Blog  |  May 11, 2023

Why Use a Hammer When You Can Use a Swiss Army Knife?: Considerations for Incident Response

In our first post in this series, we discussed how eDiscovery technology and workflows are being applied to several different use cases today. According to eDiscovery Today’s 2023 State of the Industry Report, seven use cases are being applied by at least 40% of 410 survey respondents.

One of those use cases is incident response, for which eDiscovery is used by close to half (47.8%) of respondents – the fifth highest percentage of respondents overall. In this post, we’ll discuss the purpose of incident response, how eDiscovery for incident response is unique, and how eDiscovery workflows and technology can be applied to support your response to cyber incidents.

Purpose of Incident Response

The Sedona Conference® Incident Response Guide states: “In today’s connected world, compromise of electronically stored information (ESI) is inevitable—even for the most prepared organization. An effective and efficient response is critical to expediting recovery and minimizing the resulting harm to the organization and other interested parties, especially affected consumers.”

When responding to cyber incidents, the primary goal is to quickly identify, contain, and mitigate the incident. Part of that identification, containment and mitigation includes identifying any parties affected by the incident, notifying them about potential exposure of their data and possibly offering mitigation to address the exposure (e.g., such as free credit monitoring for a period of time).

How eDiscovery for Incident Response is Unique

There are several ways in which conducting eDiscovery to support incident response is different from other eDiscovery use cases, including litigation. They include:

  • Goals for Review are Different: For many use cases (including litigation and investigations), the goal is to identify responsive documents in terms of the subject matter of those documents (i.e., which documents are relevant to the litigation, investigation, etc.). That determination may often be possible after reviewing only part of the document, perhaps even just the first page. For incident response, review is done primarily to identify potentially exposed personally identifiable information (PII), which is objective data, and every page of each document typically must be reviewed, as any of them could contain PII.
  • Review Staffing is Also Typically Different: Staffing for litigation and other related reviews usually involves legal professionals (review attorneys and paralegals) who have legal background and training to make subjective determinations on relevance. Incident response reviewers typically don’t require any specific legal background, just a sound attention to detail!
  • Stakeholders: For litigations and investigations, the stakeholder(s) are the client(s) involved, who are typically limited (except for certain types of cases, such as class actions). The stakeholders in incident response are the parties for which data is potentially exposed, and this could be thousands of individuals and organizations.
  • Timeframe: Unlike litigation and HSR Second Requests, which have regimented timeframes and schedules for conducting discovery, incident response almost always runs on an expedited time frame, as organizations need to respond quickly to breaches and notify affected parties of their data exposure as soon as possible to minimize damage and potential liability.

Applying eDiscovery Workflows and Technology to Incident Response

The typical eDiscovery workflow for incident response includes the following steps:

  • Identification: Potentially exposed data is identified.
  • Ingestion: That data is processed and ingested into an eDiscovery platform.
  • Searching and Culling: To identify ESI that potentially contains PII, searching and culling is performed.
  • Review: Potentially responsive ESI is reviewed to locate specific instances of PII within the collection and log the instances and the parties affected.
  • Normalization: When review is completed, the results are normalized, deduplicated and QCed.
  • Reporting and Notification: Information about the exposed data and the affected parties is then used for reporting and notification to those parties.

Searching and culling typically includes using these approaches:

  • Regular Expressions: Regular expressions (Regex) are patterns that identify strings matching those patterns. Regex matching works well for numbers that follow consistent formats, so finding common patterns of PII (such as social security numbers, phone numbers, drivers’ license numbers and credit card numbers) is a common use case for regular expression searches.
  • Email Thread Identification: To the extent that PII appears in emails, the use of email thread identification to identify unique emails within the thread can save considerable time in review, especially since every page of a document must be reviewed to identify PII.
  • AI and Machine Learning Technology: Unsupervised learning capabilities can be used to identify documents with potential PII. For example, clustering and near-dupe identification are unsupervised learning techniques that can identify documents similar to those with PII, which may also include PII. These same techniques can also be used to eliminate groups of documents unlikely to have PII (based on the absence of PII in other documents in those groups).
  • Sampling: Conducting at least one random sample of the set of documents not retrieved during searching is important to confirm (and be able to defend) your approach for identifying documents that potentially contain PII. If any documents with PII are found during the sampling phase, the results should be evaluated, and additional searches may be necessary.
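The regex search, culling and random-sampling steps described above, as an added example that is not code from the original post or from Cimplifi. The documents, the PII patterns and the Luhn check used to drop card-like numbers that are not real card numbers are all constructed here for illustration.

```python
import random
import re

# Constructed sample "documents" standing in for processed ESI (not real data).
DOCS = {
    "doc-001.txt": "Invoice 2023-0142 for J. Smith. Card on file: 4111 1111 1111 1111.",
    "doc-002.txt": "Meeting notes: review Q3 budget, call vendor at 555-0100.",
    "doc-003.txt": "Employee record: SSN 123-45-6789, phone (212) 555-0199.",
    "doc-004.txt": "Order ID 1234-5678-9012-3456 is an internal tracking number, not a card.",
    "doc-005.txt": "Routine status update, nothing sensitive here.",
}

# Simplified patterns for three PII types the post names (assumed US formats).
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}-)\d{3}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 0 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_document(name: str, text: str) -> list:
    """Log each PII instance found in one document (type, value, source doc)."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group()
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue          # culled: fails Luhn, so not a card number
            hits.append({"doc": name, "type": kind, "value": value})
    return hits

def cull(docs: dict) -> tuple:
    """Split the collection into the retrieved set (has hits) and the rest."""
    retrieved, not_retrieved = {}, []
    for name, text in docs.items():
        hits = scan_document(name, text)
        (retrieved.__setitem__(name, hits) if hits else not_retrieved.append(name))
    return retrieved, not_retrieved

def sample_not_retrieved(not_retrieved: list, k: int, seed: int = 1) -> list:
    """Random sample of the non-retrieved set for the defensibility review."""
    return random.Random(seed).sample(not_retrieved, min(k, len(not_retrieved)))
```

Any PII found in the sampled non-retrieved documents is the signal, per the post, to revisit the patterns and search again.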

Applying eDiscovery workflows and technology to support incident response may be one of the most unique applications of eDiscovery! But incident response still requires the same EDRM phases – Identification, Preservation and Collection, Processing, Analysis and Review, and Production and Presentation – that eDiscovery requires for other more traditional use cases. The goals and approaches for incident response may be different, but incident response still benefits from the application of eDiscovery workflows and technology!

In case you missed the other blogs in this series, Why Use a Hammer When You Can Use a Swiss Army Knife?: Use Cases for eDiscovery Today,  you can find them here: