When an organization experiences a data breach, few recognize that the organization ends up becoming a double-victim. Not only does it suffer direct damages from the loss and recovery, but it also faces regulatory fines and litigation. To put this into context, think about a scenario where a burglar breaks into your home and steals valuable items from you. In the aftermath, not only do you have to fix anything that was broken and replace your valuables, but the government fines you for the intrusion and you are sued by your neighbors.
Unfortunately, this is the reality for organizations today, and the recent ruling against Capital One in the Eastern District of Virginia further strips away protections that help companies defend themselves in data breach litigation. It is a well-known best practice in the incident response world to hire a forensic consultant through outside counsel in the aftermath of a cyber attack. The primary reason not to contract directly with the forensic consultant is to preserve the likelihood that any findings from the forensic consultant are protected by the attorney work product doctrine in the inevitable litigation that follows a data breach.
Last month, the Federal District Court in the Eastern District of Virginia ruled that this process was not sufficient by itself to protect a forensic report prepared by Mandiant in the aftermath of the Capital One breach. If the rationale behind this decision ends up becoming precedent across the country, it will have disastrous effects for every company that experiences a data breach. Here are six potential ramifications:
As is evident by the very fact that “many lawsuits” were filed beginning the day after Capital One’s public disclosure, there is no question that when a breach happens, litigation will follow. The attorney work product doctrine is designed to protect the work attorneys and their contractors do to prepare for litigation. In this case, the court appeared to take issue with the fact that Mandiant and Capital One had a retainer agreement prior to the breach.
For a large financial institution such as Capital One, it is imperative to be able to investigate very quickly when a potential breach occurs. Unlike other business transactions, there is no time to waste gathering proposals and moving through the typical enterprise buying process. Not only does speed of investigation help limit the damage to consumers, but speed is also required by regulations like the GDPR, which mandates notification within 72 hours. The unfortunate message that the Court sends to companies with this type of ruling is that if you proactively prepare by lining up necessary vendors before the inevitable breach, any work those vendors do for you could be discoverable in litigation.
Increases breach response costs
Additionally, if an organization needs to wait until an incident happens to hire the necessary vendors, it will increase the cost to respond to a breach substantially. Part of the reason companies like Mandiant offer retainer agreements is because there is a limit to the number of clients they can serve at a time and IR firms are always very busy. If you want to hire highly skilled forensic consultants to show up at your office in a matter of hours, the price will necessarily become exorbitant. There is a limited supply of cybersecurity talent in general and an even smaller supply of cyber forensics consultants that can effectively respond to cyber attacks.
If attorneys are forced to share forensic reports, the often lamented “analysis paralysis” that afflicts most legal professionals will reach new heights. Rather than working as efficiently as possible to complete an investigation, every word communicated during the investigation will need to be scrutinized for the possible liability that comes from it. This slower process does not align with the severity of the circumstances and the demand it creates to move quickly, and it further increases the negative consequences for consumers.
Discourages detailed and objective findings
If organizations are required to reveal the findings of a forensic report, there will be much more pressure to reveal a minimal amount of information to protect the company from potential liability. Revealing detailed findings in a forensic report will shift the focus from getting to the root cause of the problem to characterizing the company’s security posture in the most glowing terms possible to demonstrate that it had reasonable precautions in place. This would prevent incident response firms from continuing to help their customers make great strides in improving their security postures, as they have in the past.
Limits service offerings for forensics firms
The court found that the fact that Mandiant was performing other services for Capital One contributed to the perception that Mandiant would have done the same work even if the breach litigation had not occurred. The implication is that the report would have been protected as attorney work product if Mandiant had not been doing any other work for Capital One.
There are two negative results that may arise from this type of logic: 1) a forensic consultant will need to limit its services to breach response only if it wants that work to remain protected, and 2) a forensic consultant that does not regularly do work for the company, when called in to perform breach response work, will inherently be less familiar with the company’s systems and less likely to perform the breach response work as well or to prevent further damage as quickly.
Ignores accepted facts that breaches will happen to all organizations and that litigation will always follow
Everyone in the cybersecurity world has accepted the adage, “it is not if, but when.” In fact, many understand that this is not a singular event. Breaches, plural, will continue to happen to all organizations. Further, any breach of substantial size, and even some that are not, tends to bring months, if not years, of litigation. Any retainer agreement for breach response services is by necessity entered into for litigation purposes, whether the business labels that agreement as a “legal expense” or a “business critical expense.” This ruling draws the counter-factual conclusion that breaches do not tend to result in litigation.
Capital One has appealed this ruling, but if this ruling develops into a larger and consistent precedent, here are some of the actions companies may need to take as a result:
- Avoid signing retainer agreements for data breach forensic firms.
- Only hire, through outside counsel, a forensic firm that has not performed other services for the organization.
- Do not share forensic reports from a breach investigation outside of the legal team.
- Do not label the forensic work in a way that indicates a business interest. Preferably, forensic work should be paid from a legal budget, and ideally from a litigation-specific budget.
- Any routine report done by a forensic consultant needs to vary significantly from the type of report produced in response to a breach.
Whether or not this ruling holds up or becomes an accepted precedent, it is important that companies prepare for the inevitable incidents that will occur at every organization. BreachRx is a platform that helps companies proactively prepare for privacy and cybersecurity incidents. By implementing BreachRx, organizations can transform crisis breach response into a routine business process.