Cyber Incident Response and eDiscovery Are Not One and the Same: Understanding the Key Differences and Associated Risks


With the number of cyber incidents skyrocketing, dealing with a data breach has become an all-too-common experience. In 2022 alone, there were over 500 million cyber-attacks, and over 60 percent of the entities attacked were hit more than once. The average cost to recover from a cyber-attack has increased to over $1.4 million per incident. Trends suggest these numbers and the threats will only continue to grow.

Once an attack occurs, it is important to know who at your organization will respond and in what capacity. Often a professional is tapped to respond to a cyber incident because the work relates to their job, even though it is not actually their job. Commonly, those in roles associated with eDiscovery, such as IT/forensics specialists and legal professionals/attorneys, are asked to aid in the aftermath of a cyber incident. While there are similarities between the process and tools needed for eDiscovery and cyber incident response (CIR), having eDiscovery professionals perform post-breach tasks instead of cyber professionals incurs risk. The goals, objectives, and training of eDiscovery and CIR professionals are different. Crossing these roles can cause confusion, inefficiencies, and risk.

CIR Is Not eDiscovery

Process and Technology

CIR and eDiscovery professionals are more like cousins than siblings. CIR goals include locating data that has been breached, finding anyone whose data was exposed, and creating notification lists to alert all affected individuals in a timely manner. This is both broader and narrower than an eDiscovery document review, where the goal is to produce relevant data and protect privileged information while also identifying key themes and facts. All the nuance involved in privilege and relevancy review requires more knowledge of case facts. However, a CIR can actually take longer, because every impacted individual, potentially millions of them, needs to be captured, and it is often difficult to ascertain that information ahead of time. Unlike eDiscovery, where the types of files and topics a custodian's data will contain are generally known, clients are usually surprised by the PII that exists in their breached data and where it lives. It is not uncommon to discover voluminous amounts of information requiring disclosure after being told there will not be much to find. It is important to understand in the planning, budgeting, and expectation-setting phases that even when a matter is less complex, the density of personal information and the CIR objectives can make review slower and more expensive.

Despite taking longer at times, CIR tends to have accelerated timelines and urgency. CIR often has a time-sensitivity component due to laws and regulations controlling breach notification. At other times, as with ransomware, there is a need or desire to understand what is in the compromised data and take appropriate action. This can include notification before the data or the breach itself is made public by a bad actor. CIR is not something organizations can anticipate, and it often results in throwing as many resources as possible at the project quickly, even at the expense of efficiency.

Staffing and Cost

Because a CIR and eDiscovery review are quite different, there needs to be differences in how teams approach review and expend resources. Think of this as a word search puzzle versus a crossword puzzle.

CIR involves objective identification, while eDiscovery is often subjective. CIR requires extracting information about every entity impacted, versus looking for broad and potentially amorphous themes and ideas. Review for eDiscovery requires looking at every document on its face, while in CIR, familial context (a message together with its attachments) is critical. CIR does not require legal determinations and rarely needs an attorney to perform the work. In eDiscovery, the concepts of attorney-client privilege and work product are front and center, so the use of barred attorneys to complete the work is key.

All these differences can greatly impact the cost of resources to staff a project. New CIR clients often assume there will be attorney review, when in fact legal training and background can result in overthinking and slower review. Non-attorneys tend to excel at the objective tasks of CIR.

eDiscovery Considerations for CIR

Despite the differences, there are eDiscovery considerations to keep in mind when performing CIR:

  1. Many of the same tools and strategies for eDiscovery can be leveraged in part in CIR. This includes search terms and regular expressions, data processing, data review, and artificial intelligence (AI) tools.
  2. Breaches can lead to litigation and frequently large class actions. Because of this, taking defensible and well-documented actions is important. Attorney-client privilege is not relevant in the reviewed material of a CIR, but is relevant to the communications and response to the event. Make certain legal advice is provided by someone familiar with CIR, not just eDiscovery. A common reason class actions result from CIR is because the entity did not respond properly, perhaps because they treated it like an eDiscovery exercise.
  3. Breaches can lead to internal investigations, which can also result in litigation.
  4. Best practices in information governance designed to help avoid and/or prepare for a cyber incident can also be applied to eDiscovery obligations. Good information governance will not win a case or ensure proper eDiscovery by itself, but poor information governance can lead to poor eDiscovery or disappointing case outcomes. Spoliation and sanctions are real threats with poor information governance.
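As an added illustration, not code from the article or from Epiq, the following Python script applies the objective, regex-driven identification described in the staffing section and in item 1 above to a constructed set of breached documents: it builds a per-individual notification list, attributes PII found in an attachment to the person named in its parent message (the familial-context point), and flags families where no single individual can be identified for human review. The document layout, field labels, patterns and sample values are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample "breached" documents (not real data). "parent" links an
# attachment to its parent message, which together form one document family.
DOCS = [
    {"id": "D1", "parent": None, "text": "Employee: Jane Doe\nSee attached enrollment form."},
    {"id": "D2", "parent": "D1", "text": "SSN: 123-45-6789\nDOB: 01/02/1980"},
    {"id": "D3", "parent": None, "text": "Employee: John Roe\nContact: john.roe@example.com\nSSN: 987-65-4321"},
    {"id": "D4", "parent": None, "text": "Employee: Jane Doe\nContact: jane.doe@example.com"},
    {"id": "D5", "parent": None, "text": "Quarterly newsletter, no personal data here."},
    {"id": "D6", "parent": None, "text": "SSN: 111-22-3333"},  # PII but no named person
]

# Objective patterns: an assumed "Employee:" name field plus notifiable PII elements.
NAME_RE = re.compile(r"^Employee:\s*(.+)$", re.MULTILINE)
PII_RES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "dob": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}

def group_families(docs):
    """Map each family root id to its members (one level: parent plus attachments)."""
    families = defaultdict(list)
    for d in docs:
        families[d["parent"] or d["id"]].append(d)
    return families

def build_notification_list(docs):
    """Return (notification_list, needs_review).

    PII found anywhere in a family is attributed to the single person named in
    that family; families with PII but zero or several names are flagged."""
    people = defaultdict(lambda: {"elements": set(), "sources": set()})
    needs_review = []
    for root, members in group_families(docs).items():
        names = {n.strip() for d in members for n in NAME_RE.findall(d["text"])}
        found = {(kind, d["id"]) for d in members for kind, rx in PII_RES.items() if rx.search(d["text"])}
        if not found:
            continue  # nothing notifiable in this family
        if len(names) != 1:
            needs_review.append(root)  # a reviewer must attribute this PII by hand
            continue
        person = people[names.pop()]
        for kind, doc_id in found:
            person["elements"].add(kind)
            person["sources"].add(doc_id)
    return ({n: {"elements": sorted(v["elements"]), "sources": sorted(v["sources"])}
             for n, v in sorted(people.items())}, needs_review)
```

Run with `build_notification_list(DOCS)`: Jane Doe's SSN and date of birth are picked up from attachment D2 only because the parent D1 names her, and D6 lands in the review queue rather than silently dropping off the notification list.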

While eDiscovery and CIR have overarching characteristics in common at a very high level and involve similar processes, in practice they can be quite different. Given the legal and regulatory ramifications of each, organizations must use the right resources. An eDiscovery expert is not inherently qualified to lead a CIR, and vice versa. Vet teams and staff according to the event and end goal. When hiring an attorney, make sure they have specific CIR experience and knowledge. CIR regulation is less mature than eDiscovery regulation and is top of mind for many, so the pace at which regulations change or new regulations are adopted is much quicker. Look for someone who stays abreast of those changes. The same applies to CIR vendors. Look for a partner who is familiar with CIR and its nuances. Experience running multiple CIR projects and knowing the ins and outs, timing needs, deliverable needs, and potential issues is key. This is not something that can simply be gained from eDiscovery review. Above all, remember that eDiscovery and CIR are two separate specialties with different goals and mindsets required.

Brandon Hollinder
Director of eDiscovery Solutions at Epiq
Brandon Hollinder is a licensed attorney, CEDS, and holds the position of Director of eDiscovery Solutions at Epiq. He has more than 15 years of experience in the eDiscovery managed services, document review, and cyber fields.