
This article is the first in a two-part series on data subject access requests (DSARs). Part 1 covers what a DSAR response has in common with litigation, investigation and data breach response workflows; Part 2 will cover responding to DSARs.

Operationally, litigation and investigation, data breach response, and the response to data subject access requests (DSARs) follow similar paths. This includes data identification, collection, processing and the need for an "eyes-on" review of data—specifically, the ability to locate, isolate and manage personally identifiable information (PII).

Consequently, alternative legal services providers (ALSPs) with advanced managed review capabilities, such as QuisLex and UnitedLex, are applying expertise honed on complex, high-stakes litigations and investigations to the evolving challenges of data breach response and DSARs.


Common Workflow

While there are differences in intent, scope, law, regulatory requirements and other factors, the workflow and expertise required to respond to an adversary, a regulatory authority, a cyber incident or a data subject are very much alike.

The Triggering Event: In each instance there is a triggering event. Respectively, these are notice or reasonable anticipation of litigation or investigation; unauthorized access to PII and other sensitive data; or a request from a data subject under the GDPR or the nascent CCPA.

Many organizations now have defined policies and procedures for managing litigations and investigations using frameworks like the Electronic Discovery Reference Model. The cybersecurity incident response team (CSIRT) may have response plans modeled on the incident-management requirements and Annex A controls of ISO/IEC 27001:2013, or on NIST SP 800-61. However, no comparable standard exists for a DSAR response. Here ALSPs are once again on the front lines developing much needed response protocols.

E-discovery Redux: The current lack of codified procedure needed to effectively respond to DSARs is reminiscent of the early days in e-discovery when ad hoc approaches wreaked havoc on budgets and outcomes. The consequent push for process discipline and quality controls, led by ALSPs, helped solve these challenges.

Organizations would do well to avoid the cycle of fines, punitive actions, outsize cost and reputational damage that prompted action in e-discovery and get ahead of the challenges associated with responding to DSARs by adopting a programmatic approach.

Assessment: Following the triggering event, an assessment takes place to understand the full extent of exposure. Just as counsel must ascertain the relevant issues, custodians, timelines and data for a litigation or investigation, the CSIRT must identify scope: namely, all of the sensitive data exposed by the breach. Identifying all data relevant to a DSAR is equally complex.

While the scope of a DSAR is bounded by the individuals making the request, organizations are discovering that they cannot easily identify where all the subjects' data are located: It can be like pulling on the proverbial thread of a sweater.

Data Identification: In each instance, the full extent of the PII and other sensitive company data involved must be identified. This takes more than legal and forensic expertise; it requires thoughtful planning and operational know-how to avoid excessive cost and the risk of noncompliance.

Identification of data is a complex workflow. The larger and more complex the organization, the more difficult this can become.

Sources of Complexity: PII lives in multiple systems and in many formats. It resides in marketing, human resources, finance and accounting, legal, sales and other systems, which may be legacy, proprietary, cloud-based or hosted on internal servers. The same data may exist in multiple copies, or in a single copy, across divisions, subsidiaries, jurisdictions and third parties.

Structured data such as financial records is not easily read outside the applications that generate it. These data types must be collected and processed in a way that makes them reviewable.

Data Collection, Processing, and Review: Once the data is identified, it must be gathered and processed so that the disparate types are presented in a format that supports analysis. It bears repeating that despite advancements in technology like predictive coding, there are limitations: "eyes on data" is still required to effect a proper review and analysis.

Like e-discovery, these are iterative processes: The review may trigger further assessment and the need for additional data collections.

Production: There is no formal "production" in a data breach response as required in litigations or investigations. However, there are reporting requirements stemming from both regulatory and contractual obligations. A discussion of this can be found in "Data Privacy Reviews: The Cornerstone of a Data Breach Response." As noted by Goodman, "timing is always of the essence."

While production requirements for DSARs are not as robust as those in litigations or investigations, DSARs do require the production of the data to the data subject in an easily readable format (under the GDPR, in a concise, transparent, intelligible and easily accessible form, and, where the right to data portability applies, in a structured, commonly used and machine-readable format).

Data Breach-Cum-DSAR: A data breach will likely result in a notice of the breach going out to the affected consumers. Not only may a data breach create a "reasonable anticipation" of litigation, but if the notified consumers fall within the scope of the GDPR or CCPA, the organization should now reasonably anticipate receiving DSARs. Data breach response protocols should therefore not only trigger discovery and the necessary curative actions, but also include DSAR preparation.


Conclusion

The operational work undertaken in the event of a data breach or a DSAR has much in common with traditional e-discovery. Ad hoc responses will not do.

The challenges in responding to DSARs should not be underestimated. Compounding these challenges is that DSARs are not just access requests. They often contain deletion, "removal from communications," and "do not share" requests as well, each of which corresponds to a distinct right with its own obligations. Complying with these requests is fraught with tripwires, and as Goodman reminds us, "timing is always of the essence."

No organization is better situated to manage this work effectively, or more experienced in the dynamics of discovery operations, than the ALSP with highly functioning managed document review capabilities composed of permanently staffed experts and reviewers.

As with responses to litigations and investigations, regulatory bodies and the courts expect a high level of competency. Just as with e-discovery, failure to meet those expectations because of high volumes or complexity will not find a sympathetic ear. There is no choice but to do it well.

Fortunately, this wheel has already been invented.

Adam Beschloss is principal at Content Logic. He has more than 20 years' experience in transformational technology- and process-driven services in the legal industry. He has held leadership positions at a Big Four, a renowned global technology company and a leading alternative legal service provider. Beschloss earned his B.A. at Columbia University.