HSF lawyers develop in-house cyber platform to assist clients with security breaches
The firm has developed software that identifies data and clients affected in a breach
September 19, 2018 at 07:22 AM
Herbert Smith Freehills' (HSF) in-house cybersecurity team has built and developed a new tech platform to help clients respond quickly in the aftermath of a data breach.
The new offering has already been trialled on a number of personal data breaches, demonstrating significant cost savings.
Under new General Data Protection Regulation (GDPR) rules, once an organisation has established that a personal data breach has occurred, it must report the scale of the leak to the Information Commissioner's Office (ICO) within 72 hours, while it may also be required to inform affected individuals.
These requirements are particularly challenging when organisations face sifting through massive volumes of unstructured data.
HSF global cybersecurity head Andrew Moir, who took a lead role on the project, explained: "A client could be in a situation where they have thousands of emails which have been breached, and you don't immediately know what's in them and who they relate to. Historically, you'd do a manual review with teams of lawyers itemising the personal data within the documents. It can be very time consuming, and we thought there must be a better way to do it. This is a way into the data, and gives you the visibility upfront you wouldn't have otherwise."
The platform is trained to pick out personal data from the breached information sources – for example documents, emails or spreadsheets – and can then link that personal data back to the person affected. The tool can also create automatic distribution lists so that the client can notify the individuals directly.
The software can also provide demographics of the breach, which will help the organisation assess what international regulatory regimes will apply.
According to Moir: "In some cases where we've used this tool, we've actually avoided doing a significant review of the underlying materials at all. When there's no review or a very targeted review, the cost can be of the order of 10%-20%. It depends how much data there is – the economies of scale are greater for larger breaches. In a matter we did recently – a medium-size breach with over a hundred gigabytes of data – the costs associated were about 20%."
Because the software can also identify documents that contain the most significant personal data, any manual review which is considered necessary – for example on a high-profile breach attracting more attention from regulators – will be of fewer documents and take far less time. Moir says the cost can still be less than half of a manual review.
In creating the platform, Moir said, the cybersecurity team cut development time and avoided the complex processes that come with outsourcing development and testing, because lawyers in the team have coding skills. The project used a combination of the programming languages C# and SQL.
He added: "It took us a little while to turn the idea into a reality, but we also needed to develop the process around it. It needs to be defensible, and for any given breach the regulator will need to be satisfied that it's an appropriate way to proceed. We've used it in matters already and as long as you're in a position to justify your approach when the time comes, you should be fine with the ICO."
Moir has previously written software to help settle ownership disputes for financial algorithms, and has also developed a number of home-automation apps that are on sale in the Google Play store: "I've been coding since I was knee-high – I was part of the generation that grew up with a computer. The difference with me is that I've maintained it. When I decided to be a lawyer, I didn't stop doing it."