In my last post, I addressed finding a needle in a haystack when an opposing party produces its documents to you as a large, unorganized document dump. The next two posts in this series address what happens when you know that there’s a haystack but you’re not so sure about what the needles might look like. In this post, I will address an instance where you know the basic facts of your case but you have some evidentiary gaps.

While news broke on August 18th of Ashley Madison’s stolen data being released via the dark web, Target was penning the final strokes on a $67 million settlement agreement with Visa stemming from its 2013 largely-publicized data breach[1]. This bookend series of events on a single day from two divergent companies highlights the life cycle of a data breach, from discovery, to announcement, to resulting lawsuits. What I find worth watching in this cycle is the recent evolution of consumer plaintiff standing in class action lawsuits, because of the potential costly implications for corporations.

Many organizations struggle with how to get started with a data map, and how to use one that they have. Some basic steps are outlined below, though your project may not follow these exactly. The scope of your project will depend on how complex your organization’s IT is, your resources, and timing; creating and using a data map pre-litigation is going to be different than when you are responding to discovery. It is important to remember that data maps may be developed incrementally, such as by focusing on certain departments or systems before attempting to data map everything.

Does your company have a written policy regarding whether employees may “bring your own device” (BOYD) for work? If not, you need one. At a minimum, your company policy should clearly state whether employee-owned devices may be used in the workplace or to access company data, and if so, in what circumstances. If your company has not already determined what the policy should be, there are risks and benefits of allowing BYOD that you will have to weigh. Two options for employees to use mobile devices for work include “Bring Your Own Device,” in which an employee purchases a device and uses it for work, and “Corporate-Owned, Personally Enabled” devices, or COPE, , involves issuing company-owned devices to employees. Each program has benefits and risks and you will need to determine what program fits best within your corporate culture.

The last 18 months have been a bonanza for cyber criminals. In January, 2014 Target announced that personal information had been stolen from over 110 million accounts; over 83 million accounts at JP Morgan were hacked in August and in September Home Depot acknowledged that 56 million customer accounts were accessed when its payment system was breached. Other well known companies were victimized as well: Neiman Marcus, Yahoo! Mail and even PF Chang’s China Bistro all reported major breaches involving customer data. Just before the start of the 2014 Thanksgiving holiday, news reports began to emerge about a potentially significant data breach at Sony Pictures.