
5 Ways to Protect Sensitive Information From Unauthorized Disclosure

Written by Jeffrey Wolff, Certified E-Discovery Specialist 

Introduction

Sensitive information is everywhere, from clients’ names and addresses to the trade secrets a business relies on to beat its competition. As such, organizations can’t avoid collecting, processing, storing, and transferring it. But when sensitive information is not properly protected, the consequences can be severe. Unauthorized disclosures of sensitive data can result in financial penalties, lawsuits, reputational harm, loss of business, and more.

Protecting sensitive information during eDiscovery can be especially difficult. This was demonstrated recently in the Sandy Hook court case. While the defendant was on the stand, opposing counsel revealed that the defendant’s legal team had accidentally sent over an entire digital copy of their client’s cell phone, which contained both previously undisclosed information relevant to the lawsuit and privileged information. The lawyers at fault not only hurt their client (and perhaps their own reputations) but also might be disciplined for their mistake and failure to timely rectify it.

How can you avoid similar blunders? That’s what this post is about. We’ll start by covering some basic facts about sensitive information and the rules that require it to be protected. We’ll then discuss how to determine which information is sensitive and what to do when it is breached. Finally, we’ll offer five ways you can better protect your organization’s sensitive information.

Contents

The basics of sensitive information
What is sensitive information?
What are some types of sensitive information?
What are the laws requiring sensitive data to be protected?
How to determine which information is sensitive?
What to do when sensitive information is breached?
5 ways to protect sensitive information from unauthorized disclosure
How does legal technology make it easier to protect sensitive information?

The basics of sensitive information

Sensitive information varies widely. It can be personal, like an employee’s Social Security number, or organizational, like the proprietary process for building a machine or device. It can be found in a variety of physical, digital, and other formats, from database entries to text messages. With that variability in mind, let’s review some background about sensitive information.

What is sensitive information?

Sensitive information – also known as confidential information – is data that must be protected because unauthorized access to it could harm or negatively impact an organization or individual. The level of protection required may depend on the type of sensitive information at issue.  

What are some types of sensitive information?

Sensitive information includes:

  • personally identifiable information (PII), which is information that can be used to discern an individual’s identity, such as their Social Security number, date of birth, or street address;
  • privileged information, which may include information protected by the attorney-client privilege or another protection; and
  • proprietary information, which is information that a company must keep secret to protect its business interests, such as trade secrets, customer lists, or marketing plans.

What are the laws requiring sensitive data to be protected?

The protection of sensitive information is governed by a patchwork of laws and regulations at the global level and at both the federal and state levels in the US.

From a global perspective, the General Data Protection Regulation (GDPR) establishes strict privacy and security requirements for personal data as well as harsh penalties for violations of those requirements. While the GDPR was passed by the European Union (EU), it applies to any organization that targets or collects the personal data of EU residents, regardless of the organization’s location.

In the US, several federal laws and regulations govern sensitive information, including:

Further, many state laws in the US require the protection of sensitive information. In 2020, the California Consumer Privacy Act (CCPA) took effect, creating robust privacy and consumer protections for California residents. The CCPA applies to companies that do business in the state if certain conditions are met. Numerous other states have similar legislation pending.

But what information are organizations obligated to protect? Let’s take a closer look.

How to determine which information is sensitive?

To determine whether information is sensitive, an organization must be aware of the myriad of laws and regulations – both general and industry-specific – that apply within the jurisdictions where it operates. Each organization should have comprehensive written policies and procedures regarding how to identify, classify, and handle sensitive information.

When a type of information is regulated by law, such as protected health information (PHI) under HIPAA, the law itself defines what that information includes. When in doubt, it is better to err on the side of caution by over-protecting information. Legal counsel can assist in delineating which information must be protected.

Various technologies can assist in identifying and classifying sensitive information. Tools designed for eDiscovery and internal investigations allow users to quickly flag and tag sensitive data.

What to do when sensitive information is breached?

Data breaches are more common than you might think. Whether the cause of the breach is internal, such as an inadvertent disclosure or purposeful leak, or external, such as a ransomware attack, the ramifications can be severe. For example, under the CCPA, businesses may have to pay up to $750 per consumer and per incident in the event of a data breach.

If an organization learns that sensitive information has been exposed, it is imperative that it take smart and swift action to minimize any resulting harm. While each organization will need to tailor its response based on its specific circumstances, there are some general guidelines that are instructive. For one example, check out the Federal Trade Commission’s Data Breach Response guide for businesses.

After a data breach, organizations should be sure to:

  • Identify the cause, source, and scope of the breach. Was this an internal failure or an external attack? The key at this stage will be thoroughly investigating the breach to prevent additional losses.
  • Develop a communications plan and notify the appropriate parties, such as the affected individuals and any applicable law enforcement or regulatory authorities. It is imperative to comply with all applicable breach notification laws and to be upfront and clear about the details of the breach.
  • Analyze any vulnerabilities involved in the breach. Secure any weak points that you find and work with forensics and data security experts to implement measures to address those vulnerabilities. The last thing you want is to be hit with another breach due to the same weakness.

Addressing a breach after the fact is never the best option, though. Let’s look at how you can prevent breaches in the first place by adequately protecting the sensitive data your business handles.

5 ways to protect sensitive information from unauthorized disclosure

These five approaches can help your organization keep its sensitive information secure and private.

1.  Be proactive and stay vigilant.

Organizations must have robust policies and systems in place regarding the protection of sensitive data. This isn’t a one-and-done exercise; these strategies must be continually reviewed and updated to keep up with new threats and technologies. The importance and complexity of data protection will require input from not only internal IT professionals but also the organization’s leadership team and outside experts.

2.  Use technology to identify sensitive information.

Before an organization can protect its sensitive information, it must have a firm understanding of how much of it is in its possession and where it is located. eDiscovery and fact-finding tools enable users to quickly and thoroughly identify the sensitive information they collect and maintain. Using AI-powered tools allows for much deeper analytics of the dataset. As review takes place, the software also collects information about the evidence, helps uncover social links, and identifies common topics in responsive documents.

3.  Do not store or transfer sensitive data without encryption.

Whether in transit or at rest, sensitive information must be protected by comprehensive data encryption. Encryption can be employed at four different levels in the technology stack – full-disk/media, files/folders, applications, and databases. When encryption is employed lower in the stack, deployment becomes easier and it is less likely to interfere with operations in the layers above. Encryption might also mean migrating sensitive data to offsite servers.

4.  Make it harder to access sensitive data.

Organizations should require multi-factor authentication for access to their infrastructure, especially now that remote work and remote connections have become the norm. Other important strategies to protect sensitive data include requiring frequent password changes and implementing physical barriers and other lock systems for physical data stored on site.

5.  Sanitize sensitive documents with automatic redaction technology.

When otherwise disclosable documents include sensitive information, use automatic redaction technology to locate and thoroughly shield it. Automatic redaction tools are much faster and more thorough than manual redactions and avoid the risks of inadvertent disclosure that can occur with manually striking out or covering up information. The result is a lower risk of unauthorized disclosure and more time and resources that the organization can devote to other imperative objectives.
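Points 2 and 5 above both rest on the same mechanism: scan text for sensitive values, record where they are, and then replace them rather than cover them. The block below is an added example written for this page, not ZyLAB's or the author's code, that does exactly that for three value types. The SSN, email and card-number patterns, the Luhn secondary check, the placeholder labels and the sample document are all assumptions chosen for the example; a production classifier needs a far broader, context-aware rule set (names and street addresses, for instance, are not caught by a pattern alone).

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding records one hit: what kind of sensitive value and where it sits.
type Finding struct {
	Kind       string
	Start, End int // byte offsets into the scanned text
}

type detector struct {
	kind string
	re   *regexp.Regexp
	ok   func(string) bool // optional second check to cut false positives
}

// These patterns are assumptions chosen for the example; a production
// classifier uses a much broader, context-aware rule set.
var detectors = []detector{
	{"SSN", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), nil},
	{"EMAIL", regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`), nil},
	// 13-19 digits, optionally separated by spaces or hyphens, confirmed by Luhn
	{"CARD", regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`), luhnValid},
}

// luhnValid runs the Luhn checksum over the digits in s, ignoring separators,
// so that invoice or case numbers that merely look like card numbers are skipped.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		c := s[i]
		if c < '0' || c > '9' {
			continue
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Scan returns every finding in text, ordered by position.
func Scan(text string) []Finding {
	var out []Finding
	for _, d := range detectors {
		for _, loc := range d.re.FindAllStringIndex(text, -1) {
			if d.ok != nil && !d.ok(text[loc[0]:loc[1]]) {
				continue
			}
			out = append(out, Finding{d.kind, loc[0], loc[1]})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Start != out[j].Start {
			return out[i].Start < out[j].Start
		}
		return out[i].End > out[j].End // longer match first on a tie
	})
	return out
}

// Redact replaces each finding with a labelled placeholder. The original
// bytes are dropped from the output entirely rather than masked in place.
func Redact(text string) (string, []Finding) {
	var sb strings.Builder
	var kept []Finding
	last := 0
	for _, f := range Scan(text) {
		if f.Start < last { // overlaps a span already redacted
			continue
		}
		sb.WriteString(text[last:f.Start])
		sb.WriteString("[" + f.Kind + " REDACTED]")
		last = f.End
		kept = append(kept, f)
	}
	sb.WriteString(text[last:])
	return sb.String(), kept
}

// sampleDoc is a constructed document; the invoice number fails Luhn and
// must survive redaction.
const sampleDoc = "Client: Jane Doe, SSN 123-45-6789, email jane.doe@example.com.\n" +
	"Card on file 4111 1111 1111 1111; invoice 1234 5678 9012 3456."

func main() {
	out, findings := Redact(sampleDoc)
	for _, f := range findings {
		fmt.Printf("%-5s at %3d-%3d: %q\n", f.Kind, f.Start, f.End, sampleDoc[f.Start:f.End])
	}
	fmt.Println(out)
}
```

Two details carry the security point. First, the Luhn check is what keeps the card detector from flagging every long number in a legal file, which is the difference between a tool reviewers trust and one they switch off. Second, Redact removes the matched bytes from the text layer and emits a new document; a redaction that only draws a box over the rendered page leaves the text extractable underneath, which is the classic way a "redacted" production still discloses the data. Any automatic redaction tool should be checked on that second point before it is relied on.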

How does legal technology make it easier to protect sensitive information?

In our increasingly digital, remote, and cloud-based world, companies are handling unprecedented amounts of sensitive information. At the same time, hackers are continually searching for vulnerabilities that they can exploit, and the rules regulating the protection of sensitive information are expanding. All of these factors make it more difficult than ever for organizations to remain compliant. And the consequences of an unauthorized disclosure are too severe to be taken lightly.

Legal technology like ZyLAB ONE can alleviate many of the challenges that organizations face when it comes to locating and protecting sensitive information. These tools can help identify, categorize, and sanitize sensitive data. And legal tech can accomplish these objectives far faster than any person could manually. Better results in less time? It’s a win-win.