Data Mapping: Leave No Data Behind

By Ariyah Mandel
April 01, 2023

In the current digital era, businesses gather and keep enormous volumes of data on their clients, staff and operations. Data breaches and cyberattacks become more likely as data volume increases. To reduce these risks, corporate legal departments must implement an efficient information governance procedure that incorporates data mapping. Data mapping is the process of figuring out what information a company gathers, where it is kept and how it moves across the company. Every company's legal department should engage in it, since it enables the department to comprehend its data landscape and put the necessary security measures in place to safeguard sensitive data. This article examines the importance of data mapping for corporate legal departments and how it fits into a larger strategy.

Familiar Ways That Data Mapping Engages In Your Everyday Matters

We all know that data mapping is the process of identifying and documenting the flow of data through a system or organization. In litigation or regulatory cases, data mapping can help identify and locate relevant data sources, understand the scope of data retention obligations and assess the risks associated with data storage and management practices. Here are some familiar ways that data mapping is involved in litigation and regulatory cases:

  1. Securities Fraud Investigation. In a securities fraud investigation, data mapping can help identify all the systems and applications that may contain relevant data, such as trading systems, customer databases and email archives. Data mapping can also aid in picking out the individuals with access to this data and the specific elements relevant to the investigation.
  2. E-Discovery. In e-discovery, data mapping can help identify the locations of electronically stored information and determine the best approach for collecting, processing and reviewing that ESI. This can include mapping the data flow within an organization to find key custodians and data repositories and tracking the data processing and review workflows to ensure that relevant data is identified and produced promptly and efficiently.
  3. Privacy Compliance. In a privacy compliance audit or investigation, data mapping can help identify the types of personal data that an organization collects, where that data is stored, how it is processed and who has access to it. This can assist organizations in uncovering potential compliance risks and developing strategies for minimizing those risks, such as implementing data minimization and deletion policies.
  4. Intellectual Property Litigation. In intellectual property litigation, data mapping can help identify the locations of key documents, such as patents, trademarks and copyrights, as well as the systems and applications used to create, store and manage those documents. This can aid in determining potential sources of infringement or misappropriation and potential weaknesses in an organization's intellectual property management practices.
  5. Anti-Money Laundering Compliance. In an anti-money laundering investigation, data mapping can help identify the locations of financial transaction data, such as bank records and wire transfer logs, as well as the systems and applications used to manage that data. This can allow investigators to trace the flow of funds through an organization and establish potential money laundering activities.

Data mapping has become increasingly important in recent years as more companies collect and process substantial amounts of personal data. Failure to properly map and protect data can lead to legal repercussions, including fines, penalties and legal liability.

But Have We Seen Data Mapping Play a Role In Any Recent Cases?

Here are 10 examples from recent cases in which data mapping played a significant role:

  1. In July 2021, the Irish Data Protection Commission issued a decision against WhatsApp for GDPR violations related to its data mapping practices. The DPC found that WhatsApp did not provide sufficient information to users about its data processing activities, including data mapping, and failed to obtain valid consent for these activities.
  2. In November 2020, the UK Information Commissioner's Office fined Ticketmaster UK Ltd £1.25 million for GDPR violations related to a data breach. The breach was caused by a vulnerability in a third-party support chatbot, which allowed attackers to access customer data. The ICO found that Ticketmaster did not have proper data mapping in place to identify and protect customer data.
  3. In August 2020, the U.S. Federal Trade Commission settled with Zoom Video Communications over allegations that the company had misled users about its security and data practices. The settlement required Zoom to implement a comprehensive data security program, including data mapping, and submit to third-party audits for 20 years.
  4. In United States v. CareFirst, Inc., 1:15-cv-00882-TSC (D.D.C. Mar. 29, 2017), the government sued the defendant for failing to take reasonable steps to protect the sensitive personal information of its customers. As part of the litigation, the defendant was required to produce data maps of its information systems to show how the sensitive information was being stored and transmitted.
  5. In Liberty Mutual Fire Insurance Co. v. EZ-FLO International, Inc., 1:16-cv-05720 (N.D. Ill. Mar. 1, 2018), the plaintiff sought summary judgment in a case involving a claim for damages resulting from a fire caused by a defective product. The plaintiff relied on data mapping evidence to demonstrate that the defendant's product was defective and caused the fire.
  6. In In re Equifax, Inc., Customer Data Security Breach Litigation, 1:17-md-2800-TWT (N.D. Ga. Apr. 18, 2019), the defendant was sued by customers and financial institutions after a data breach exposed the personal information of millions of individuals. As part of the litigation, the defendant was required to produce data maps of its information systems to show how the breach occurred and what information was compromised.
  7. In the case of In re: Capital One Consumer Data Security Breach Litigation, data mapping was used to demonstrate that certain data was not accessed during a cyberattack. The court granted summary judgment in favor of Capital One, finding that the plaintiffs had failed to show that they had suffered any harm as a result of the breach.
  8. In the case of Cunningham v. Montesano, data mapping was used to show that certain emails were not sent or received during a specific time period. The court granted summary judgment in favor of the defendant, finding that the plaintiff had failed to produce sufficient evidence to support a claim of defamation.
  9. In the case of Collin v. State Farm Mutual Automobile Insurance Co., data mapping was used to show that the defendant did not discriminate against minority customers in setting auto insurance rates. The court granted summary judgment in favor of State Farm, finding that the plaintiffs failed to provide evidence of discriminatory intent.
  10. In the case of C. v. Esper, data mapping was used to show the location and movements of military personnel in Afghanistan. The court granted summary judgment in favor of the government, finding that the plaintiffs had failed to establish a claim of negligence in handling their personal information.

These are just a few examples, but they demonstrate how data mapping was used in legal cases to support or refute claims. Data mapping is more than a critical component of data protection, privacy and compliance; it can be useful in many legal scenarios involving personal data.
