Frequently Asked Questions

ValidatePIIClasses (VPC) is a breach validation platform purpose-built for litigation support. We determine which individuals in a dataset had specific types of personally identifiable information exposed in data breaches. Rather than relying on breach notifications alone, VPC cross-references your population data against multiple breach intelligence sources to produce verified, per-person exposure findings.

VPC serves law firms, legal service providers, and claims administrators working on data breach class action cases. The platform helps quantify harm heterogeneity across a class by determining exactly what data was compromised for each individual, supporting settlement allocation and damages analysis.

Consumer breach notification services tell you that a breach happened. VPC tells you exactly who was in it and what was exposed. Key differences:

• Per-person validation against actual breach data, not just metadata
• Breach-specific attribution linking each exposure to a named incident
• Cutoff-date filtering to separate pre-existing exposure from new incidents
• Exportable reports with breach groups and PII class breakdowns for court filings

Access to VPC is limited to vetted organizations due to the sensitive nature of breach data. Contact our team at Sales@ValidatePiiClasses.com to discuss your use case and begin onboarding. We verify all users to ensure the platform is used for legitimate litigation support.

You upload a CSV or Excel file containing your population data. At minimum, email addresses are required for basic breach lookups. For deeper validation, you can include:

• Full name (first and last)
• Phone number
• Physical address (street, city, state, ZIP)
• Date of birth

The more identifying fields you provide, the more comprehensive the breach matching becomes.

The upload process has four stages:

• Upload: Your file is encrypted immediately upon upload.
• Map Fields: You map your spreadsheet columns to standardized PII fields. AI-assisted suggestions help speed this up.
• Process: Each record is cross-referenced against breach intelligence sources. Your uploaded file is deleted at this stage.
• Report: Results are available in an interactive report with filtering, breach groups, and Excel export.

If a record in your dataset contains multiple email addresses, VPC automatically expands that row into separate searchable entities. Each entity is checked independently against breach sources. The results then roll back up to the original record, so your report totals align with your input file.

Processing time depends on dataset size and the processing tier selected. You will see real-time progress updates during processing. Most projects complete within hours. Large datasets with advanced validation may require additional time.

VPC offers multiple processing tiers that provide increasing levels of depth and confidence:

• Email-based lookups: Searches breach databases using email addresses. Returns claimed exposure based on breach metadata.
• Record-level matching: Expanded database coverage that confirms an individual's record exists in a breach.
• Field-level validation: Comprehensive multi-field search that matches your actual PII data against breach records for the highest confidence results.

These represent increasing levels of confidence:

• Claimed: The breach metadata indicates this data class was part of the incident.
• Confirmed: The individual's record was verified as present in the breach database.
• Validated: Your PII data was directly matched against breach records. This is field-level proof of compromise.

Yes. You can upgrade from a lower tier to a higher one without re-uploading your data. This lets you start with a cost-effective analysis and move to full validation if the case requires it.

VPC assigns each person to a breach group (G0 through G3) based on exposure severity:

• G0 – No Exposure: No breach matches found.
• G1 – Low Severity: One to two breach matches.
• G2 – Moderate Severity: Three to four breach matches.
• G3 – High Severity: Five or more breach matches.

Breach groups help prioritize class members by exposure severity for settlement allocation.

The cutoff date lets you filter breach results by when the breach occurred. Breaches are categorized as pre-cutoff or post-cutoff relative to a date you set. This is critical for litigation where you need to isolate exposure that occurred before or after a specific incident.

Changing the cutoff date dynamically recalculates all breach counts and group assignments without reprocessing.

VPC identifies exposure across standardized data classes including:

• Contact: Name, Address, Phone, Email
• Identity: Date of Birth
• Government IDs: SSN, ITIN, Driver's License, Passport
• Financial: Credit Card, Bank Account
• Credentials: Passwords, Security Questions

Grouped classes like Government IDs can be viewed as a summary or expanded to show individual components.

The interactive report includes:

• Key metrics: total records, breached vs. not breached counts
• Breach group distribution (G0 through G3)
• PII exposure breakdown by data class
• Filterable records table with per-person breach details
• State-by-state breakdown for jurisdictional analysis
• Saved views to preserve filter configurations

Yes. Reports export to Excel with all applied filters preserved. You can choose grouped data classes (e.g., Government IDs as a single column) or expanded individual columns (SSN, ITIN, Driver's License, Passport). Exports include record IDs, breach counts, data class flags, and state information.

VPC uses a defense-in-depth approach:

• Files are encrypted immediately upon upload using AES encryption
• Uploaded files are deleted as soon as processing begins
• PII fields are cleared from processing tables after results are generated
• All data is encrypted in transit via TLS
• Each tenant's data is isolated in separate database schemas

Only users you explicitly authorize within your organization can access your projects. Company users have read-only access limited to their assigned projects. VPC staff access is restricted to essential support operations and is logged.

Uploaded files are encrypted at rest and deleted once processing starts. Pre-processing data has a retention window. After processing completes, only breach match results and aggregated summaries are retained. Raw PII is not stored long-term.

See our full Security & Compliance page for infrastructure details, application security controls, compliance standards, and incident response procedures.

Security & Compliance →