Our Insights

Thought Leadership and Industry Trends

Home 9 Insights 9 Critical Considerations for Sensitive Information in a Data Breach

Critical Considerations for Sensitive Information in a Data Breach

Jan 18, 2024

Everyone has a legal and moral duty to collect and manage data responsibly. Mishandling sensitive data can pose significant risks to individuals, organizations, and even society as a whole. One of the greatest potential risks associated with mishandling sensitive data is a data breach.

Data breach is a rising liability for large corporations. In 2023, the global average data breach cost was $4.45M per breach, while the U.S. average was $9.44M per breach, according to IBM’s annual Cost of a Data Breach Report. Data breaches are extremely hard to prevent, as hackers frequently target individuals who inadvertently provide them access to sensitive information. Additional risks associated with a data breach include:

Identity theft. Stolen personal information, such as Social Security numbers, credit card details, or addresses, can be used to commit identity theft. Criminals may use this information to open fraudulent accounts, make unauthorized purchases, or engage in other criminal activities. The Federal Trade Commission (FTC) reported receiving over 1 million reports of identity theft in 2022.
Financial loss. Mishandling sensitive financial data can lead to significant financial losses for individuals and organizations. Businesses may also incur financial damages due to the costs associated with investigating and mitigating the breach, implementing security improvements, compensating affected individuals, and dealing with legal proceedings. According to IBM’s report, despite the spiraling costs of a data breach, more than half of all breached organizations plan to pass the costs onto consumers rather than boost security investments.
Regulatory non-compliance. All U.S. states, the District of Columbia, Puerto Rico, and the Virgin Islands have approved data breach laws requiring notification of security breaches involving personal information. Mishandling sensitive data may lead to non-compliance with these laws, resulting in potential legal consequences and fines.
Espionage and cyber warfare. Malicious actors may target sensitive data for espionage purposes or cyber warfare, leading to potential national security risks. According to the Center for Strategic and International Studies (CSIS), Russian cyberattacks on military command and control centers continue to be a critical aspect of the war in Ukraine.
Loss of competitive advantage. Businesses often rely on proprietary information and trade secrets for a competitive edge. Mishandling such information can lead to a loss of competitive advantage and damage market position. Customers may lose trust in a company for failing to protect sensitive information, and rebuilding trust can be a lengthy and challenging process.
Loss of privacy. Mishandling personal data can infringe on individuals’ privacy rights, and this erosion of privacy can have significant social and ethical implications. A data breach leads to losing control over one’s personal information, and individuals feel helpless as their data is disseminated without their consent.
Operational disruption. Data breaches can disrupt normal business operations, negatively affect productivity, and require costly recovery efforts. According to Infosecurity Magazine, publicly traded companies suffered an average drop of 7.5 percent in their stock values after a data breach, and it took an average of 46 days for stock prices to return to pre-breach levels.
Reputational damage. Data breaches can also cause irreparable reputational damage, especially for organizations that work in the legal technology and financial spaces, e.g., law firms, eDiscovery software and service providers, and financial institutions. Loss of trust from customers, partners, and the public can have long-lasting consequences and may impact business relationships.

Protection from data breaches requires stringent security protocols, technology, and continual education of employees on data handling. When a breach occurs, the clock starts ticking from the moment it is discovered. In addition, companies must comply with costly breach mitigation and notification procedures, often in compressed time frames.

Using eDiscovery Tech to Respond to a Data Breach

Organizations increasingly use technology solutions initially designed for eDiscovery as part of their data breach response plan. AI-powered eDiscovery systems can provide better context for prioritization and response to data security alerts to facilitate a faster response to incidents and identify root causes to lessen vulnerabilities and prevent future issues. AI can also be a force multiplier, helping teams automate time-consuming activities and streamline containment and response.

E-Discovery specialists are well positioned to help with the review and notification process following data breaches using some of the tools and technologies already in place for eDiscovery review. In addition, new purpose-built data breach review tools have been created to assist with the breach review and notification process. These tools focus on identifying PII and sensitive information and the custodians they belong to and preparing a notification report for affected individuals.

Data breaches may be inevitable. However, the ability to respond with eDiscovery software that utilizes AI and automation can help organizations shorten response times, comply with tight reporting deadlines, maintain an audit trail, and save money as well.

CDS provides a full range of advisory services related to data breaches. To discuss how we can streamline your organization’s response, contact us at for a consultation today.

About the Author

Nicole Guyer

As Client Director at CDS, Nicole advises attorneys and ediscovery practitioners on managing electronic data through the EDRM lifecycle. She is passionate about developing sophisticated workflows and takes a hands-on consultative approach. She draws on more than a decade of eDiscovery experience to advise clients on advanced analytics and litigation support technologies to efficiently investigate data, cull data volumes and implement cost-saving solutions. Nicole has also managed large-scale document review projects and assisted with privilege reviews and privilege log creation. She is a Relativity Certified Administrator.

01 May 2024

7th Annual Putting Insights into Practice Forum

Navigate a virtual journey through today’s biggest legal data management challenges at PIIP 2024: ADVENTURES ON THE DATA CONTINUUM

Find out more

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
oktgid	1 year	This cookie is used for storing the visitor ID of the user who clicked on an okt.to link.
oktsid		This cookie is used for storing the session ID of the user who clicked on an okt.to link.
pardot	past	The cookie is set when the visitor is logged in as a Pardot user.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
_dc_gtm_UA-109542572-2	1 minute	No description
_hjAbsoluteSessionInProgress	30 minutes	No description
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description
_hjTLDTest	session	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 8 months 26 days 9 hours 2 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Our Insights

Thought Leadership and Industry Trends

Critical Considerations for Sensitive Information in a Data Breach

Using eDiscovery Tech to Respond to a Data Breach

Nicole Guyer

7th Annual Putting Insights into Practice Forum

Our Blog

Sign Up for Our Newsletter

About CDS

Contact Us