How to Prevent the Disclosure of PII
Personally identifiable information, or PII, is a major pain point in eDiscovery, not only because inadvertent disclosure of PII can have major financial and legal ramifications, but also because there are moral and ethical implications at play. The biggest challenge to effective security is how easily PII can accidentally slip into the everyday documents your organization controls, and how hard it is to find all those needles in that giant haystack. Law firms and eDiscovery service providers regularly handle sensitive information, so preventing the disclosure of that information must be a priority. To start, make sure you’re following three basic rules:
Understand and Identify PII
PII is any private, personal information that can be used in combination with individuals’ names to gain additional information, or that is sufficient on its own to perform identity theft. This can include Social Security numbers, credit card numbers, passwords, ID numbers, or access codes, to name just a few from a very long list. While you’re probably already using discovery to identify information relevant to your case, you might not be on the lookout for PII creeping into your documents. But opposing counsel might be. There is technology available that can add PII discovery to your current workflow and quickly flag any Social Security or credit card numbers for special review. Comb your data for PII specifically, and don’t let sensitive information slip through the cracks.
Get a Protective Order
It’s common practice during litigation to seek a protective order from the court when case matter involves sensitive information, but teams often forget to include important stipulations, like what constitutes a breach or how far sensitive data can be distributed beyond counsel. Perhaps it’s necessary for opposing counsel to see names and passwords, but your court order needs to explicitly say they aren’t allowed to pass that information to their client or consultants. Also be sure to include how your team should be notified in the event that there is a leak.
Secure the Data
Knowing how tricky PII can be and placing court orders on its security are two important steps, but the best way to ensure the wrong people don’t find the right information is to remove access entirely. Inappropriate disclosure can’t happen when there’s no data to disclose. Encrypting sensitive data is an effective tool for safeguarding PII as long as the key remains uncompromised, so make sure the opposing party can’t decrypt it and use it to their advantage. Safer still is redacting PII, which removes sensitive information completely. It cannot be decrypted or recovered because it’s gone, allowing you to rest easy knowing it can’t fall into the wrong hands. Manual redaction can be tedious, error-prone, and expensive, though, as reviewers go through line by line looking for sensitive information to redact. Our product, Blackout, automates the redaction process across data sets and even lets you establish specific PII patterns you want to identify and redact, saving time and resources while ensuring a higher level of data security.
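To make the flagging and pattern-based redaction described above concrete, here is an added example (not from the original post, and not how Blackout works) that finds Social Security and credit card numbers in text, validates them to cut false positives, and redacts them. The regular expressions, function names and sample text are assumptions made for illustration.

```python
import re

# Assumed patterns (not from the original page): US SSNs written with dashes,
# and 13-19 digit card numbers with optional space or dash separators.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def ssn_is_plausible(area, group, serial):
    """Reject never-issued values: area 000, 666 or 9xx; group 00; serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum used by payment cards; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Return sorted (start, end, kind) spans for validated SSNs and card numbers."""
    hits = [(m.start(), m.end(), "SSN") for m in SSN_RE.finditer(text)
            if ssn_is_plausible(*m.groups())]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append((m.start(), m.end(), "CARD"))
    return sorted(hits)

def redact(text):
    """Replace each validated hit with a labelled marker; the value is not kept."""
    out, pos = [], 0
    for start, end, kind in find_pii(text):
        if start < pos:                     # skip a span overlapping the previous hit
            continue
        out.append(text[pos:start])
        out.append(f"[REDACTED-{kind}]")
        pos = end
    out.append(text[pos:])
    return "".join(out)

# Constructed sample text using well-known test values, not real data.
SAMPLE = ("Claimant SSN 078-05-1120, card 4111 1111 1111 1111 on file.\n"
          "Invoice 1234 5678 9012 3456 and part no. 000-12-3456 are not PII.\n")

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The second sample line shows why validation matters: both values match the raw patterns, but one fails the Luhn check and the other uses a never-issued area number, so neither is flagged.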
For more information on PII and eDiscovery, attend our webinar, which we’re co-hosting with Altep and kCura, on Thursday, February 18th at 11am CT. A panel of industry experts will discuss the ways you can use technology to prevent inadvertent disclosure. Sign up on kCura’s website to attend.