PII & PHI Records – Slaying the Hydra of Data Governance

PSP’s “How Many Records Do We Have? Professional Service Firms and PII / PHI Records” was published in June 2022 and remains one of our most popular Insights. The continuing significance of the issue has prompted this update, addressing increases in data breach class actions and the costs these are adding to already expensive data breaches. Professional service firms should make informed decisions about their Data Governance rules to help address this risk.

A rising tide of data breach class action lawsuits is a concerning risk development arising from the large amounts of regulated data held by professional service firms, in the form of PII (Personally Identifiable Information) and PHI (Protected Health Information, a subset of PII specifically related to healthcare and regulated by HIPAA).

These class actions have the attention of cyber and professional liability insurers. Data breach claims against professional service firm can impact either or both policies. Both sets of insurers are increasingly encouraging firms to purchase higher coverage limits and are heightening their scrutiny of data governance and security protocols.

Recent Settlements

Between December 2023 and December 2024, professional services firms settled (among others) the following class action lawsuits arising from data breaches:

• February 2024 - $8 million (638,000 individuals impacted by the breach)

• November 2024 - $8.5 million (9,550 individuals impacted by the breach)

• December 2024 - $21 million (3 million individuals impacted by the breach)

Data Breach Lawsuits Adding to Costs

The emergence and growth of data breach class actions adds to the costs of a data breach.

Unfortunately, many of these costs are also on an upward trend, including:

• Breach Counsel, Digital Forensics & Incident Response, Remediation of Systems
  
  • While traditionally the immediately incurred and paid expenses in the claims process, they are not typically the most significant portion of the ultimate cost of the incident.
  
  
• eDiscovery to establish whose data has been breached and the extent of the firm’s notification responsibilities
  
  • A universe of data known or suspected to have been compromised needs to be established to determine PII and PHI content and the list of individuals affected. This process involves advanced automation and, often, large teams of human reviewers.
  • Class action litigation arising from the breach can substantially extend the length of time that such data must be held and therefore increase the associated cost.
  
  
• Issuing jurisdiction-required statutory notifications and provision of required services such as:
  
  • ID Theft Insurance
  • Credit Monitoring
  • Call Centre Services, etc.
  
  
• Payment of a ransom
  
  • Ransoms intended to prevent hackers from exploiting or publishing the data
  
  

Threat actors typically present professional service firms with two ransom scenarios:

Alignment of Knowledge Management and Information Security Strategy is Vital

While often seen as an intractable problem BEFORE a breach, identifying the number of individuals whose data is stored in a firm’s systems, is one of the most important and expensive tasks DURING or AFTER one.

Indexing tools, some of them AI-enabled, are emerging to assist in this area. However, many firms still question the value of investing in these approaches based only on a potential future risk of compromise.

Some reticence may also be due to past data governance efforts forcing users to tag emails, files or other data at the time they are saved. This has led to push back from knowledge workers, often resulting in the removal of the user data-tagging requirement.

In other cases, the view that every item of client data is equally confidential, equally sensitive and deserves equal protection meant that investing in the overall protection of the entire corporate repository became a higher priority than tools to identify what and where the data was.

As a result, after a cyber incident, any eDiscovery process necessary to provide regulators with accurate accounting, enumeration and identification of the number of individuals whose data is in the various Document Management Systems, SharePoints, and other repositories at the firm, is often paid for by insurers as an insured expense.

So, Why Invest in Data Governance?

One of the appeals of AI and other data analytics tools is the prospect of being able to turn the enormous quantities of data held by the firm into actionable intelligence that facilitates better advice for clients and is a differentiator for the firm. Efforts to realize the value of Knowledge Management is driving investment into these tools, and Data Governance has a key role in this process.

In parallel, and as shown by the above trends in class action lawsuits, entities that host regulated data face significant and increasing hazards in the legal, regulatory and litigation environment. It has also become more prevalent for victims of data compromise to sue and for regulators to penalize “transgressors.”

This environment also affects firms that share regulated data with their vendors. They are under pressure to ensure that the vendors are managing and protecting the data that they hand over in connection with engagements.

Hackers are exploiting theft of sensitive data as a strategy. A report from Coveware indicates that while only 25% of victims of ransomware pay extortion demands for decryption keys, 41% pay if there the extortion is based on data exfiltration. Our own experience is that professional services firms will often pay at an even higher rate if sensitive client data is compromised.

Investing in a comprehensive data governance strategy and the management of sensitive data can have positive returns in increasing the firm’s ability to leverage data and enhance services to clients, while at the same time helping to reduce the attack surface and the potential for legal and regulatory liability.

You Can’t Manage What You Can’t Measure

Data Governance should not be viewed as an audit requirement (although that is an outcome of the process); it is primarily the beginning of knowledge engineering within the firm. As such, it should involve the leaders of the business, together with technology strategy and security working in close collaboration with those overseeing risk.

A professional service firm is often a pressure cooker of client service and responsiveness. Technology facilitates the instant availability of information, often spawning multiple copies of data in multiple locations – in email, DMS, Shared Files, Cloud, Secure File Transfer Applications, etc.

This can lead to data saved across structured, semi-structured and (mostly) unstructured locations with multiple and duplicative records. This makes it extremely challenging to identify the number of individuals whose records are held, harder to manage the data, and increasingly difficult to secure it. It also can rob the firm of the opportunity for analytic innovation with the data of its own business.

In an environment where, according to IBM’s Cost of a Data Breach Report 2024, the average cost of a breach is between $170 and $190 per record, Data Governance does not just help identify the scale of the exposure for insurance purposes, it helps the firm create a strategy to manage and mitigate the risk.

Manage and Mitigate

The broad parameters for a manage and mitigate data strategy could be formulated as follows:

• Active Records
  
  

  Sort by the risk or the “weight” or “gravity” of the records. Obviously active data needs high availability, but the associated risks are not equal. For regulated data, large quantities of PHI represent a higher exposure than large quantities of other types of PII, for example. The firm also has possession of highly sensitive client data, like trade secrets and IP, that could represent a heightened likelihood of client litigation and potentially very substantial liability if it is breached.

  After identifying these particularly high-risk types or quantities of data, a firm may want to segregate them into more restrictive environments with higher levels of encryption and security, as well as specific retention rules. Such records may only be retained for the duration of activity and then either moved to a more secure (potentially in a “nearline” or “offline” environment) or appropriately expunged.

  
  
• “Dormant” Records
  
  

  These are files that are inactive; files that will not be needed instantly or at short notice and thus can be stored further from “active data stores or current production environment”. The firm, for instance, could define a period of zero access to categorize these matters. They can then be moved to a secure encrypted storage site requiring justification for access.

  
  
• “Cold” or “Fossil” Records
  
  

  These files can be categorized in three ways:

  • Engagements that are concluded and there is no possibility of any further activity or requirement to access the files. The firm can set the parameters around how this is to be determined: for example, the parties may be dissolved entities. These files could safely be permanently deleted or encrypted, moved to offline media (tape or hard drive) and sent to a storage facility.
    
    
  • Files belonging to employees who have been out of the firm for more than “X” number of years or clients whose contracts expired “Y” number of years ago – again the firm can create its own parameters. These files can potentially be deleted or encrypted, moved to offline media and sent to a storage facility.
    
    
  • Files that have not been active or accessed in “Z” number of years and the client engagement letters expired “Y” number of years ago. These files can potentially be securely shredded or encrypted and moved to offline media and sent to a storage facility.
    
    

The firm can also set rules, like automatic deletion after a specific length of time, around other applications such as email and fileshares.

In the case of secure File Transfer (FTP) applications, strict limits on the length of time that files will be retained before being automatically deleted is recommended, otherwise the temptation is for these to be used as additional storage sites, compounding the impact if the system or application is breached.

Data is Fuel, Knowledge is Power

In enterprise level breach events, senior leadership of a company often lament that “The only thing worse than contacting the firm’s current clients to notify them of the incident, is having to spend time calling clients we have not dealt with in a decade or more for the same reason.”

A calculated strategy around what data to retain, where and for how long, can reduce this exposure without impacting the firm’s business. Ignoring the risk, and thereby retaining it, can dramatically increase the costs of a breach in electronic discovery processing, notifications and the potential class action group size.

Data governance tools are invaluable for implementing these types of rules and can add other capabilities as well, such as assisting with the identification and categorization of PII and PHI. They can also provide more sophisticated management tools; for example, automatically redacting PII or PHI in emails that have reached a certain age. Employees can still trace the correspondence for a particular matter in their email files but if they need the PII details they must go to the Document Management System. Locating and understanding the exact nature and purpose of PII and PHI in your systems may also help avoid accidentally making it available for the training of internal AI tools (or worse, external AI integrations).

Managing data through a comprehensive Data Governance strategy can help the firm to more safely leverage data as fuel to power the development of knowledge, that in turn can be used to provide analytics and intelligence to clients. Without a strategic governance implementation, that data may become the fuel that causes an uncontrolled wildfire or explosion in the event of a breach.