In the wake of a data security incident, one of the most critical – and often most challenging – tasks for a company is conducting a thorough review of the data impacted by the incident. This process is essential not only for understanding the scope and impact of the incident but also to be able to comply with various state, federal, and international laws requiring notice when there is an incident affecting personal information of individuals. Even so, companies are often left to navigate this process with limited guidance, unclear expectations, and overwhelming time pressure.
The frequency of cyberattacks with data extortion shows no signs of slowing down, and the volume of data stolen by threat actors continues to be unrelenting – in fact, in Q1 2025 alone, according to one research firm, ransomware groups publicly claimed 2,289 victims on data leak sites, a 126% increase from the previous year. While there is no definitive “average” volume of data exfiltrated in data security incidents, it is increasingly common for large-scale events to involve multiterabytes of impacted data, which often require weeks or more likely months to thoroughly review.
Given the growing scale and impact of these incidents, it is important for companies to understand the key challenges and strategic considerations for reviewing impacted datasets as part of their cyber-preparedness activities so that, in a time of crisis, they can efficiently streamline the process, mitigate risk, and ensure compliance with legal obligations.
Challenge #1: Is an Internal Data Breach Review a Possibility, or Do I Need to Engage an External Vendor?
Once a dataset impacted by an incident has been identified, conducting a defensible review of that data is critical to ensuring that an organization complies with its legal and regulatory requirements.
A data breach review involves a methodical examination of the impacted dataset to determine if the records contain personal identifying information (PII), personal health information (PHI), or other sensitive data. Companies are generally expected to conduct a comprehensive line-by-line analysis of any impacted sensitive data to identify whose information was exposed and the types of data involved. This typically involves a combination of keyword searches, pattern recognition tools, and manual validation techniques to identify and categorize sensitive data elements. It may also include extracting individual identifiers like Social Security numbers. Each stage of the review should further incorporate rigorous quality control measures to ensure the accuracy, consistency, and defensibility of the findings.
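The combination of pattern matching, keyword search, and validation described above can be illustrated with a small scanner. The following is an added example written for this page, not tooling from the advisory or from any vendor; the regular expressions, the keyword list, the status categories, and the sample records are all constructed assumptions. It applies a pattern-based SSN and email search to each record, rejects SSN-shaped values that cannot be real under published SSA issuance rules (area 000, 666 or 900 and above; group 00; serial 0000), and routes records whose context suggests health information to manual review instead of deciding automatically.

```python
import re
from dataclasses import dataclass

# Pattern-recognition step: SSN-shaped and email-shaped tokens (constructed patterns).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Keyword step: context terms that suggest health information and therefore
# a human reviewer rather than an automated decision (constructed list).
PHI_KEYWORDS = ("diagnosis", "patient", "prescription", "treatment")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Validation step: reject values that cannot be SSNs under SSA issuance rules."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


@dataclass
class Finding:
    record_id: str
    element: str   # "SSN", "EMAIL" or "PHI_CONTEXT"
    value: str
    status: str    # "reportable", "manual_review" or "rejected"


def scan_record(record_id: str, text: str) -> list[Finding]:
    """Run pattern, validation and keyword checks over one record."""
    findings = []
    for m in SSN_RE.finditer(text):
        status = "reportable" if valid_ssn(*m.groups()) else "rejected"
        findings.append(Finding(record_id, "SSN", m.group(0), status))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding(record_id, "EMAIL", m.group(0), "reportable"))
    lowered = text.lower()
    hits = [k for k in PHI_KEYWORDS if k in lowered]
    if hits:
        findings.append(Finding(record_id, "PHI_CONTEXT", ",".join(hits), "manual_review"))
    return findings


def scan_dataset(records: list[tuple[str, str]]) -> list[Finding]:
    """Scan every (record_id, text) pair and collect all findings."""
    all_findings = []
    for rid, text in records:
        all_findings.extend(scan_record(rid, text))
    return all_findings


def summarize(findings: list[Finding]) -> dict[str, dict[str, set[str]]]:
    """Quality-control view: per record, which elements are reportable,
    which need a human decision, and which were rejected by validation."""
    summary: dict[str, dict[str, set[str]]] = {}
    for f in findings:
        entry = summary.setdefault(
            f.record_id, {"reportable": set(), "manual_review": set(), "rejected": set()}
        )
        entry[f.status].add(f.element)
    return summary


# Constructed sample records; none of these values belong to a real person.
SAMPLE_RECORDS = [
    ("rec-001", "Employee Jane Doe, SSN 123-45-6789, contact jane.doe@example.com"),
    ("rec-002", "Test account, SSN 000-12-3456, no real data"),
    ("rec-003", "Patient visit notes: diagnosis recorded, treatment plan attached"),
    ("rec-004", "Quarterly sales figures, no personal data"),
]

if __name__ == "__main__":
    for rid, buckets in summarize(scan_dataset(SAMPLE_RECORDS)).items():
        print(rid, {k: sorted(v) for k, v in buckets.items() if v})
```

The point of the three-way status is the quality-control requirement in the paragraph above: a value that matches the SSN pattern but fails validation is recorded as rejected rather than silently dropped, so the review log shows why it was excluded, and context-sensitive material is never classified without a reviewer.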
In practice, it is exceedingly rare for companies to handle data breach reviews entirely in-house. Most companies lack the specialized tooling, expertise, and capacity to carry out a defensible review – even when dealing with relatively small datasets. While a limited internal review may be appropriate in rare cases when it is immediately clear that no PII, PHI, or sensitive data is involved, companies should be prepared to provide clear documentation that supports those findings and ensure the approach complies with the company’s regulatory and contractual obligations.
If it is likely that more than an insignificant amount of PII, PHI, or other sensitive data may have been exposed, engaging a reputable external vendor is strongly advised and consistent with industry practice. External vendors not only offer the technical capabilities and expertise needed for a thorough and timely review but also provide an added layer of credibility and validation that external parties, including regulators, often expect.
Key advantages of using an external vendor include:
- Specialized Expertise and Efficiency. External vendors bring considerable experience in incident response, including technical workflows for data mining. Unlike internal teams – who may lack the necessary specialized tools or training – vendors are equipped to handle large volumes of impacted data under tight deadlines with precision and speed. Their familiarity with regulatory expectations and industry standards helps ensure a defensible and streamlined review.
- Cost-Effective Risk Mitigation. While external reviews may involve higher up-front costs, they often reduce long-term risk exposure by minimizing the likelihood of errors, delays, or regulatory missteps. Internal reviews may appear more budget-friendly but often require hidden investments in training, temporary staffing, and tooling – and may still fall short of the rigor expected in high-profile incidents.
- Credibility and Regulatory Confidence. External vendors offer an independent, objective assessment that typically carries more weight with regulators, plaintiffs’ counsel, and other stakeholders. This impartiality is especially critical in large-scale breaches or when litigation is anticipated because the review process is likely to be heavily scrutinized by regulators, plaintiffs’ counsel, or both. In some industries, external review is not just best practice – it is a regulatory requirement.
- Operational Relief and Predictability. External vendors provide dedicated teams and offer defined timelines, deliverables, and accountability. This reduces the burden on internal staff, allowing them to focus on business continuity and remediation efforts.
Challenge #2: How Should I Select a Vendor and Manage the Review Process?
Once the decision to engage an external vendor has been made, the focus shifts to selecting the right partner – one that not only meets technical and regulatory requirements but also aligns with your organization’s risk posture, communication style, and operational cadence.
While speed and cost often dominate the decision-making process, an overly limited review or one found to contain inaccuracies can require the company to re-review the data – a costly and time-consuming setback that can delay regulatory reporting and increase legal exposure. To avoid these pitfalls, companies benefit from a more holistic assessment of vendor selection, including methodology, technological capabilities, quality assurance measures, and relevant experience. Specifically, the following considerations can help companies make an informed and strategic decision:
- Relevant Scoping, Experience, and Availability. Assess whether the vendor has experience with similar types of breaches and working with organizations in the same industry – familiarity with industry-specific legal and compliance requirements is essential. Look for vendors that can provide references or case studies that demonstrate both their technical expertise and understanding of your regulatory landscape. It may also be necessary to consider the vendor’s capacity to meet a company’s specific demands. This includes the vendor’s ability to operate under tight deadlines, offer 24/7 support, and scale quickly if the impacted dataset expands or new file types are identified. If litigation is a possibility, selecting a vendor with a strong industry reputation and a proven track record can be especially important.
- Methodology. Evaluate the vendor’s process for identifying, analyzing, and reporting on reportable personal information within the impacted dataset and confirm that the vendor maintains appropriate documentation of those processes. The methodology should be updated to accurately reflect the steps taken while undertaking the review, including documentation of key decisions.
- Technology and Validation Processes. At a minimum, a vendor’s technology should align with established industry standards, making it important to understand how a vendor’s tooling ranks against its competitors. From a technical and strategic standpoint, companies benefit from selecting vendors that: (1) conduct preliminary scans before beginning a detailed review to efficiently identify files that may have been encrypted before the incident and may be excluded from the review following appropriate testing, files requiring further processing, and files needing manual review – such as records containing context-sensitive information like medical records or email content; and (2) leverage advanced automation in data extraction, which enhances both the speed and accuracy of identifying potentially reportable personal information. A vendor’s tools should also be able to adapt to myriad and complex data sources and formats and be capable of handling the volume of data to be reviewed. Companies should be prepared to defend any software or practices that may be potentially controversial or produce inconsistent results. Finally, look for vendors that can provide documentation of the quality control measures in place to ensure reliable results.
- Pricing. While pricing is typically based on the volume of data to be reviewed, the initial estimate is often incomplete or overly optimistic, leading to delayed timeframes or unexpected costs down the line. Key challenges may include: (1) extended timelines due to data complexity, poor formatting, or the age and condition of the impacted data; (2) additional charges arising from newly discovered datasets or formatting issues that require extra processing; and (3) hidden fees or separate costs for project management, reporting, or reprocessing data that may not have been included in the original quote. To reduce the risk of budget overruns, companies should request a detailed pricing breakdown, including scenario-based estimates, and clarify whether pricing will be fixed, tiered, or time-based. Incorporating defined milestone and completion schedules into contracts can assist in identifying potential timing issues early, while escalation clauses offer additional protection by ensuring that emerging issues are promptly addressed before they disrupt overall project timelines. As previously noted, reviewing vendor references or case studies can also offer valuable insight into a vendor’s ability to deliver on time and within budget.
- Transparency and Post-Review Support. Regular vendor updates and clearly defined performance benchmarks are essential throughout the review process to mitigate delays and identify potential issues early on. Companies should proactively request examples of the vendor’s reporting templates and standard status updates in advance to ensure transparency, alignment, and accountability at the outset. Reviewing these materials in advance allows companies to assess whether the vendor’s reporting cadence and level of detail will support timely decision-making and help uncover gaps in reporting logic or formatting that could hinder notification efforts. When large-scale notifications are anticipated, companies further benefit from understanding whether the vendor can assist with providing information needed for responding to regulatory inquiries, assisting with litigation, or providing additional post-review services as needed.
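The preliminary scan described under Technology and Validation Processes sorts files into buckets before any detailed review: files that appear to have been encrypted before the incident (to be excluded only after testing), files that need further processing before they can be scanned, files that need a human reader, and files that can go straight to automated extraction. The following is an added example written for this page, not the advisory's or any vendor's tooling; the magic-byte list, the entropy threshold of 7.5 bits per byte, the extension list, the bucket names, and the sample files are constructed assumptions.

```python
import math
import random
from collections import Counter

# Container or document formats that must be unpacked or text-extracted before
# pattern scanning (constructed list of well-known magic bytes).
CONTAINER_MAGIC = {
    b"PK\x03\x04": "zip/office container",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
}

# File types whose content is context-sensitive and needs a human reader.
MANUAL_REVIEW_EXTENSIONS = (".eml", ".msg")

# Bytes with near-uniform distribution are assumed to be encrypted or
# compressed; 7.5 bits/byte is an assumed threshold, not an industry figure.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_file(name: str, data: bytes) -> str:
    """Assign one file to a review bucket. Order matters: a container is
    unpacked before its entropy is judged, because compressed archives
    look random but are not encrypted."""
    for magic in CONTAINER_MAGIC:
        if data.startswith(magic):
            return "further_processing"
    if name.lower().endswith(MANUAL_REVIEW_EXTENSIONS):
        return "manual_review"
    if shannon_entropy(data[:65536]) > ENTROPY_THRESHOLD:
        # Candidate only: the advisory's point is that exclusion follows
        # appropriate testing, so nothing is dropped at this stage.
        return "candidate_encrypted_pending_test"
    return "automated_scan"


def triage_dataset(files: dict[str, bytes]) -> dict[str, str]:
    """Map every file name to its bucket; the result is the scan's audit record."""
    return {name: triage_file(name, data) for name, data in files.items()}


def bucket_counts(triage: dict[str, str]) -> dict[str, int]:
    """Summary suitable for a status update: how many files per bucket."""
    return dict(Counter(triage.values()))


# Constructed sample "files"; the random blob uses a fixed seed so the
# example is reproducible.
SAMPLE_FILES = {
    "hr_roster.csv": b"name,ssn\nJane Doe,123-45-6789\n" * 50,
    "backup.bin": random.Random(12345).randbytes(4096),
    "archive.zip": b"PK\x03\x04" + b"\x00" * 100,
    "claim_notice.eml": b"From: claims@example.com\nSubject: claim\n\nPatient notes attached\n",
    "policy.pdf": b"%PDF-1.4\n%constructed placeholder body\n",
}

if __name__ == "__main__":
    result = triage_dataset(SAMPLE_FILES)
    for name, bucket in result.items():
        print(f"{name:18} -> {bucket}")
    print(bucket_counts(result))
```

Keeping the output of this step as a named bucket per file, rather than deleting anything, is what makes it defensible later: the record shows which files were excluded, on what basis, and that exclusion was a tested decision rather than a default.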
Maintaining strong oversight of the data review will help minimize a company’s potential overall risk exposure. Since data reviews are typically conducted to inform a company’s legal obligations, the vendor should be engaged under privilege, with legal counsel playing a central role in directing the review and managing its findings. This approach helps preserve privilege and ensure that the review aligns with the company’s legal strategy.
Challenge #3: A Final Data Review Deliverable That Withstands Scrutiny
Another challenge that companies commonly face is ensuring that the final data review output can withstand scrutiny from both legal and regulatory perspectives. The primary purpose of a data review is to provide actionable insights that inform a company’s legal obligations. The final report – often referred to as the “final deliverable” – serves as the official record of what reportable personal information was identified in the impacted dataset and the individuals affected, which typically forms the basis for a company’s notification decisions.
The final deliverable has become essential not only in shaping immediate notification efforts but also in serving as a foundational document in any subsequent regulatory investigation or litigation. With the continued rise of data breach class actions, the final deliverable can demonstrate whether the company acted diligently, disclosed information accurately, and fulfilled its obligations under applicable law. This record should capture all legally relevant information – that is, what data elements may trigger any legal or regulatory reporting obligations. This information, while usually dependent on the regulatory frameworks that apply to the organization, commonly includes accurately identifying affected individuals and their specific impacted data elements, as well as other contextual attributes unique to the data owner (e.g., account identifiers and policy numbers). In incidents involving third-party vendors, the final deliverable should also be structured to enable the data owner – often the customer or business partner – to make its own determinations of its breach notification obligations; this is particularly important in regulated industries such as health care or finance, where downstream obligations may differ between entities.
While the final deliverable should be tailored to the particular facts of an incident, working with legal counsel to prepare a breach notification deliverable template before an incident and incorporating it into the company’s incident response plan can significantly reduce both the likelihood of error and the time required to address these issues in real time.
Challenge #4: Balancing Depth of Data Review with Regulatory Pressure for Timely Notifications
Regulators at both the state and federal levels have increasingly pursued enforcement actions against companies that fail to meet their data breach notification obligations. These actions often stem from perceived delays in notifying affected individuals, incomplete or inaccurate disclosures, or inadequate documentation of breach response efforts. For example, in 2023, Blackbaud agreed to a $49.5 million multistate settlement following a breach that exposed the personal information of millions of individuals. Regulators criticized Blackbaud for delays in notifying affected individuals and for providing misleading or incomplete statements about the incident, highlighting the need for a robust breach notification process. In particular, the company agreed to develop and implement a breach response and notification plan that includes detailed notification responsibilities to end customers and appropriate documentation of security incidents.
A growing number of class actions have been filed in recent years against companies involving claims for allegedly failing to provide timely notice to affected individuals. These instances – along with several others – highlight the legal and financial consequences of noncompliance.
There is no single, national standard requiring an entity to notify affected individuals after a data breach. Instead, all 50 U.S. states, the District of Columbia, and several U.S. territories have enacted their own breach notification laws, each with varying definitions of reportable personal information and timelines for disclosure. Various federal and state industry-specific regulations impose further obligations, often with differing reporting thresholds and deadlines. For instance, while some laws require that companies notify affected individuals or regulators within a specific number of days, others use more flexible language like “without unreasonable delay,” which leaves room for interpretation based on the circumstances of the incident. This fragmented landscape creates significant uncertainty for companies, particularly when determining how comprehensive a data review should be to meet overlapping or conflicting obligations.
Even in the face of regulatory ambiguity and little guidance, however, companies are expected to act swiftly, defensibly, and in good faith when responding to a data security incident – particularly when assessing whether their efforts to identify and notify affected individuals were reasonable. Falling short of these expectations is viewed by regulators as not only an operational failure but also a violation of statutory obligations under industry-specific regulations and various state-level data breach notification statutes. To minimize regulatory scrutiny, companies should thoroughly document each step of the review process, creating a defensible record that demonstrates diligence, transparency, and compliance with applicable standards.
Challenge #5: When to Forgo a Detailed Data Review
While conducting a comprehensive data review is often the gold standard for incident response, it can also be technically demanding, resource-intensive, and time-consuming – often requiring weeks or even months to complete. In some cases, the population of impacted individuals cannot be readily identified. As a result, some companies in these circumstances may decide to forgo a detailed review of impacted data and instead issue blanket notifications to the entire potentially impacted population.
A “blanket notification” is when a company provides direct notice (e.g., email or mail) of a security incident to all potentially impacted individuals without first confirming exactly whose information may have been involved. This approach may be desirable in the context of large-scale incidents such as ransomware attacks when, for example, a detailed review of the impacted data is not feasible due to system encryption, corruption, or destruction. However, some companies may also decide to issue blanket notifications when the scope of the incident is unclear, to reduce costs associated with conducting an extensive data review, or to expedite the company’s response and mitigate potential legal or reputational risks associated with delays. Because such an approach often results in over-inclusive reporting, which may itself increase regulatory scrutiny, it should be considered carefully whenever a more targeted data review is feasible.
Ultimately, the decision to forgo a detailed review should be made in consultation with internal or external legal counsel and should be well documented to demonstrate that the organization acted responsibly under the circumstances.
Ransomware Fusion Center
Stay ahead of evolving ransomware threats with Alston & Bird's Ransomware Fusion Center. Our Privacy, Cyber & Data Strategy Team offers comprehensive resources and expert guidance to help your organization prepare for and respond to ransomware incidents. Visit Alston & Bird's Ransomware Fusion Center to learn more and access our tools.