its service provider, the organisation will need to prove to the regulatory authorities that it had systems in place to minimise the risk of a breach in the first instance by demonstrating that it had established, well-communicated corporate policies as to data loss prevention and any associated auditing procedures. It will also need to show that it had no advance knowledge of potential threats and that it responded with timely and adequate notice post-breach.
Document review is integral to this process, involving in-depth evaluation of the relevant communications. In data breach litigation, this process can be exhaustive, with large bodies of documents needing to be reviewed for relevance by trained experts in very short periods of time. In this scenario, an outsourced solution for document review — with secure facilities, tested training methodologies and review workflows — is essential.
Recent high-profile data breaches have put the threat of malicious hacking in the spotlight, raising fears of regulatory punishment and severe damage to corporate reputation. Organisations need to take control of the whole data breach cycle, working with information governance experts to take a more proactive approach to prevention and developing a more holistic, end-to-end response in the case of detection. As hackers become more sophisticated and less predictable, organisations are increasingly engaging with experts to counter the threat should it arise.
Brookes Taney is Vice President of Data Breach Solutions at Epiq Systems
[1] BBC News, ‘Sony Pictures computer system hacked in online attack’, http://www.bbc.co.uk/news/technology-30189029, 25 November 2014