Dealing with High Risk Data

When people think of high risk data, most think of Personal Health Information and Personally Identifiable Information as it relates to HIPAA and the health care industry, but Steve Shebest's very informative article "High Risk Data: Have a Plan!" explains how high risk data can also be found in the financial, commercial, transportation, industrial, and other highly regulated sectors.

The cost of a breach, which is more likely to occur during the discovery process, can be high and can take the form of not only monetary costs, but also indirect costs such as reputational loss and diminished goodwill among customers and the public.  In order to mitigate the risk of data breach, it is critical to understand the three weak points of the discovery process (at collection, at data transfer, and once in the hands of third parties such as vendors and partners) and proactively implement a plan, both internally and with business partners, to minimize the risks.

Some of the strategies suggested are performing targeted collections to either eliminate the need to collect high risk data or at least reduce and identify it (in order to subject it to a different workflow), making sure data is encrypted during transfer, and having in-depth discussions with partners and vendors that address any potential weak points in the way they process, host, review, and produce the data.  All of these strategies should be used proactively, at the outset of an engagement, rather than waiting for a breach to occur.

The ultimate lesson is that in the midst of sometimes frantic eDiscovery, counsel cannot lose sight of the importance of data transfer security, having a strong contract with a vendor outlining security duties, and an awareness of what is actually being harvested from the client.