by Hunter McMahon - Altep on February 11, 2016
Peachy HR is headquartered in Atlanta, Georgia and provides outsourced human resources services to small- and medium-sized businesses. Due to rapid growth, Peachy HR hires several new employees on a contract basis to assist with system upgrades, management, and client services.
John Hyre is one of those employees. He is let go.
Upon his termination, Peachy HR performs a Departed Employee Protocol and discovers Hyre had not only been sending sensitive client information to his personal email account to assist clients after hours, but had also been engaged in the unauthorized use of a cloud-syncing application and external media sources.
A Slice of Peachy HR’s PII
While Peachy HR’s counsel is able to leverage declarations from data forensic experts to obtain necessary court orders preventing further damage and use of inappropriately disseminated client data, Peachy HR is now in litigation to recover damages resulting from the employee’s wrongdoing and must produce these records in discovery and in support of motions. Given the anxious circumstances that the initial disclosure of this information has created, Peachy HR wants to ensure that no further compromise of its sensitive information occurs.
What is the best way for Peachy HR to protect personally identifiable information (PII) and meet their discovery obligations?
Although law firms regularly handle very sensitive information, including PII, Peachy HR’s counsel has valid concerns about data management and the need to avoid inadvertently producing such information. The specifics of litigation are often unique; however, there are three basic stages and suggested approaches that will help reduce the risk associated with producing PII:
1. Understand and Identify PII
In our fictitious example, counsel is aware of certain key documents that contain PII. However, counsel is concerned that PII may be present in additional documents located throughout the former employee’s email and hard drive.
According to Georgia Code O.C.G.A. § 10-1-911(6): “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number;
(B) Driver's license number or state identification card number;
(C) Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
(D) Account passwords or personal identification numbers or other access codes; or
(E) Any of the items contained in subparagraphs (A) through (D) of this paragraph when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
The term “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Given that definition, Peachy HR will have a very specific set of criteria to use when identifying data that is potentially of concern.
While review for relevancy is part of the normal discovery workflow, reviewing for PII is not. However, particularly when PII is known to be present, technology is available that supports the systematic identification of potential instances of PII. For example, pattern matching can be used to identify social security numbers (e.g., ###-##-####) and driver’s license numbers (most states have a uniform format of letters and/or numbers).
With the use of appropriate technology, documents containing PII can be flagged for further review and special handling prior to production. Pattern matching may prove extremely helpful to Peachy HR in identifying instances in which the production of documents with PII may have been a violation of the statute.
2. Seek a Court Order for Protection
It is very common for the parties in litigation to draft, and courts to issue, an appropriate protective order on a matter that involves sensitive information. However, critical components are often overlooked: namely, the security standards and breach notification requirements that should be included in the protective order. In other words, what security obligations should apply to the receiving party, and what must they do if there is a breach?
For example, depending on the degree of sensitivity, the protective order may require that all data remain encrypted while at rest, or it may disallow further distribution of certain types of data beyond counsel (e.g., "attorneys' eyes only"). Additionally, the order may require that certain security standards are to be upheld and notifications given in the event of a data breach, regardless of statutory definitions.
3. Protect the Production
An appropriate protective order will provide guidance and accountability in the discovery process. However, even greater protection is often warranted. For instance, the parties should guard against the inappropriate disclosure of information once the information has been received by a party (or in Peachy HR’s case, a potential second breach).
Encryption can offer protection against unauthorized access to the produced files as long as the encryption key is not compromised. Peachy HR should keep in mind inherent limitations, however. The actions taken by the receiving party cannot be predicted or controlled—once the production is decrypted, the recipient might distribute an unprotected copy (often done out of convenience) or print copies of documents of interest. Obviously, the printed copy no longer has any protection.
Redaction can be the most effective way of preventing any further disclosure of PII, regardless of any receiving party’s unintentional failures. When properly performed, redactions prevent exposure of sensitive information, whether intentional or unintentional. For all intents and purposes, information that has been redacted simply does not exist.
Technology has taken the process of manual identification and redaction of PII from a monumental task, given a data set of any significant size, to a set of queries combined with targeted review. Particularly helpful to Peachy HR is the ability to automate the redaction of PII or sensitive information based on previously identified criteria, as discussed above with pattern matching. The redaction process, of course, does not have to be done on the whole data set. It can be applied just to the set of documents being prepared for production.
While producing documents in response to discovery requests is inevitable during litigation, producing exposed PII does not have to be part of the equation. Simple safeguards and the use of technology have made the process of identifying and redacting PII more reasonable than it has ever been; at the same time, proven workflows can ensure thoroughness and accuracy and provide peace of mind for companies like Peachy HR and their counsel.
Hunter McMahon is vice president of legal and consulting services at Altep, an Orange-level Relativity Premium Hosting Partner. Hunter’s background in both law and technology provides clients dual insight into complex investigative and discovery matters, often surrounding ESI. Hunter acts as a 30(b)(6) witness and as an e-discovery liaison for clients, advising on all stages of the EDRM in effort to increase defensibility, efficiency, and reasonability of the e-discovery process.