Data Breach Response at Scale: Lessons from a Fortune 20 Retailer

When a Fortune 20 retailer was hit with a ransomware attack, the real challenge wasn’t containment. It was clarity.

More than 22 million records were exposed, spanning PII and PHI across pharmacy systems, loyalty programs, insurance data, and internal HR platforms. The data was fragmented, inconsistent, and scattered across systems that were never designed to work together. At the same time, regulators across multiple jurisdictions were expecting clear, defensible answers within weeks.

This wasn’t theoretical. It was a matter Lineal handled from initial scoping through regulator-ready output in just three weeks, without large-scale manual review.

The difference wasn’t effort. It was approach.

The Part Most Breach Plans Don’t Solve

Most organizations are built to respond to the breach itself. Incident response teams move quickly to contain the threat, isolate systems, and begin forensic analysis. That part is structured, practiced, and usually effective.

The breakdown happens immediately after, when the question shifts from what happened to what actually matters: who was affected, what data was exposed, and what needs to be reported.

This is where most teams fall back on what they know: eDiscovery workflows. Data gets collected, processed, loaded into a review platform, and handed off for manual review.

That model works for litigation. It was never designed for breach response.

Because in a breach, you’re not dealing with documents. You’re dealing with data. Messy, duplicated, structured data pulled from multiple systems, with sensitive information hiding in places no keyword search will ever reliably surface. Treating that like document review doesn’t just slow you down. It fundamentally misframes the problem.

The Clock Is Already Against You

While teams are trying to force this data into a familiar workflow, the regulatory clock is already running.

Global frameworks are tightening timelines across the board. GDPR requires notification within 72 hours. Singapore’s PDPA gives you three days. California’s SB 446 sets a 30-day deadline for individuals. Other jurisdictions follow similar paths, often overlapping in ways that make compliance even more complex.

There is no room to “figure it out later.” The expectation is speed, accuracy, and defensibility, simultaneously.

And the cost of missing that mark is not theoretical. It’s measured in regulatory exposure, operational disruption, and long-term reputational damage that far outlasts the breach itself.

A Data-First Approach Changes the Outcome

When Lineal approached the Fortune 20 retailer matter, the team didn’t start by forcing the data into a review platform. They started by making the data usable.

The first step was normalization: bringing together fragmented datasets from across pharmacy systems, loyalty databases, insurance platforms, and HR environments into a single, structured foundation. Each source came with its own schema, inconsistencies, and gaps. Until that was resolved, no analysis would be reliable.

From there, Amplify™ was used to analyze the data as data, not as documents. Duplicate records were collapsed to reduce noise and volume. Detection logic was tailored specifically to the client’s PII and PHI patterns, rather than relying on generic rules. Free-text fields were analyzed to surface sensitive information that traditional workflows routinely miss.

Human validation was layered on top to ensure that every output was accurate, defensible, and aligned with regulatory expectations.
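The normalize, collapse duplicates, detect, and summarize sequence the three paragraphs above describe, shown as an added Python example. This is not Lineal's or Amplify's code; it assumes constructed rows from two source systems with different schemas, constructed detection patterns (including a hypothetical client-specific insurance member-id format, `MEM-` followed by digits, standing in for tailored PII/PHI logic), and a deliberately simple linking rule: rows that share a normalized name, SSN, e-mail or phone are treated as one person. That rule over-merges on common names, which is exactly the kind of output a human validation pass would be expected to check.

```python
import re
from collections import defaultdict

# Detection logic run over free-text fields. Patterns are constructed for this example;
# "insurance_member_id" is a hypothetical client-specific format, not a real scheme.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "insurance_member_id": re.compile(r"\bMEM-\d{6,}\b"),
}

# Field normalizers so the same value from different systems compares equal.
def norm_name(value):
    return " ".join(re.sub(r"[^a-z ]", " ", value.lower()).split())

def norm_phone(value):
    digits = re.sub(r"\D", "", value)
    return digits[-10:] if len(digits) >= 10 else ""

def norm_ssn(value):
    digits = re.sub(r"\D", "", value)
    return digits if len(digits) == 9 else ""

def norm_email(value):
    return value.strip().lower()

NORMALIZERS = {"name": norm_name, "phone": norm_phone, "ssn": norm_ssn, "email": norm_email}
COMMON_FIELDS = ("name", "dob", "ssn", "email", "phone")

# Constructed sample rows: each source has its own column names and its own free-text field.
SOURCES = {
    "pharmacy": {
        "map": {"id": "patient_id", "name": "name", "dob": "dob", "ssn": "ssn", "text": "notes"},
        "rows": [
            {"patient_id": "P-001", "name": "Jane Q. Doe", "dob": "1980-03-14", "ssn": "123-45-6789",
             "notes": "Rx refill; called back at 555-123-4567"},
            {"patient_id": "P-002", "name": "JOHN SMITH", "dob": "1975-11-02", "ssn": "",
             "notes": "Insurance member id in free text: MEM-0099321"},
        ],
    },
    "loyalty": {
        "map": {"id": "member_id", "name": "full_name", "email": "email", "phone": "phone", "text": "comments"},
        "rows": [
            {"member_id": "L-77", "full_name": "jane q doe", "email": "Jane.Doe@Example.com",
             "phone": "(555) 123-4567", "comments": ""},
            {"member_id": "L-78", "full_name": "Jane Q Doe", "email": "jane.doe@example.com",
             "phone": "555.123.4567", "comments": "dup of L-77"},
            {"member_id": "L-79", "full_name": "Alice Roe", "email": "alice@example.org",
             "phone": "", "comments": "SSN on file 987-65-4321"},
        ],
    },
}

def normalize(source, mapping, row):
    """Map one source row onto the common schema and apply the field normalizers."""
    rec = {"source": source, "source_id": row[mapping["id"]],
           "text": row.get(mapping["text"], "") if "text" in mapping else ""}
    for f in COMMON_FIELDS:
        raw = row.get(mapping[f], "") if f in mapping else ""
        rec[f] = NORMALIZERS.get(f, str.strip)(raw)
    return rec

def scan_text(text):
    """Run every detector over a free-text field; return {category: set(normalized hits)}."""
    hits = {}
    for category, pattern in DETECTORS.items():
        found = {NORMALIZERS.get(category, str.strip)(m) for m in pattern.findall(text)}
        if found:
            hits[category] = found
    return hits

def enrich(rec):
    """Record which data elements a row exposes and which identifiers can link it to other rows."""
    elements = {f for f in ("dob", "ssn", "email", "phone") if rec[f]}
    link_keys = {f"{f}:{rec[f]}" for f in ("name", "ssn", "email", "phone") if rec[f]}
    for category, values in scan_text(rec["text"]).items():
        elements.add(category)  # sensitive data hiding in free text counts as exposed
        if category in ("ssn", "email", "phone"):
            link_keys |= {f"{category}:{v}" for v in values}
    rec["elements"], rec["link_keys"] = elements, link_keys
    return rec

def link_records(records):
    """Collapse rows that share any linking identifier into one group (union-find)."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}
    for i, rec in enumerate(records):
        for key in rec["link_keys"]:
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec)
    return list(groups.values())

def resolve_individuals(sources=SOURCES):
    """Raw rows -> one entry per affected individual, with sources and exposed data elements."""
    records = [enrich(normalize(name, src["map"], row))
               for name, src in sources.items() for row in src["rows"]]
    individuals = [{
        "name": group[0]["name"],
        "sources": sorted(f'{r["source"]}:{r["source_id"]}' for r in group),
        "elements": sorted(set().union(*(r["elements"] for r in group))),
    } for group in link_records(records)]
    return sorted(individuals, key=lambda p: p["name"])

def element_counts(individuals):
    """How many individuals had each data element exposed (the figure a notification needs)."""
    counts = defaultdict(int)
    for person in individuals:
        for element in person["elements"]:
            counts[element] += 1
    return dict(counts)

if __name__ == "__main__":
    people = resolve_individuals()
    raw = sum(len(src["rows"]) for src in SOURCES.values())
    print(f"{raw} raw records -> {len(people)} affected individuals")
    for person in people:
        print(person["name"], person["sources"], person["elements"])
    print(element_counts(people))
```

On the constructed rows, five raw records collapse to three individuals: the three Jane Doe rows merge on name, phone and e-mail even though the pharmacy row carries an SSN and no e-mail and the loyalty rows carry the reverse, the phone number in the pharmacy note is picked up by the free-text scan, and Alice Roe's SSN is found only in a comment field that a keyword search on column names would never touch.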

This is not a theoretical model. Lineal holds the Relativity Data Breach Response competency, reflecting proven, repeatable workflows built for exactly this kind of problem.

The outcome was straightforward: 22 million records analyzed, a three-week deadline met, and a regulator-ready output delivered without large-scale manual review. More importantly, the client had a clear, defensible understanding of who was affected and what data was exposed.

Technology Alone Isn’t the Fix

It’s easy to assume this is a tooling problem. It isn’t.

Breach response is a coordination problem just as much as it is a data problem. Legal, compliance, security, forensic investigators, and executive stakeholders are all involved, often working under pressure and with incomplete information.

Without a unified workflow, those efforts fragment quickly. Work gets duplicated, timelines slip, and outputs don’t align with what regulators actually expect.

Most organizations unintentionally make this worse by starting from scratch when a breach occurs, bringing in a provider, onboarding a new team, and trying to explain their data environment in real time. That delay is where responses lose momentum.

Why Prepared Organizations Move Faster

The organizations that respond well don’t build their capability during the breach. They already have it.

They know where their sensitive data lives across systems and geographies. They have teams in place that understand how to analyze that data at scale. And they have workflows designed to move from raw data to defensible answers without hesitation.

A managed services model makes that possible. With an embedded partner, there is no onboarding lag, no discovery phase, and no need to translate the environment under pressure. The response starts immediately, with a team that already understands the landscape. That difference is often measured in days, and in breach response, days matter.

Rethinking Breach Response

If your breach response plan still relies on document review as its primary method of analysis, it is already out of step with the reality of modern data.

Breach response today is not about reviewing documents. It is about understanding complex data environments quickly, accurately, and in a way that stands up to regulatory scrutiny.

That requires a different mindset, a different workflow, and a different level of readiness.

Because when a breach happens, the question isn’t whether you can review the data. It’s whether you can make sense of it, fast enough to act.

__

About Author

Brian Stempel is a law practice technology executive and thought leader with over 30 years of experience in delivering innovative solutions and services to the legal industry. He is the Senior Vice President of Strategic Client Solutions at Lineal, where he helps clients solve legal challenges with Lineal’s award-winning Amplify™ platform. Before Lineal, Brian ran eDiscovery operations at Kirkland & Ellis, Paul Hastings, and Debevoise & Plimpton. A life-long learner, he also holds executive education certificates from Cornell University, MIT Sloan School of Management, Columbia Business School, and Harvard Business School in various fields related to artificial intelligence, innovation, DEI, and leadership.

__

About Lineal

Lineal is an innovative eDiscovery and legal technology solutions company that empowers law firms and corporations with modern data management and review strategies. Established in 2009, Lineal specializes in comprehensive eDiscovery services, leveraging its proprietary technology suite, Amplify™, to enhance efficiency and accuracy in handling large volumes of electronic data. With a global presence and a team of experienced professionals, Lineal is dedicated to delivering custom-tailored solutions that drive optimal legal outcomes for its clients. For more information, visit lineal.com.