Solving the PII Problem: Securing Rogue Data in Discovery

Tuesday, November 17, 2015 by Thought Leadership Team


In a recent article, my Kroll Ontrack colleagues Jim Loveall and John Pilznienski discussed the challenges of finding and removing personally identifiable information (PII) during discovery. While most organizations recognize the need to protect their data, they do little to protect or segregate their employees’ PII within their own network environments. Coupled with the constant blurring of personal and workplace data and the growing public policy concerns with privacy protection, the safety and security of PII within company firewalls must become a priority for corporations if they wish to avoid inadvertent disclosures or compromise employee PII during the discovery process. These issues and more are discussed in the article published on the Westlaw Journal: Computer & Internet.

How does PII Sneak into Document Collections?

While many times the collection of PII is purposeful, such as the collection of data from HR records in employment cases, PII is also often unintentionally included through overly broad collections. Employees may send emails to payroll records containing their Social Security numbers, or perhaps to their spouse using their work email to send copies of personal tax records, or even send scanned and emailed health records to submit to an insurance provider. These examples show how easy it can be to leak PII, and the need to comb collections not only for relevance and privilege, but also for PII and personal health information (PHI).

What are Some Steps to Find and Remove PII During Discovery?

Accounting for PII during discovery can be difficult, both because of the ubiquitous nature of PII and the potpourri of applicable data privacy laws. Astute legal teams will deploy both a tested process and innovative technologies in locating PII. Two stages, preservation and review, are critical in these efforts.

Preservation begins with compliance officers employing clear policies regarding employee use of the organization’s systems and devices, and once litigation ensues, litigation teams should be on the lookout for sources of PII from the beginning. Working with a technical consultant to create a data map is one method to know where the organization’s data is stored. With that understanding, a targeted collection strategy can be implemented to exclude documents from the collection population.

Once reasonable means are employed to collect the data in a targeted manner, the next step is to process the data, remove system files and narrow the potential review population. After the likely relevant population is identified, additional searches for PII and PHI, including the use of automated tools such as TAR, can inform the review process and help to ensure the identification and exclusion of personal information from the production set.

The ediscovery process presents a real risk of unintentionally compromising PII and PHI, with personal devices everywhere and data trails being generated in all aspects of our modern life. But if lawyers monitor the shifting state of data privacy regulations and use some best practices, including targeted collection processes and leveraging technologies in the review stage, they can be confident that they have taken reasonable measures to locate and remove PII and PHI during discovery.