Exterro's Legal GRC Breakdown



Why Law Firms and LSPs Should Offer Data Breach Document Review Services

Created on August 21, 2023

Legal GRC Market Analyst at Exterro

Clients need their attorneys most when they are in a moment of crisis. For law firms and legal service providers (LSPs) working with corporate clients, there are few crises that compare to the fallout from a data breach. With direct financial, regulatory, and reputational costs looming over them, clients need to count on their law firm partners to give solid advice, mitigate the risks they are facing, and comply with the legal requirements of reporting on the breach to authorities and data subjects alike.

One critical way that law firms and LSPs can support their clients and deepen their relationships with them is by managing document review projects related to data breaches.

For most businesses, falling victim to a data breach is a question of when, not if. Forty-five percent of US companies have experienced a data breach. In 2022, there were over 1,800 data breaches in the US alone—almost five per day. In the US, the average data breach costs companies almost $9.5 million. One small sliver of good news is that the average cost of breaches of over 10 million records fell in 2023, but it was still well over $160 million.

As is true of civil litigation, document review is one of the major costs associated with data breaches. Organizations must quickly identify compromised data, then go through it to search for personally identifiable information (PII) and personal health information (PHI) and notify both authorities and data subjects in short order—typically within 45 to 60 days of the discovery of the breach. Law firms and LSPs have an opportunity to provide valuable services to their clients by managing data breach document review projects expertly and efficiently.

Organizations responding to data breaches should almost invariably consult with legal counsel—preferably counsel with privacy and data security experience—to help them negotiate the myriad responsibilities they have. Professional legal counsel can and should help their clients determine their legal obligations and notify affected parties, including employees, business partners, and customers.

For that notification to be worthwhile, though, the organization must communicate the details of what happened to affected parties—not just how the breach occurred, but what data was taken, how the information has been used, what steps are being taken to remedy the breach, and whose data has been compromised. When data breaches have the potential to involve millions of records, sifting through that information to understand what was taken is a major undertaking in itself. Within the 45-to-60-day window required by most regulations, the organization must:

  • Identify PII and PHI
  • Identify data subjects
  • Link compromised data to subjects
  • Notify authorities and data subjects

To support clients through this process, law firms and LSPs should take three critical steps:

  • Building a Team
  • Developing Processes
  • Investing in Purpose-Built Technology

For tips on these three action items, download the Exterro whitepaper, 3 Keys to Building a Data Breach Document Review Business.

Sources: 25 ALARMING DATA BREACH STATISTICS [2023], The Cost of a Data Breach Report 2023