Epiq’s “Ryuk” ransomware attack in February cut off customer access to their hosted discovery matters for roughly three days. This outage constitutes a major service interruption and a violation of normal Service Level Agreements for one of the largest global legal service providers. Beyond SLA penalties, missed production deadlines and unhappy customers, Epiq is now facing a potential class action suit under the new California Consumer Privacy Act (CCPA). Epiq asserts that, based on their investigation, no consumer data was exfiltrated and no PII was exposed in the attack. But what is the cost to defend against the allegations and the cost to their reputation?
I generally recommend actively screening for PII in collections, or excluding or redacting it during processing, as being irrelevant and a risk. Even better is having a written policy in your discovery protocols that requires counsel approval before collecting from data sources with known PII (e.g. HR reports, benefits managers, etc.). Of course, this requires you to have an updated data map in your ECA process. So many moving parts for discovery practitioners to account for.