The LDI Approach to Data Loss Prevention

Author: LDI Team

July 11, 2025

In 2019, Capital One disclosed a massive data breach—possibly the largest bank data breach in history—that exposed the personal information of more than 100 million people. The attacker, a former engineer at the bank’s cloud services provider, exploited a misconfigured firewall to access a trove of data stored on Amazon’s servers: names, addresses, credit scores, even linked bank accounts.

The breach sparked a $190 million class action lawsuit. The bank also had to pay an $80 million fine to regulators, and a consent order by the US Treasury rapped it for failing to establish “adequate data loss prevention controls.”

Four years after this attack, Tesla faced a data crisis of its own. More than 100 gigabytes of internal employee files were leaked: compensation records, Social Security numbers (including Tesla CEO Elon Musk’s own SSN), and sensitive data such as consumer complaints regarding Tesla's Full Self-Driving (FSD) features. The data exfiltration was orchestrated by two former employees who leaked it to a German newspaper.

It’s important to note that neither of these incidents was a zero-day attack. Neither featured advanced malware, and neither was carried out by nation-state actors.

But the larger question is how such high levels of sensitive information could be accessible, extractable, and transmissible in the first place.

When the SUN is Hiding in Plain Sight

Most enterprises have some form of data protection infrastructure in place—endpoint security, encryption, firewalls. But too often, they lack a coherent and actionable policy for what kind of data needs protecting. Not all data is equal, yet without consistent classification and controls, organizations are left with blind spots: files carrying sensitive, useful, and necessary (SUN) data.

The implications are profound. Misrouted spreadsheets, unmonitored cloud folders, and unclassified HR files don’t just trigger IT alerts—they open the door to regulatory investigations, civil litigation, reputational damage, and shareholder lawsuits. The exposure isn’t always immediate. And so the risk continues to loom. Legal Data Intelligence practitioners are increasingly being asked to step into this space to bring legal clarity to a technical problem. What kind of data constitutes risk? Who determines materiality? What thresholds or workflows should trigger an alert or a block?

Moving from Crisis Response to Preemptive Strategy

Today's business environment runs on information, most of it stored as electronic data. Whether data is lost through cybersecurity breaches or departing employees, an organization needs controls and safeguards that are process-oriented as well as technical.

To support this shift, we’ve introduced a new use case in the Legal Data Intelligence model: Data Loss Prevention (DLP).

The workflow helps LDI practitioners divide DLP policies into three different areas: Data Identification, Data Classification, and Data Protection.

It recognizes the interconnected nature of a DLP program (including data governance, security operations, configuration management, and policy) and highlights LDI's focus on breaking down silos. Legal teams can now use this framework to partner more effectively with IT and security, define SUN data across business units, and ensure that sensitive information is consistently protected, before regulators or threat actors ever come calling.

The Data Loss Prevention workflow is now live and available for download. It was jointly developed by founding members Briordy Meyers and Sarah Bennington, along with LDI Architects Joe Bartolo, Ryan Costello, Chris Haley, Michael C. Kearney, Rachel McAdams, George Phillips, Lisa Ripley, Rob Robinson, and Michael Sarlo.
