Cyber Incident Response

Handling a cyber incident can be stressful for clients and counsel due to the initial breach and the pressure to quickly review the compromised data. Having seasoned cyber incident professionals available to handle the project can help to alleviate some of this stress.

Before an incident occurs, it is crucial to have the right team in place that can work collaboratively between counsel, client, and the service provider. This team approach is integral to achieving the best results in the most cost-efficient and timely manner.

To understand the specific processing considerations for cyber incident matters after a data breach, it is best to think of the requested deliverable and how that will be created. The deliverable will be a de-duplicated list of all individuals who might have been affected, their addresses, and any exposed personal information (PI) that will need to be identified on the deliverable and/or in the notification letters.

The primary considerations for handling cyber incident matters are markedly different from those in regular eDiscovery projects and drive the processing and workflow approach for cyber review matters. The following are the steps involved in handling a cyber incident matter:

De-duplication and De-NISTing

The best way to contain costs is to reduce the review set to the smallest population possible. Global de-duplication removes exact duplicates from the review set. Common computer-generated filetypes that do not contain any PI can be removed (or de-NISTed) to decrease the initial population. De-NISTing uses a list published by the National Institute of Standards and Technology (NIST) as a starting point for filetype exclusions. However, it is crucial to analyze all remaining filetypes with counsel to identify additional filetypes specific to the data set that can also be removed.

Data Mining

Initial culling can further reduce the population. Analysis of email domains with counsel may uncover emails from specific senders that will not contain any PI. Sampling at this phase may also uncover additional blocks of removable data, such as auto-generated responses from IT departments and no-reply messages. A discussion with counsel regarding what can be removed is important as it will vary by matter.

Applying Search Terms

Search terms are crafted to capture types of items most likely to contain PI. The best way to accomplish this is to use “regular expression” searches in combination with keyword searches. A reviewer must find both a name and related PI in the same document to include it in the notification list. Search term hit reports contain only individual records, not entire email families.
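The two mechanical steps described above (global de-duplication of exact copies, then regular-expression searches combined with keyword searches, with a record reported only when a name and related PI co-occur in the same document) as an added illustration; this is example code, not the provider's tooling, and the documents, name list and PI patterns are constructed placeholders:

```python
import hashlib
import re

# Constructed sample corpus (doc_id, text); not real data and not from the page.
DOCS = [
    ("doc1", "Hi Jane Doe, your SSN 123-45-6789 has been updated."),
    ("doc2", "Hi Jane Doe, your SSN 123-45-6789 has been updated."),  # exact duplicate of doc1
    ("doc3", "Reminder: the office closes at 5pm on Friday."),
    ("doc4", "Card 4111-1111-1111-1111 was charged $40."),  # PI pattern, but no name
    ("doc5", "Employee record: John Smith, DOB 04/12/1980."),
]

# Regular-expression search terms for PI types (hypothetical patterns for illustration).
PI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[- ]){3}\d{4}\b"),
    "dob": re.compile(r"\b\d{2}/\d{2}/(?:19|20)\d{2}\b"),
}

# Keyword search terms: the list of names supplied by counsel (constructed here).
NAME_TERMS = ["Jane Doe", "John Smith"]


def global_dedupe(docs):
    """Drop exact duplicates by SHA-256 of the text, keeping the first copy seen."""
    seen, unique = set(), []
    for doc_id, text in docs:
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if digest not in seen:
            seen.add(digest)
            unique.append((doc_id, text))
    return unique

def search_hits(text, name_terms=NAME_TERMS):
    """Return the keyword (name) hits and the PI types found in one document."""
    names = [n for n in name_terms if n.lower() in text.lower()]
    pi_types = [label for label, rx in PI_PATTERNS.items() if rx.search(text)]
    return names, pi_types

def hit_report(docs, name_terms=NAME_TERMS):
    """Per-document hit report; a record is listed only when a name and PI co-occur."""
    report = []
    for doc_id, text in global_dedupe(docs):
        names, pi_types = search_hits(text, name_terms)
        if names and pi_types:
            report.append({"doc_id": doc_id, "names": names, "pi_types": pi_types})
    return report
```

On the constructed corpus the report lists doc1 and doc5 only: doc2 falls out as a duplicate, doc3 has no hits, and doc4 has a PI pattern but no name, so it does not meet the co-occurrence rule.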

Application of Analytics Functionality

Once the search terms are finalized, secondary culling procedures can further reduce the population. Only the most inclusive email in a thread needs to be reviewed to capture any potential PI. Attachments can be de-duplicated according to their processing hash values.

Final Reviewable Set

The final reviewable set is the product of data mining and culling by cyber incident professionals, close consultation with counsel and clients to identify the unique characteristics of each data set, and cyber incident search terms, applied as an iterative, collaborative process. For this streamlined data set, the review manager and review management team conduct a manual review. The review can be structured in multiple ways depending on the nuances and goals of the incident response. We offer a multi-step process of reviewing and tagging the PI, using a combination of linear review and analytics technology. From there, we conduct a secondary QC and fact development review, in which the review team builds a dossier of the affected individuals for notification.

We make sure you have a response plan in place to prepare for cyber incidents: one that emphasizes close collaboration between counsel, client, and cyber project professionals, and that leverages programmatic tools and workflows. This approach helps to ensure the most cost-efficient and timely response to a cyber incident.