Skip to Content (custom)

The Ins and Outs of Early Case Assessment for a Cyber Incident Review

  • Cyber Breach
  • 4 Mins

In the fast-moving industry of cyber incident response, success and efficiency come from preparation. Once a matter is promoted to review, the most common request for timing is “as soon as possible.” How is a client’s desire for expediency translated into a tangible timeline? The answer is through the process of Early Case Assessment (ECA).

ECA is a proactive strategy that ensures clients and review management share a clear understanding of the case plan. It places both the client and the review manager in the best position to manage and meet stakeholders’ expectations. What follows are the key components and takeaways of ECA as it applies to cyber incident response reviews.

Data Owner Information

Understanding the industry in which the data owner is engaged can increase the efficiency and accuracy of the review. It is helpful if the client provides general information about the data owner’s industry, any particulars that may influence the capture of sensitive information, and the client’s expectation of the type of sensitive information present in the data. For instance, data that contains a high amount of Personal Health Information (PHI) or is regulated by HIPAA will often require more time for review and data entry.

Data Type Evaluation

By the time a case is escalated to review, the client service and project management teams have provided the client with a general overview of the document types and the number of documents that contain Non-Public Personal Information (NPPI) hits (the review population). Scoping gives this information meaning within the context of review. Generally, matters with a high volume of Excel, PDF, and image documents require a longer review period. During the scoping process, the review manager assesses each document type, paying attention to the complexity, size or page length, and commonalities in the document sets. Additionally, the review manager applies the client-approved review protocol to determine the types of Personal Information (PI) in the document population and the amount of PI to be recorded from each document.

To increase the overall efficiency of review, the review manager utilizes scoping to organize the data. For example, documents may be batched by file name, subject, hash value, or document ID to ensure that reviewers encounter similar documents in each batch. Scoping also provides the review manager with the information to advise the client of the number of documents expected to be promoted to the Complex Document Review workflow (CDR).

Query Identification

During the scoping process, the review manager can identify potential questions or issues for client consideration prior to the start of review. Although query escalation is ongoing throughout each stage of review, early escalation provides advantages: it lowers the risk of re-review, improves review team training, and identifies additional tags or fields. The information from preliminary queries supplements the protocol during the initial substantive training. Timely escalation of queries and receipt of responses has the far-reaching effect of increasing the efficiency and accuracy of review.

CDR Promotion

ECA is vital to understand the scale, time requirement, and cost associated with the complex document phase of review. Excels, PDFs, and image documents are the most likely candidates to contain the sensitive personal information of more than 30 individuals. During the scoping process, the review manager can identify and sample similar documents that readily meet the CDR requirement. These documents are promoted directly to the CDR workflow. Then, the review manager can begin to create a cost estimate for CDR. The cost estimate considers the time associated with mass extraction based on the technical complexity of extracting data from the source documents. Cost and time savings may be available where documents with like headings and sensitive information can be extracted through an elevated technology-driven complex review process. With this information in hand, the client can prepare the stakeholder for any additional costs and provide a more detailed explanation of the review process earlier in the overall timeline.

Document Demotion

Early case assessment can also further identify documents that do not contain sensitive information as defined by the client-approved protocol. The review manager may identify tranches of documents by specific files names or file types that can be removed from review by the data analyst team. The review manager can conduct an “eyes-on” review of a sample set of data and exclude these documents from the first-level review.

Once the ECA phase is complete, all stakeholders understand the case needs, potential obstacles, and the case plan. Furthermore, the review manager and senior data analysts are more prepared to tailor workflows to achieve projected timelines. In turn, the client has a better understanding of the overall review process and can make informed decisions as the review progresses through each stage of the review.

While it might seem expedient to jump into review as soon as the review team receives a data set, ECA provides deep insight that inform review workflows, timelines, and cost.

Courrine M. Knight, Esq. By Courrine M. Knight, Esq. is a review manager on Epiq’s Cyber Incident Response Team. Courrine is an experienced Civil Litigator with a background in human rights, international business and trade.

The contents of this article are intended to convey general information only and not to provide legal advice or opinions.

Subscribe to Future Blog Posts