Firms should be aware of making potential admissions when assessing their cybersecurity risks, including when investigating an actual data breach. There have been a number of cases over the last several years that clearly illustrate that a firm’s good faith effort to assess cybersecurity vulnerabilities and/or to analyze a data breach can be used against the firm if that information is not protected under attorney-client privilege.
What the cases teach us is that firms, including those with in-house counsel, should always consider retaining outside counsel to lead their data breach response and cybersecurity assessments. Even if a firm already has a cybersecurity firm working on various matters, a new agreement should be executed through outside counsel specifically for the forensic investigation and data breach response. For example, consider the following cases.
Two courts found that because a cybersecurity firm had a prior relationship with the subject company, its work could be classified as serving general cybersecurity or business purposes, and, thus, its findings were unprotected and had to be turned over to plaintiffs. Capital One settled for close to $200 million after the ruling. See In re Capital One Consumer Data Security Breach Litigation, 2020 WL 3470261 (E.D. Va. June 25, 2020); In re Dominion Dental Services USA, Inc. Data Breach Litigation, 429 F. Supp. 3d 190 (E.D. Va. Dec. 19, 2019).
Another example from across the country is In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230 (D. Or. 2017), in which the court found that a forensic report is less likely to be protected when the company, rather than outside counsel, retains the forensic team. By comparison, when outside counsel retains the forensic team, the information is much more likely to be protected. See In re Experian, 2017 BL 351985 (C.D. Cal. 2017). The same was true in In re Target Corp. Customer Data Security Breach Litigation, MDL No. 14-2522, 2015 WL 6777384 (D. Minn. Oct. 23, 2015), where the court noted that Target's in-house counsel specifically retained outside counsel for legal advice about the breach and potential litigation.
Further, it is critical that a firm consider the distribution list for the data breach investigation details and reports. Specifically, details of the ongoing data breach investigation should be shared on a strict legal-purposes-only basis and only with those executives involved in the legal side of the matter. Courts will look at the fine details even when outside counsel is utilized, including whether the data breach information is provided to all executives and/or all board members. If so, a firm risks losing confidentiality because the data breach information is being shared in the normal course of business rather than for legal purposes, including in anticipation of litigation.
In sum, a firm has many different obligations to run an efficient and successful business, but when faced with a data breach, a firm must separate its cybersecurity assessment or breach response efforts into a legal bucket and treat them apart from its normal business and governance functions. As the saying goes, the devil is in the details, and the courts have found that even the smallest detail can be the difference when it comes to protecting a firm's cybersecurity vulnerabilities.
Written by John J. Cooney, Esq.
With over 25 years of combined business, legal, and technical experience, The Law Office of John J. Cooney, P.C. offers comprehensive legal strategies and solutions for businesses, working seamlessly and efficiently with management and any existing counsel. John's firm concentrates on General Counsel services, Pre-Litigation Investigation, Defense, and Compliance services, as well as the Cybersecurity arena.