PII is ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’.
It includes names, home and email addresses, passport and driver’s licence numbers, employment status, criminal record, age, ethnicity, race and more. Identifying all of these diverse forms of data is a complex task.
Under Australian Legislation data, including (PII) is protected under the Privacy Act 1988 as well as under the Australia Government Notifiable Data Breaches Scheme which was introduced in 2018. The latter requires Australian Government agencies and organisations to notify individuals affected by data breaches likely to result in serious harm.
The Problem
Traditionally legal teams may have only thought about protecting personal data when providing documents to a regulatory body, court or another party, in response to, for example, Notices to Produce or Disclosure Orders, consideration being given to whether personal information should be redacted.
However, there is now a more serious threat to PII in the form of Data Breaches. Over the 2021–22 financial year, the Australian Cyber Security Centre (ACSC) reported it received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes. There was an increase in the number and sophistication of cyber threats, making crimes like extortion, espionage, and fraud easier to replicate at a greater scale.
In recent years, a number of notable data breaches have included:
– 3 billion Yahoo users security questions, passwords and financial info
– 700m LinkedIn users email address, phone numbers and profiles
– 350m Facebook users account names and phone numbers
– 330m Twitter user’s passwords
In Australia, data breaches in 2022 included Optus affecting 9.8 million customers, and Medibank, the private health insurer, who confirmed all of its 3.9 million customers were affected.
Key 2021–22 Financial Year Statistics
- Over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year
- Self-reported losses from cybercrime increased significantly to over $98 million
- 95 cyber incidents – around 8 per cent of all cyber incidents the ACSC responded to – affected critical infrastructure. (New definition compared to 2020-2022)
- 150,000 to 200,000 Small Office/Home Office routers in Australian homes and small businesses vulnerable to compromise including by state actors. The average loss per report across businesses increased 14 per cent compared to 2020–21
- 135 ransomware cyber security incidents, an increase of over 75 per cent compared to 2019–20. In addition, the ACSC identified and notified 148 organisations of ransomware activity
The Solution
Automated Identification
Relativity Redact is built into our Relativity review offering. It allows users to redact or highlight files in three simple steps:
1. Identify the information you wish to identify and redact or highlight.
2. Set the rules as to what will be automatically redacted or highlighted.
Relativity Redact has a number of pre-set options that can be combined with rules of your choice to identify common patterns such as Credit Card Numbers, Driver Licence Numbers, Tax File Numbers and Birth Dates.
3. QA the results.
Relativity Redact provides a summary of the automated redactions/highlights that are applied. QA can be done on a redaction by redaction or highlight by highlight basis, or by way of mass operations as required.
Documents not Suitable for Automated Redaction / Highlighting
Where documents are not suitable for automated redaction, for example documents where the quality of text is poor and can’t be read by the software – handwritten notes or low -quality scanned documents – Law In Order’s Document Review team can review these documents and redact or highlight any relevant text manually.
PII that is not Suitable for Pattern Recognition
Automated redaction/ highlighting is possible with a list of known names or a repeatable regular pattern, such as a Tax File Number. However, if you wish to identify and redact all names or text not easily identifiable by pattern recognition, an automated workflow may be insufficient. In this case, our Document Review team can undertake the review of these documents and redact or highlight any relevant text manually.
Summary
Using a combination of technology and human reviewers, Law In Order can provide a quick and cost efficient workflow to assist with you meeting your data protection and reporting obligations.
For further information, please contact:
Linda Fernandez, Chief Client Officer, Law In Order
sydney@lawinorder.com