Situation

Although the initial analysis appeared to indicate that the breach was limited to several employee inboxes and a small number of file servers, once FTI Technology began examining the dataset, the team discovered that the breach extended to millions of datapoints containing personal or sensitive information, including national and passport identification numbers, usernames, passwords and other sensitive personal data, across dozens of data sources including email, file servers and business applications.

The breach response quickly became a high-pressure, high-stakes incident. This led to ongoing discussions between the client and outside counsel about risk tolerance, cost and specific notification requirements relating to the breach. FTI Technology’s deep expertise in privacy regulation and understanding of digital risk were integral to informing these critical decisions and helping the client understand the facts underlying its risk conversations.

The forensic investigation of the incident was taking place at the same time the data analysis began. The team started with an initial subset of data that grew as the forensic investigation progressed. The team implemented a phased approach to the analysis, which helped maintain progress despite changes and delays in the dataset resulting from the evolving investigation.

Our Role

In the initial week, FTI Technology conducted a robust preliminary analysis that provided the client with a broad view of the extent of the breach and the level of risk associated with it. This combined complex techniques, including artificial intelligence and predictive coding, with bespoke solutions to address challenges with emerging data sources and unstructured data. Because the exercise focused on individuals rather than documents, traditional e-discovery workflows were not applicable.

The team’s extensive experience in data breach response was critical in developing novel workflows and prioritising different categories of data in a highly complex dataset. The analytics models were designed to efficiently identify high-priority data categories such as children’s personal information, health-related information and personal identification numbers first and foremost.

In addition to initial scoping and analysis and application of advanced analytics, FTI Technology delivered the following solutions:

  • Implemented an analytic review to reduce the scope of data sources containing affected personal data by 90%.
  • Conducted an extensive data cleansing exercise to reconcile poor data quality, duplicative information and intermingling of employee data and customer data.
  • Provided analytics to confirm the affected dataset for extraction. Mapped each affected individual and each data entity to clearly determine and document who was impacted and which breached items related to each person, to enable complete and accurate breach notification.
  • Implemented machine-based extraction workflows to automate where possible. When automation was not possible, the team leveraged FTI Technology’s document review experts to extract specific information as needed.
  • Supported legal counsel in reporting and engaging with numerous regulatory bodies investigating the breach. Ensured all workflows were documented and traceable to fulfil requirements and ensure that the notification was as complete as possible for high-risk and highly sensitive personal information.