What to Redact in Ediscovery: Containing the Redaction Explosion in Your Doc Review Workflow
The ediscovery process is, almost by definition, shaped by sensitive data. In even simple matters, legal teams spend significant energy shielding information protected by attorney-client privilege or otherwise confidential from disclosure.
But there is also a whole universe of additional sensitive information in many discovery document sets–trade secrets, financial data, social security numbers, and the like. This is, after all, information worth litigating over.
As such, there has always been a need to redact sensitive data from documents being produced to support litigation or other types of ESI productions. The ability to efficiently apply redactions has long been a required component of any ediscovery workflow.
However, both the volume of potentially sensitive data to be redacted and the data sources where redactions need to be applied have exploded in recent years, forcing ediscovery teams to adjust to keep up with the growing volume of redactions that need to be applied.
Legal professionals are adjusting their workflows and leveraging technology to effectively contain the redaction explosion of more data and different data sources to be redacted.
What Type of Sensitive Data Needs to Be Redacted?
The specific information you’ll want to redact during the ediscovery process will vary depending on the matter and the data in your document corpus. But, generally speaking, the types of sensitive data commonly redacted have into three categories over the years:
Privileged Information. Examples include communications between an attorney and their client are protected under the attorney-client privilege and work product by attorneys that are protected as an attorney work product, etc. Federal Rule of Civil Procedure 26(b)(5)
discusses the parameters for claiming privilege in discovery.
Confidential Information. Examples include intellectual property, trade secrets, or other protected information. Under ABA Model Rule 1.6, lawyers have a duty to protect client-confidential information.
Personal Data. This includes personally identifiable information, or PII (e.g., names, dates of birth, or Social Security numbers), and protected health information, or PHI (e.g., medical records). FRCP Rule 5.2 discusses redacting court orders and filings to protect personal data, including individuals’ social security numbers, taxpayer identification numbers, birth dates, the name of a minor individual, or financial account numbers—restricting to the last four digits of the SSN, TIN or financial account number, birth year and minor’s initials.
Every day, courts in the United States adjudicate thousands of cases, and in many instances, are writing new case law. We’ve surveyed the key opinions to find the 16 most crucial ediscovery cases for legal professionals. Download your copy and read our roundup.
Two Factors Leading to the Redaction Explosion
So, what has caused the explosion in redactions? Here are two primary factors:
Data Privacy Legislation
Recent data privacy legislation like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act of 1996 (HIPAA) have expanded the scope of personal data to be protected and the importance of protecting it.
For example, the GDPR defines personal data expansively, including information such as:
Identification card number, like SSN (or equivalent in other countries), driver’s license number, etc.
Name and surname
Email address
Phone number
Home address
Date of birth
Race
Gender
Political opinions
Credit card numbers
Data held by a hospital or doctor
Photograph where an individual is identifiable
Cookie ID numbers
Internet protocol (IP) addresses
Location data (for example, the location data from a mobile phone)
Advertising identifier of your phone
Health information such as diagnoses, treatment information, medical test results, and prescription information is considered protected health information under HIPAA, in addition to some of the PII data listed above.
This expansion in scope and importance of PII has added considerably to the redaction burden in ediscovery, with use cases expanding beyond litigation to data breach response and other use cases where PII remediation may be necessary.
Expanded Sources of ESI to Be Redacted
The second factor leading to the redaction explosion is the expanded sources of ESI that require redaction. In recent years, the explosion of data from collaboration apps and audio/video ESI sources has required workflows to be adjusted to support those new ESI sources. Redactions aren’t limited to email and office files anymore.
How to Contain the Redaction Explosion
With so many more potential areas of sensitive data to redact, how can ediscovery teams keep up? Here are two ways to contain the redaction explosion and how ediscovery solutions can help:
Batch Redaction
Many types of sensitive information can be identified across document collections. That includes data that fits specific patterns, like SSNs and credit card numbers, email addresses, unique person names, and more. Batch redactions allow you to identify those patterns and redact information in bulk (or in batch) across many or all of your documents.
Batch redactions can enable your team to contain the explosion of personal data that requires redaction in ediscovery workflows while still meeting reporting requirements such as documenting redaction reasons.
Expanded Workflows for Other ESI Types
There is no “one size fits all” workflow for supporting redactions anymore. ESI types like audio/video files have special requirements for how redactions should be handled, including the ability to apply redactions to either the audio/video file or the transcript—or both—while (once again) documenting the redaction reason.
See how redaction works in Everlaw here.
Failure to properly document audio redactions can lead to costly and time-consuming discovery disputes, as was the issue in this case’s recent ruling earlier this year.
Final Thoughts on Redacting Sensitive Data
As privacy concerns increase and data sources continue to proliferate, redacting sensitive information during the discovery process is becoming increasingly important. Whether you’re seeking to avoid embarrassing redaction failures or to reduce the time and cost incurred by manual redaction methods, having the proper tools and procedures in place is essential.
To learn more about streamlining redactions with Everlaw, click here.