CBI Confidential Business Information

Eliminate a Fatal Flaw in Your Information and Data Loss Prevention Strategy in Five Steps

Share this article

Legal teams go to great lengths to identify and protect privileged information from inadvertent disclosure. There is another type of information that could be just as damaging to the company as a whole, but it receives far less focus and protection during the eDiscovery process: Confidential Business Information (“CBI”).

CBI refers to information unique to the corporation who owns it. It’s anything key to the business that the company would not want its competitors, or the public, to know. Examples include board meeting presentations, go-to-market plans, metrics and analysis about the company’s economic performance, and future business plans.

While corporations rigorously protect CBI in scenarios outside of litigation, it may take a back seat during litigation. This can be due to multiple factors:

  • Competing priorities, where the primary focus is centered around other legal issues (like privilege),
  • Lack of active involvement of stakeholders who are aware of, and knowledgeable about, the form and presence of CBI,
  • Employing outside counsel to review this information, making identification and protection cost prohibitive.

How can an organization overcome these factors in a way that is sustainable? Historically there has not been an easy mechanism for doing so and the vast majority of organizations have no plan or process in place today for addressing CBI. However, with today’s AI-based technologies, there are strategies that can be stood up to protect CBI during the litigation process. These strategies rely on preparation, education, awareness, and safeguards, and eliminate the reliance on end-users via AI.

Follow these five steps to reduce your company’s risk of inadvertently disclosing CBI during litigation:

1. Define what CBI means in the context of your company.

Do you have data you want to protect?  Include all relevant stakeholders from your business in the conversation as you define CBI, such as business unit leaders, sales and marketing leaders, engineering leaders, and members of your legal team.

2. Proactively define CBI data ahead of litigation in a plan document.

Proactively define CBI data ahead of litigation in a plan document that can be shared and updated, and then address it again at the onset of each litigation. Wrapping a CBI discussion into your custodian interview process is a great way to address it in every matter, early in the matter, and to also consult the data owner’s subject matter expertise about its content. By addressing CBI sooner rather than later in the process you can ensure it is thought through before counsel negotiates ESI and production protocols.

3. Once you have defined what CBI is in the context of your company, locate and flag it.

Which employees and custodians would possess this data? What file shares or systems would include it?  Do you have tools such as Microsoft 365 that let you flag data for special treatment and that you can use to more easily identify the presence of such data when collecting and producing it in litigation or arbitration for example.

4. Use portable AI models to assist with CBI identification.

With your definition of CBI, along with some examples, you can use AI to help flag and identify CBI in your data sets. Ultimately this work will help you create a portable AI model that can be customized, updated, refined, and, importantly, reused across your data sets. One benefit of a portable model approach is it can be updated for new data sets that contain different types of information and to account for a changing definition of CBI over time.

Withholding and redacting privilege is commonplace and a well-established workflow and understanding across the legal community exists for protecting it including searching, identifying, describing, redacting, and logging the information. If you can identify and explain what constitutes CBI, you can potentially treat it just like privilege. However, this is not a complete solution. There will be courts who do not allow CBI redactions and there may be matters where CBI is relevant to the dispute and so must be produced. Under such scenarios having a strong protective order that addresses and protects CBI is even more critical. Consider provisions such as Outside Counsel Eyes only designations and dichotomies to help minimize who on the opposing party side may see the information.

These five steps do not need to be an all-or-nothing proposition across every matter. If there is a matter where you know CBI won’t exist or the receiving party would not recognize CBI or be able to do anything with it, then perhaps it is not worth the effort. At a minimum, defining what CBI is for you and where it might be located are key first steps. When and how you choose to further review and protect CBI can be made when the issue arises.

Letting CBI out the door is, in essence, a preventable and self-inflicted data breach. Don’t risk your company’s most important and strategic information. Develop a well thought out plan on how to address CBI sooner rather than later, and don’t hesitate to engage a consultant or expert to assist.

Brandon Hollinder on Email
Brandon Hollinder
Director of eDiscovery Solutions at Epiq
Brandon Hollinder is a licensed attorney, CEDS, and holds the position of Director of eDiscovery Solutions at Epiq. He has more than 15 years of experience in the eDiscovery managed services, document review, and cyber fields.

Share this article