In our previous blog, we explored three steps corporations can take to prepare for post-breach data mining. But what happens after an incident occurs? In this blog, we look at four actionable tips law firms and vendors can follow for an optimal post-breach data mining experience.
Why Is Post-Breach Data Mining Important?
Post-breach data mining plays a central role in managing the aftermath of cyber incidents. After a breach, corporations often face a vast amount of data that must be sifted through to extract crucial information, usually under severe time constraints. Breach-response deadlines typically run 30 to 60 days, and much of that window is usually consumed before data mining even begins, often leaving just 5 to 10 days for this critical task.
If a corporation fails to notify affected individuals within the allotted time, it faces legal, financial and reputational damage. These costs can add up quickly. The global average data breach cost in 2024 was USD 4.88 million, which means corporations can’t afford to delay their responses to breaches.
Efficient data mining is essential to meet these tight deadlines. Corporations that partner with a law firm or vendor experienced in data mining have a better opportunity to quickly identify compromised data, assess the breach’s scope and fulfill regulatory requirements.
Having a well-thought-out plan before a breach occurs can minimize the stress and time crunch associated with data mining, ensuring that the process is streamlined and that critical insights are uncovered swiftly.
4 Best Practices for Post-Breach Data Mining
Law firms and vendors can follow these proven methods to ensure a more streamlined post-breach data mining process.
1. Only Review What’s Necessary
When preparing for post-breach data mining, focus only on reviewing what’s absolutely necessary. Remember that the goal is to create a notification list, not a production set like in eDiscovery.
Many who are new to this space may mistakenly approach post-breach review as they would with traditional eDiscovery, where full families of documents—like parent emails and their attachments—are often reviewed in their entirety. However, the mindset in post-breach review needs to shift.
In post-breach data mining, you’re not concerned with every copy of a document or who the personal information was originally intended for. What matters is that the threat actor had access to it. For example, if the same attachment appears across multiple emails, you only need to review one instance of that attachment if it’s identical. Similarly, if the attachment has no personal information, you may not even need to review it—just the email itself.
By strategically narrowing the scope of what needs to be reviewed, you can streamline the process and focus on extracting critical information. This saves time and removes the burden of reviewing unnecessary data, making the response more efficient and focused.
2. Plan for Data Normalization
Another helpful tip is to account for data normalization because the data extracted during this process needs to be complete and cohesive.
For instance, there might be five different documents, each containing partial data on an individual: one might have a name and email, another a name and Social Security number, another a name and birth date, and so on. Data normalization combines these scattered pieces of information to ensure accuracy, allowing you to link them together and create a complete profile for each individual. This is crucial for generating accurate notification lists and avoiding duplication.
A common hesitation in this space concerns extracting full data elements during the review process. To avoid handling personal information unnecessarily, some reviewers opt for a “yes/no” extraction process—indicating whether certain information, like a credit card number or birth date, is present but not capturing the actual data.
While this might seem safer or quicker, it can complicate quality control and data normalization later. When it comes time to link data subjects across documents, having actual pieces of information makes the normalization process much smoother and more accurate. For example, having a full birth date instead of just knowing whether one exists can help ensure precise identification, which improves the quality and reliability of your data analysis.
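The merging described above, as an added Python illustration that is not iCONECT's code or any product's algorithm: records extracted from six constructed documents are normalized (name order and case, SSN and phone punctuation, email case) and linked into one profile per data subject, either through a shared hard identifier or through a matching name with no disagreeing identifiers. The same records run through a simulated "yes/no" extraction show the caveat in the paragraph: with only presence flags, the two different people named Jane Doe collapse into one profile. All names, identifiers and document ids are constructed.

```python
"""Added example, not iCONECT's code: normalizing partially extracted personal
information into one profile per data subject. The documents, names, SSNs and
other values below are constructed for the illustration."""
import re

# Constructed sample: what a reviewer extracted from each document. Two different
# people are named Jane Doe; only DOC-005 belongs to the second one.
EXTRACTED = [
    {"doc": "DOC-001", "name": "Jane A. Doe", "email": "Jane.Doe@example.com"},
    {"doc": "DOC-002", "name": "Doe, Jane", "ssn": "123-45-6789"},
    {"doc": "DOC-003", "name": "JANE DOE", "dob": "1980-02-14", "email": "jane.doe@example.com"},
    {"doc": "DOC-004", "name": "Jane Doe", "ssn": "123456789", "phone": "(555) 010-0199"},
    {"doc": "DOC-005", "name": "Jane Doe", "ssn": "987-65-4321", "dob": "1991-11-30"},
    {"doc": "DOC-006", "name": "John Doe", "dob": "1975-07-01"},
]

HARD_IDS = ("ssn", "email", "dob")   # values that must not disagree within one profile
LINK_IDS = ("ssn", "email")          # values unique enough to link records on their own


def normalize_name(name):
    """'Doe, Jane', 'JANE DOE' and 'Jane A. Doe' all become 'jane doe'."""
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    parts = name.lower().replace(".", "").split()
    return f"{parts[0]} {parts[-1]}" if len(parts) > 1 else parts[0]


NORMALIZERS = {
    "name": normalize_name,
    "ssn": lambda v: re.sub(r"\D", "", v),     # 123-45-6789 -> 123456789
    "phone": lambda v: re.sub(r"\D", "", v),
    "email": str.lower,
}


def normalize(record):
    """Apply the per-element normalizer; drop the document id."""
    return {k: NORMALIZERS.get(k, str)(v) for k, v in record.items() if k != "doc"}


def _shares_link_id(profile, rec):
    return any(rec.get(k) is not None and profile.get(k) == rec[k] for k in LINK_IDS)


def _compatible(profile, rec):
    """Same normalized name, and no hard identifier present on both sides with different values."""
    if profile.get("name") != rec.get("name"):
        return False
    return all(profile.get(k) is None or rec.get(k) is None or profile[k] == rec[k] for k in HARD_IDS)


def _merge(profile, rec, doc):
    for k, v in rec.items():
        if k not in profile:
            profile[k] = v
        elif profile[k] != v:
            # Keep the first value and flag the disagreement for quality control.
            profile.setdefault("conflicts", []).append((doc, k, v))
    profile["docs"].add(doc)


def build_profiles(records, yes_no=False):
    """Merge extracted records into one profile per data subject.

    yes_no=True simulates a 'yes/no' extraction: every element other than the name is
    reduced to the flag "yes", which is all the linkage logic then has to work with."""
    profiles = []
    for raw in records:
        rec = normalize(raw)
        if yes_no:
            rec = {k: (v if k == "name" else "yes") for k, v in rec.items()}
        target = next((p for p in profiles if _shares_link_id(p, rec) or _compatible(p, rec)), None)
        if target is None:
            target = {"docs": set()}
            profiles.append(target)
        _merge(target, rec, raw["doc"])
    return profiles


def notification_list(profiles):
    """One row per data subject: a contact channel, the exposed element types and the source documents."""
    rows = []
    for p in profiles:
        elements = sorted(k for k in p if k not in ("name", "docs", "conflicts"))
        rows.append({"name": p["name"], "contact": p.get("email") or p.get("phone"),
                     "elements": elements, "docs": sorted(p["docs"])})
    return rows


if __name__ == "__main__":
    for row in notification_list(build_profiles(EXTRACTED)):
        print(row)
    print("profiles with full values:", len(build_profiles(EXTRACTED)))
    print("profiles with yes/no flags:", len(build_profiles(EXTRACTED, yes_no=True)))
```

With full values the six documents resolve to three data subjects, and the first Jane Doe's profile carries her email, SSN, birth date and phone drawn from four separate documents. With yes/no flags the run yields only two profiles, because "SSN present: yes" in DOC-005 is indistinguishable from "SSN present: yes" in DOC-002; that is exactly the quality-control problem the paragraph warns about.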
3. Align the Review Process with Data Breach Notification Needs
Before you begin post-breach data mining, it’s vital to know what you want to include in your data breach notification letters from the outset. Consider how you plan to notify individuals and what specific information you intend to share in those communications.
For example, if your client wants to notify impacted individuals via SMS, make sure you extract phone numbers during the review process. This avoids having to go back and extract that data later, which would cause delays and additional effort.
Similarly, consider fully extracting elements rather than selecting “yes” or “no.” This helps with data subject normalization and lets you include pertinent information more easily in the notification letter or as information available during any call center process.
By planning ahead and aligning your review process with the information needed for the notification letter, you can avoid these issues and ensure your notification letters are accurate and timely.
4. Use Purpose-Built Data Mining Software
When you want to streamline the post-breach review process, it helps to have data mining software built specifically for the task.
The right software will make it easier to meet data breach requirements:
- Identification: Use a mix of search terms, regular expressions and AI reviews to efficiently identify personal information within documents.
- Extraction: Automatically extract data that matches attorney-defined triggers.
- Verification: Allow users to define their criteria so you can verify results manually or automatically.
- Normalization: Create a notification list by deduplicating and normalizing the extracted elements.
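As an added Python illustration of the identification, extraction and verification steps in this list, and of reviewing an identical attachment only once (tip 1 above), here is a small review pipeline that is not iCONECT's code or any product's implementation. The mailbox, the attorney-defined trigger patterns and the SSN structural-validity rule used for verification are constructed assumptions; a real matter would use the patterns and criteria counsel defines.

```python
"""Added example, not iCONECT's code: identification, extraction and verification
over a constructed mailbox, reviewing each identical attachment only once.
All documents, addresses, numbers and patterns below are constructed."""
import hashlib
import re

# Constructed sample: three emails; DOC-A and DOC-B carry the identical attachment.
BENEFITS_FORM = b"Enrollment form\nEmployee: Jane Doe\nSSN: 123-45-6789\nDOB: 02/14/1980\n"
DOCUMENTS = [
    {"doc": "DOC-A", "body": "Hi, see attached form. jane.doe@example.com",
     "attachments": {"form.txt": BENEFITS_FORM}},
    {"doc": "DOC-B", "body": "Forwarding the same form.",
     "attachments": {"form (1).txt": BENEFITS_FORM}},
    {"doc": "DOC-C", "body": "Call John at (555) 010-0199. Invalid SSN 000-12-3456 in old note.",
     "attachments": {}},
]

# Attorney-defined triggers (assumed): element type -> pattern. Each pattern captures
# the full value as group "v", so the element is extracted rather than flagged yes/no.
TRIGGERS = {
    "ssn": re.compile(r"\b(?P<v>\d{3}-\d{2}-\d{4})\b"),
    "email": re.compile(r"\b(?P<v>[\w.+-]+@[\w-]+\.[\w.-]+)\b"),
    "phone": re.compile(r"(?P<v>\(?\b\d{3}\)?[ -]?\d{3}-\d{4})\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)[: ]+(?P<v>\d{2}/\d{2}/\d{4})", re.I),
}


def verify_ssn(value):
    """Verification criterion: reject structurally invalid SSNs
    (area 000, 666 or 9xx; group 00; serial 0000)."""
    area, group, serial = value.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


VERIFIERS = {"ssn": verify_ssn}   # elements without a verifier are accepted as found


def identify(text):
    """Return [(element, extracted value, verified)] for every trigger hit in text."""
    hits = []
    for element, pattern in TRIGGERS.items():
        for m in pattern.finditer(text):
            value = m.group("v")
            hits.append((element, value, VERIFIERS.get(element, lambda v: True)(value)))
    return hits


def review_plan(documents):
    """Every email body is reviewed; each distinct attachment (by SHA-256 of its bytes)
    is reviewed once, since an identical copy exposes the same information."""
    seen = {}   # digest -> (doc, attachment name) where it was first queued
    plan = []   # (doc, part, text)
    for d in documents:
        plan.append((d["doc"], "body", d["body"]))
        for name, content in d["attachments"].items():
            digest = hashlib.sha256(content).hexdigest()
            if digest in seen:
                continue
            seen[digest] = (d["doc"], name)
            plan.append((d["doc"], name, content.decode("utf-8", "replace")))
    return plan, seen


def run_review(documents):
    """Run identification over the planned parts; return findings plus review counts."""
    plan, _ = review_plan(documents)
    findings = [{"doc": doc, "part": part, "element": element, "value": value, "verified": ok}
                for doc, part, text in plan
                for element, value, ok in identify(text)]
    parts_total = sum(1 + len(d["attachments"]) for d in documents)
    return {"findings": findings, "parts_total": parts_total, "parts_reviewed": len(plan)}


if __name__ == "__main__":
    result = run_review(DOCUMENTS)
    print(f"parts in corpus: {result['parts_total']}, parts reviewed: {result['parts_reviewed']}")
    for f in result["findings"]:
        print(f)
```

The duplicate attachment in DOC-B is never opened, so five parts shrink to four, and the malformed SSN in DOC-C is still extracted but carries a failed verification flag so a reviewer can confirm or discard it rather than silently counting it as a data subject. The extracted values (not flags) are what the normalization step then links into profiles.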
Don’t make the process more complex than it has to be—look for software that enables full data extraction quickly and efficiently without requiring you to retype information for every document.
Additionally, software with built-in data normalization capabilities will significantly enhance the process, allowing you to merge and standardize fragmented data points automatically. These features save time and reduce the likelihood of human error, ensuring the review is accurate and that the resulting notification list is comprehensive and reliable.
Conclusion
In the aftermath of a cyber incident, efficient data mining is crucial for law firms and vendors. You’re in the business of protecting your client’s interests, both legally and operationally. Therefore, providing a quick, accurate and compliant cyber incident response is critical to success. Efficiency allows you to ensure compliance, minimize breach impact, make informed strategic decisions and protect your company’s and clients’ reputations.
By following these best practices, you can streamline the data mining process and minimize the breach’s impact on your client.
iCONECT is a cyber data mining platform designed to help you quickly identify and extract critical information from unstructured data so you can develop a comprehensive notification list and rapid response plan. Talk to an expert to learn how iCONECT fits your post-breach data mining process.