When a data breach happens, time is of the essence. Since breach notification laws vary from state to state, breach response teams are under intense pressure to analyze, cull and review data, identify affected individuals, and notify them promptly and accurately, all within the legal time limits. How can teams do this effectively and swiftly, without wasting time and resources?
The answer is specialized data breach response software such as iCONECT’s purpose-built tool for cyber data mining, review, extraction, and normalization. When it comes to discovering and responding to compromised data, a modern platform is essential for saving time, analyzing data, and notifying those affected.
Modern data breach response and cyber data mining platforms drive a faster, more-defensible breach response by leveraging automation and specialized features across the four key pillars:
- Speed of import
- Detecting Personally Identifiable Information (PII)
- Reviewing, extracting, and consolidating PII
- Creating a notification list
The following pillars are essential to the data incident response process and demonstrate how the iCONECT platform enables quick and effective notification list creation.
#1. Speed of Import: Turning Raw Breach Data into Actionable Intelligence
Perhaps one of the most time-consuming parts of the data breach response process is ingesting the affected data and preparing it for analysis. Ingestion speed is crucial to allow impacted organizations to quickly analyze data for potentially reportable PII.
Slow imports can cause chaos from the start. It is critical that breach response teams understand the scope and extent of impacted data quickly. Getting data in fast, cleaning it up, running intelligently targeted OCR, and then running entity detection is paramount. This allows quick and accurate estimates and moves up the point at which review and extraction can begin.
Ingestion is more than just loading files. As data is imported, the best data breach response platforms convert raw data into standardized, usable formats, making data ready for analysis and allowing for quick and accurate PII detection. Customizable deduplication lets your own workflows be built into the tool rather than forcing you into fixed approaches.
For example, iCONECT recently implemented ingestion performance improvements that allow teams to customize which data types receive which forms of analysis (e.g. OCR and PII detection routing). These improvements increased ingestion speed by up to 70%, drastically cutting down the time from the word ‘go’ to having actionable information to scope datasets, prepare estimates, and begin review.
#2. Detecting PII: Finding the Right Data Without Slowing Down
Not all breached data demands the same level of immediate attention. In a data breach scenario involving terabytes of information, focusing analysis and review efforts on documents likely to contain high-risk PII is critical for accelerating the response. The primary challenge lies in quickly and accurately identifying these high-value documents amidst massive volumes of less-important information.
While identifying every possible instance of PII might seem overly thorough, a high false-positive rate forces review teams to spend critical time validating harmless data, diverting resources from the affected records. This inefficiency slows down the entire breach response timeline, increases costs, and hinders compliance with strict notification deadlines.
Many critical PII records, such as physical forms, licenses, and contracts, exist as scanned images or PDFs within the breached dataset. Accurate Optical Character Recognition (OCR) is essential for making the text within these image-based documents searchable and consumable for PII detection tools. Without OCR, these documents can be overlooked by detection tools, posing a significant blind spot in the notification process.
However, running OCR on every file in a breach can be time-consuming. Instead, the best modern data breach response platforms employ smart targeting to analyze metadata and file type, identifying only those documents that genuinely require OCR (e.g., TIFF, JPEG, non-text-searchable PDFs). iCONECT, for example, uses parallel pathways, allowing PII detection to begin immediately on native electronic files (such as emails and spreadsheets) while OCR runs only on documents that need it.
After processing, routing, and OCR’ing, the next step is to understand the breach landscape. Understanding the dataset to identify PII concentration hotspots provides a clear guide for where to focus your efforts. Having multiple, concurrent, and customizable detection pathways allows users to tailor their detection approach to their dataset. iCONECT offers:
- Built-in iCONECT Entity Detection (over 200 PII types)
- Optional Azure Cognitive Services for PII, PHI, health and other data detection
- Search terms
- Regular expressions
This multi-pathway approach significantly improves the ability to detect important PII and doesn’t wed users to a single approach. The layered approach allows users to choose the right tools for their data set while minimizing false positives. Further, the concurrent, complementary approaches provide a highly defensible audit trail of the PII identification process, which is crucial when you must demonstrate the defensibility and transparency of your approach.
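The routing and layered detection described above, shown as an added example in Python. This is illustrative code written for this article, not iCONECT’s own implementation: the `Document` record, the file-type tables, and the `route`/`detect_pii`/`triage` functions are assumptions. It sends image-only files to an OCR queue while native files go straight to detection, and it combines three pathways (a regular expression with the SSA’s published SSN format rules, a card-number regex gated by a Luhn check, and plain search terms) so that each hit records which pathway produced it for the audit trail.

```python
import re
from dataclasses import dataclass


# Hypothetical document record; the field names are assumptions, not a real schema.
@dataclass
class Document:
    doc_id: str
    filename: str
    text: str = ""            # extracted text for native files; empty until OCR for images
    has_text_layer: bool = True


NATIVE_TYPES = {".eml", ".msg", ".xlsx", ".csv", ".docx", ".txt"}
IMAGE_TYPES = {".tif", ".tiff", ".jpg", ".jpeg", ".png"}


def route(doc):
    """Decide whether a document must be OCR'd before PII detection can run."""
    parts = doc.filename.lower().rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    if ext in IMAGE_TYPES:
        return "ocr"
    if ext == ".pdf" and not doc.has_text_layer:   # scanned PDF without a text layer
        return "ocr"
    return "detect"                                 # native file: detect immediately


# SSA format rules: area not 000/666/900-999, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d{16}\b")
SEARCH_TERMS = ("date of birth", "driver's license", "passport")


def luhn_ok(digits):
    """Luhn checksum; filters out random 16-digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect_pii(text):
    """Run all detection pathways; each hit is (type, value, pathway)."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", m.group(0), "regex+format-check"))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            hits.append(("CARD", m.group(0), "regex+luhn"))
    lower = text.lower()
    for term in SEARCH_TERMS:
        if term in lower:
            hits.append(("TERM", term, "search-term"))
    return hits


def triage(docs):
    """Route every document: OCR queue for images, immediate detection for native files."""
    result = {"ocr_queue": [], "hits": {}}
    for doc in docs:
        if route(doc) == "ocr":
            result["ocr_queue"].append(doc.doc_id)
        else:
            result["hits"][doc.doc_id] = detect_pii(doc.text)
    return result


# Constructed sample data for the demonstration (not real breach data).
SAMPLE_DOCS = [
    Document("D1", "hr_note.eml",
             "Employee SSN 123-45-6789; card 4111111111111111; date of birth on file."),
    Document("D2", "bad_values.txt",
             "Not an SSN: 000-12-3456. Not a card: 4111111111111112."),
    Document("D3", "scan_of_license.tiff"),
    Document("D4", "contract.pdf", has_text_layer=False),
]

if __name__ == "__main__":
    for doc_id, hits in triage(SAMPLE_DOCS)["hits"].items():
        print(doc_id, hits)
    print("awaiting OCR:", triage(SAMPLE_DOCS)["ocr_queue"])
```

Documents in the OCR queue are fed back through `detect_pii` once text is available; the pathway label on each hit is what lets a reviewer later show which method surfaced a given record.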
#3. Reviewing, Extracting, and Consolidating PII: Human-Centered, Defensible Review
While smart, targeted automation may accelerate PII detection, human reviewers may still be better positioned to do the actual extraction. Many automated tools still struggle to associate PII elements with the right person automatically, requiring significant human QC after the machines complete their work, which can quickly erase the savings other platforms appear to offer. Supporting, accelerating, and checking human reviewers is a critical feature of the best data mining platforms. iCONECT, for example, guides this process with a clear, transparent and auditable workflow with built-in customizable validation checks (e.g., SSN format checks) to reduce human error.
PII is managed securely in a two-tiered structure, separating source records from extracted person-level PII for efficient analysis and easier reference. The platform is flexible, allowing customization of PII fields based on jurisdiction and project needs, which can be saved as reusable templates.
iCONECT further solves the challenge of extracting PII from complex spreadsheets by providing a native, in-platform import tool, which lets ordinary reviewers handle complex data. This eliminates external spreadsheet handling workflows, improving security and allowing reviewers to save and reuse mappings across similar files for rapid, repeatable extraction.
The final step in data breach response is transparent subject grouping (deduplication) to create a notification list. iCONECT uses sophisticated, language-agnostic AI algorithms to ensure data subject matching and consolidation are done efficiently and accurately. This approach allows automated deduplication while providing transparency on the algorithm’s decisions on data subjects to users.
#4. Creating a Notification List: From Review to Regulatory Action
After entity extraction is complete, creating a notification list that is both accurate and defensible is the final step in the process. Quickly, accurately, and effectively manipulating and compiling extracted entity information into a final notification list can be a challenge, but iCONECT’s deduplication and normalization process makes what used to be a complex and time-consuming task much simpler, all while maintaining traceability and accuracy.
iCONECT’s notification list creation tool allows users to customize the normalization parameters, adjust grouping results in the platform, and even create multiple notification lists. Clear reasoning for the grouping and normalization is provided by the AI, allowing for easy and accurate presentation of results.
Other thoughtful deduplication, normalization and notification list creation efforts include:
- Customizable approaches using document metadata to determine the newest-in-time entity information to improve notification success.
- Maintaining a clear link back from deduplicated, normalized entity information to the underlying documents, ensuring that every decision can be quickly traced back to the original source documents. This level of transparency is essential for legal counsel and regulators reviewing how notification lists were created.
Another key consideration is the ability to support multi-jurisdictional compliance. In many cases, organizations must generate multiple notification lists from a single, fully reviewed dataset to satisfy differing state and regional requirements. Tools such as iCONECT are designed to accommodate these variations, enabling legal and compliance teams to respond accurately to overlapping and accelerated deadlines.
Finally, reporting plays a crucial role in translating technical analysis into usable information. Clear, client-ready reports that quantify the number of unique affected individuals and categorize the specific types of exposed PII allow legal teams to communicate findings confidently and consistently, both internally and to external stakeholders.
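The subject grouping, normalization, newest-in-time selection, source linkage and reporting described in this section, as an added Python example. It is illustrative code written for this article, not iCONECT’s algorithm: the `Extraction` record, the normalization rules and the grouping keys are assumptions. Each notification entry carries the list of source documents it was built from and a plain-language reason for the match, which is the traceability the text calls for.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


# Hypothetical person-level extraction record (assumed schema, not a real one).
@dataclass
class Extraction:
    doc_id: str
    doc_date: date
    name: str
    ssn: str = ""
    dob: str = ""
    address: str = ""


def norm_name(s):
    """Case-fold, drop punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", "", s).casefold().split())


def norm_ssn(s):
    """Keep digits only so 123-45-6789 and 123456789 compare equal."""
    return re.sub(r"\D", "", s)


def group_key(rec):
    """Return (key, reason): SSN is the strongest identifier, else name plus DOB."""
    if norm_ssn(rec.ssn):
        return ("ssn", norm_ssn(rec.ssn)), "matched on normalized SSN"
    return ("name+dob", norm_name(rec.name), rec.dob), "matched on normalized name and DOB"


def build_notification_list(records):
    """Deduplicate extractions into one entry per data subject, keeping provenance."""
    groups, reasons = defaultdict(list), {}
    for rec in records:
        key, why = group_key(rec)
        groups[key].append(rec)
        reasons[key] = why
    entries = []
    for key, recs in groups.items():
        newest = max(recs, key=lambda r: r.doc_date)
        # Newest-in-time address wins, but only among records that have one.
        addr_src = max((r for r in recs if r.address), key=lambda r: r.doc_date, default=None)
        pii = set()
        for r in recs:
            pii |= {t for t, v in (("SSN", r.ssn), ("DOB", r.dob), ("ADDRESS", r.address)) if v}
        entries.append({
            "name": newest.name,
            "address": addr_src.address if addr_src else "",
            "pii_types": sorted(pii),
            "source_docs": sorted(r.doc_id for r in recs),
            "reason": reasons[key] + (f"; address taken from newest document {addr_src.doc_id}"
                                      if addr_src else "; no address found"),
        })
    return entries


def summary_report(entries):
    """Counts a legal team needs: unique individuals and how many had each PII type."""
    by_type = defaultdict(int)
    for e in entries:
        for t in e["pii_types"]:
            by_type[t] += 1
    return {"unique_individuals": len(entries), "by_pii_type": dict(by_type)}


# Constructed sample extractions (not real data).
SAMPLE_RECORDS = [
    Extraction("DOC-001", date(2023, 1, 10), "Jane Q. Doe", ssn="123-45-6789", address="1 Old Rd"),
    Extraction("DOC-002", date(2024, 5, 2), "JANE DOE", ssn="123456789", address="2 New St"),
    Extraction("DOC-003", date(2024, 3, 1), "Bob Smith", dob="1980-02-03"),
    Extraction("DOC-004", date(2024, 3, 5), "bob smith", dob="1980-02-03", address="9 Elm Ave"),
]

if __name__ == "__main__":
    entries = build_notification_list(SAMPLE_RECORDS)
    for e in entries:
        print(e)
    print(summary_report(entries))
```

Running several jurisdiction-specific lists from the same reviewed data is then a matter of filtering `entries` by the PII types each statute treats as reportable, without re-grouping the subjects.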
One Platform, Four Pillars: Faster Resolution
While many data breach response platforms have one or two of these four pillars, the best platforms implement and excel at them all. By integrating these four critical pillars, the iCONECT platform delivers a comprehensive, end-to-end breach response solution. This unified approach eliminates the chaos and delay inherent in less-specialized tools, ensuring you achieve speed without sacrificing quality, accuracy, or defensibility.
Take control of breach chaos. Contact us to discover how iCONECT’s data breach response and cyber data mining platform can optimize your PII identification, speed your review and get you to the notification phase quickly, accurately, and efficiently.