Sensitive information can be broadly defined as any information that could cause harm if accessed without authorization, which is why it presents such a unique challenge in eDiscovery matters. eDiscovery requires the identification, collection, review, and production of relevant information as expediently as reasonably possible, but accounting for properly protecting sensitive information contained within eDiscovery data sets can significantly increase costs and time to compliance.
Types of Sensitive Data
There are many types of sensitive information that require careful handling during eDiscovery, including:
- Personal identifying information (PII). Names, addresses, Social Security numbers, financial and medical information, criminal information, and other data that might be used to identify an individual.
- Business and Trade secrets. Information which covers inter alia, commercial, competitive, financial, or accounting.
- Classified information. Information requiring protection against unauthorized disclosure in the interests of national defense and security or foreign relations of the U.S. pursuant to Federal statute or Executive order.
- Privileged communications. Statements made by individuals within protected relationships (husband/wife, attorney/client, doctor/patient) that the law protects from disclosure.
- Biometric data. Information that can help identify an individual based upon their physical or behavioral traits.
- Political affiliation. Data related to campaign contributions and support of specific political candidates, parties, or platforms.
- Religious and philosophical data. Information concerning an individual’s place of worship, days of worship, religious holidays observed, etc.
Additionally, new technology means new types of sensitive information are being created, such as geolocation and short message communication data. Email communications, network share drives, short message conversations (like customer service chats), internal ticketing systems where employees share usernames and passwords, and trade secret information can all present unique challenges in eDiscovery matters. For instance, specialized programming tools may contain source codes and formulas that can be challenging for review purposes.
Identifying Sensitive Data
The first step in identifying sensitive data is analyzing and mapping where it may exist within an organization. Questionnaires, custodian interviews, and other discussions with the client are often helpful in developing a data source map relevant to the litigation. This data map will help confirm that all relevant data is preserved and help facilitate the overall data collection process.
When eDiscovery begins, one of the first steps should be to review the organization’s data map to understand the relevant data sources and where they can be found within the organization’s data systems. It is also important to treat the data map as a living document, updating it regularly to reflect the most up-to-date state of the organization’s systems.
The next step is to determine if collection of the sensitive data is absolutely necessary, and if so, to implement a protocol that continues to protect the data while ensuring the collection is proportional. Once data is collected, certain data types, like short message communications, may need to be converted to data formats that can more readily be ingested for processing into review platforms. During review, documents and communications that contain sensitive data must be identified and those documents and the sensitive information therein must be redacted in order to comply with any legal and regulatory obligations prior to being produced in any time of production.
Without leveraging technology, the process of identifying personal and sensitive information for redaction can be extremely tedious, time-consuming, and fraught with error. Fortunately, providers like CDS have developed tools and techniques like pre-defined or customized regular expression and text searches to help identify documents containing personal information. For example, our proprietary CDS Vision dashboards allow clients to easily pinpoint and address sensitive data across collections. Another CDS tool, CDS Convert, processes and converts chat messages and other short message formats so they can be reviewed alongside email. In addition, tools such as Relativity’s own PI Detect and Redact, and Relativity app Blackout can help streamline the identification and redaction of PII and other sensitive data.
The Legal and Regulatory Implications of Handling Sensitive Data
The GDPR provides a specific definition of personal data as well as sensitive data, or “special categories of personal data” as referred to in the GDPR and the requirements for protecting such data. Whereas in the U.S., various federal and state laws cover different aspects of privacy, making protecting sensitive data more challenging. For example, the CCPA does not define sensitive data, nor does it categorize “special categories of personal data,” but it does define biometric data and covers personal information, which one could argue includes sensitive data in the broad range of personal information. Although many U.S. state laws draw on GDPR as a guideline, and more and more states are adopting privacy regulations these regulations are not thoroughly comprehensive, which will require U.S. corporations to be more proactive in the way they handle, store, and protect sensitive information now and in the future.
Handling sensitive information and the nuances involved must be addressed early in the eDiscovery process. Remediation for mistakes can be costly, and ignoring the regulations or believing they don’t apply to “your data” is not a sufficient excuse to the regulators. Large corporations are not alone when it comes to fines by regulators; smaller organizations can also be assessed penalties. By comparison, the monetary penalties issued by the EU under GDPR are more substantial (up to 4% of global annual turnover or €20 million) compared to the CCPA, for example ($2,500 per violation). In the long run, however, reputational damage could be more costly than any fine.
Planning for sensitive data during eDiscovery and preparing the organization and legal teams is essential for avoiding any legal ramifications. This due diligence will provide the time to better understand the obligations required and what may be necessary to address them. The legal and regulatory requirements of GDPR and privacy laws throughout the U.S. differ in many ways and have various nuances and requirements, which make it even more essential to develop strategies for working with sensitive data no matter what jurisdiction.