In our last post we talked about all the places PII might be hiding and what you can do to find it. But what’s at stake if some of it slips through the cracks? We focus a lot on finding and redacting PII while data is being prepared for opposing counsel, but what are the consequences of sensitive data being produced and ending up in the wrong hands?
Federal Rule of Civil Procedure 5.2 stipulates four categories of information to be protected: Social Security numbers, names of minors, birth dates, and financial account numbers. Let’s say you work for Corporation A, which is being sued by Corporation B for work performed by a specific team at Corporation A. Each individual on that team at Corporation A becomes a relevant custodian in discovery. In compliance with Rule 5.2, you cull all the HR documents of the team members for PII to redact. What you don’t realize is that one of the team members has saved a tax document on their desktop to fax to their accountant during work hours. That information is stored on your servers, so it becomes part of the case, and you’ve missed it. You send your documents to opposing counsel for review. They won’t spend their time looking for information to redact on your behalf, so the information makes it through discovery and is brought in as a court document. Now it’s a part of the trial record, which is publicly accessible, and that individual’s information has been compromised.
So what happens when there’s a data breach? Well, that depends on which state you’re in, which federal statute the case falls under, and what the existing data breach laws are. For example, in a case regulated by the strict rules of HIPAA and in a state as diligent as Connecticut, where any information that can potentially be associated with a particular individual is considered private, PII leaks during litigation are subject to data breach notification requirements, meaning you must disclose your mistake to anyone affected, explain to them what they can do to protect themselves, and offer a solution to fix the breach. Beyond notification requirements, you can also be subject to monetary penalties, sanctions, and/or disciplinary actions against the litigators. That would mean Corporation A is subject to a wide range of possible repercussions. In one scenario, Corporation A might have to sue the contract review firm they hired in order to compel them to go back and re-review the data, securing any compromised sensitive information. Perhaps there are no punitive sanctions on Corporation A in this instance, but you’ve just lost a lot of time and money in re-review.
In another scenario, the case may be ruled a mistrial because of negligence or non-compliance. Again, Corporation A has lost a lot of time and money, but now you’ve also sullied your reputation because of a mistake in basic litigation processes, risking the loss of future clients and future revenue. But let’s also say that over the course of litigation, the employee whose information has been compromised has left Corporation A. When you notify the former employee of the data breach, they sue you for leaking their private information. Now Corporation A has lost a lot of time and money, your case was thrown out as a mistrial, your reputation is damaged, and you’re caught up in yet another lawsuit. There might be penalties to pay out to the client and possible ethics sanctions handed down from the judge with monetary fines attached. Corporation A decides to sue the review firm for their litigation costs. Now two extra lawsuits have come out of what was supposed to be just one. A tangled legal web has been woven because of Corporation A’s lack of precaution at the outset of the lawsuit with Corporation B.
A data breach can have considerable fallout for firms and clients alike, so ensuring that proper measures are taken to secure sensitive data is a crucial first step in the discovery process. I’ve posted previously about technologies like Blackout that can automate and expedite the process of identifying and removing sensitive data to ensure that nothing falls through the cracks. By incorporating the right legal technologies, money is saved rather than wasted, and reputations remain sterling.
For further reading on this topic:
http://www.insidecounsel.com/2013/07/18/litigation-sanctions-for-spoliation-of-evidence
http://www.theediscoveryblog.com/2015/09/18/a-light-in-the-dark-protecting-pii-in-ediscovery/
http://searchsecurity.techtarget.com/news/4500247249/IRS-breach-shows-the-importance-of-PII-security
https://www.altep.com/blog/preventing-disclosure-of-pii
http://blog.kcura.com/relativity/blog/not-so-peachy-pii-a-cautionary-tale-of-sensitive-e-discovery-data
http://www.attorney-myers.com/2014/04/privacy-and-security-in-court/