Recent Court Decision Warns Companies Not To Engage Incident Response Tech Firms Without First Engaging Legal Counsel

In any data incident, the first question is: who do I call first? A recent court decision reminds companies that the first call should be to legal counsel.

Data breaches are a risk to any company collecting personally identifiable information. When an incident occurs, companies should carefully consider the possibility that the incident may result in litigation, including a data breach class action brought by impacted consumers, and therefore take appropriate steps to preserve privilege over any post-breach analysis and work product. A recent court decision serves as a warning for companies that want to use the privilege doctrine to shield their post-breach work product from disclosure during post-breach litigation.

Capital One

In 2015, Capital One hired Mandiant to provide cybersecurity consulting services. The master service agreement executed between the parties was occasionally supplemented by various Statements of Work for Mandiant to provide additional specified services. In March 2019, Capital One experienced a data breach. Capital One immediately retained outside counsel to provide legal advice regarding the incident. Thereafter, outside counsel, Mandiant, and Capital One executed a Letter Agreement under which Mandiant would provide incident response, forensic, and remediation services in relation to the incident.

After conducting its analysis, Mandiant provided a forensic report regarding the incident to outside counsel. The forensic report was subsequently distributed to Capital One’s legal team, board of directors, various employees, regulators, and Capital One’s accounting firm. In post-breach litigation following the incident, Capital One asserted that the forensic report was privileged and protected by the work product doctrine.

The court held that, although the report was prepared at the direction of outside counsel, Capital One failed to carry its burden of proving that the report would not have been prepared but for the anticipated litigation; the report therefore fell outside the scope of protected attorney work product.

District Court Affirms

Not surprisingly, Capital One appealed the Court’s ruling, arguing that the magistrate judge misapplied the controlling law and improperly relied on Capital One’s business uses of the report. On June 25, 2020, the District Court affirmed the decision, ordering Capital One to produce the report. On appeal, the Court focused on “the driving force behind the preparation of the report” and whether it was compiled in anticipation of litigation. The Court found that Capital One failed to prove that there were any differences between Mandiant’s report and what would have been prepared in the ordinary course of business, absent anticipated litigation or legal counsel.

Lessons from the Decision

This conclusion calls into question best practices following a data security incident. Companies preparing for potential data security incidents should consider the following guidance points drawn from the decision.

1. Legal vs. Business Advice

An important factor considered by the court in Capital One was whether the report in question was prepared in order to provide legal advice or business advice. In general, the attorney-client privilege does not apply in situations where the attorney acts merely to provide business advice. (Aetna Cas. & Sur. Co. v. Sup. Ct., 153 Cal. App. 3d 467 (1984)).

In Capital One the court placed the burden on Capital One to prove that the forensic report was prepared for the purpose of anticipated litigation and concluded that it failed to provide sufficient evidence. The court found that hiring outside counsel alone was insufficient. Companies should therefore consider ways to memorialize the fact that a forensic report is being prepared for the purpose of legal advice, and specifically state that the report is not prepared for business purposes.

2. Distinguish Post-Breach Relationships from Preexisting Relationships

Even though Capital One found that hiring outside counsel alone was insufficient to establish privilege, it is still an important factor in proving that a forensic company’s work is done in anticipation of litigation. Capital One distinguished its circumstances from a previous case, In re Experian Data Breach Litig., where the court held that a similar report was privileged in part because Experian hired outside counsel first, and that counsel retained the cybersecurity firm to prepare a forensic report.

In light of the Capital One decision, companies with a preexisting relationship with a cybersecurity firm should distinguish the post-breach services from those of the previous business relationship. The post-breach agreement should make clear that the work is being done at the direction of outside counsel in anticipation of potential litigation. The post-breach work should be limited in scope, and any non-litigation work should be set out in a separate agreement.

3. Legal Expense

The Capital One court placed emphasis on the fact that Capital One designated Mandiant’s retainer as a “business critical” expense, and not a legal expense, at the time it was paid. Companies should therefore always pay for a third-party forensic firm’s post-breach work out of their legal budget.

4. Limit Dissemination of Post-Breach Forensic Report

Another important distinction between Capital One and Experian was that in Experian the full report was not shared with the company’s incident response team. In contrast, in Capital One the post-breach report was widely disseminated to internal groups and third-party regulators. Companies should limit the distribution of post-breach reports and consider including confidentiality instructions to help maintain privilege.

Conclusion

The cases vary in their approach to the use of incident response technology firms. But all of the decisions make clear that legal counsel should be engaged at the outset of a breach.

Companies confronted with a data breach should carefully consider the guidance offered in Capital One. Hiring experienced data breach counsel to help preserve applicable privileges and to leverage their industry experience may prove extremely helpful during any post-breach litigation. Recent increases in data breach class actions brought under the California Consumer Privacy Act (CCPA) highlight the importance of being prepared for post-breach litigation.

The team at Beckage has extensive experience in data security incident response and understanding of the steps necessary in order to preserve privilege. If your company believes it is experiencing a data breach, call our 24/7 breach response line at 844.502.9363. One of our tech breach coach lawyers would be happy to assist you.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Beckage Urges NYS AG To Delay SHIELD Act Enforcement

In light of the rapidly evolving COVID-19 pandemic and the unprecedented changes to the New York workforce and network infrastructure, Beckage PLLC has asked New York’s Attorney General (AG) Letitia James to delay the March 21 compliance milestone and general enforcement of the New York State Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) by six months.

By letter dated March 18, 2020, the law firm Beckage, on behalf of a range of its clients that cut across industries and sizes in New York State, asked the AG to provide this relief for companies, as well as a concurrent postponement of enforcement actions and civil penalties, to allow companies throughout New York State to update their administrative, physical, and technical controls in light of the current pandemic.

For background, phase two of the SHIELD Act’s implementation has a compliance deadline of March 21, 2020. This milestone requires companies handling NYS resident data to have certain administrative, physical, and technical controls and policies in place by that date to protect that data.

Leading up to March 21, companies were forced to respond to the COVID-19 outbreak and shift overnight to a remote workforce, while still meeting phase two of the SHIELD Act. Companies throughout the state have experienced sudden changes in a very short period to adapt to the COVID-19 pandemic. Accordingly, any prior SHIELD Act compliance work needs to be reviewed and updated as necessary.

In light of the COVID-19 pandemic, for which Governor Cuomo issued a state-wide emergency declaration on March 13, 2020, Beckage’s letter to the AG highlighted the significant challenges the pandemic poses for SHIELD Act compliance.

Jennifer A. Beckage of Beckage said, “Businesses throughout the State are moving hundreds, if not thousands, of employees to remote workforce and cloud-based environments and are dedicating extensive Information Technology and HR resources to these efforts. The diversion of these resources to COVID-19 efforts means that many organizations may not have the resources to meet the SHIELD Act’s March 21, 2020 milestone.” Additionally, even organizations with extensive resources that have already taken steps to comply with the Act by the milestone are now seeing their entire enterprise shift in light of COVID-19. As Ms. Beckage explained, “By moving to remote workforces overnight, existing policies, practices, network infrastructure, and risk assessments may have completely changed, rendering current policies in some respects irrelevant or obsolete, or requiring updates to existing administrative, physical and technical controls.”

Beckage supports the goals of the SHIELD Act and applauds New York’s efforts to keep the state’s laws up to date with current technology. Beckage is collecting comments on behalf of businesses impacted by the SHIELD Act, which will be anonymized and included in a report prepared by Beckage for the New York AG’s office as it continues to seek relief from the AG. Should you wish to be included, please submit your comments through our SHIELD Act comment portal by emailing shieldactcomments@beckage.com.


Second Compliance Deadline of NY SHIELD Act Approaches

If you waited until the last minute to develop a data privacy program, well, now it is required in New York. Signed into law on July 26, 2019 by Governor Cuomo, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires businesses to implement safeguards for the “private information” of New York residents and broadens New York’s security breach notification requirements.

How IoT Will Impact Data Security & Privacy For Businesses

You’ve probably heard the buzz about the Internet of Things (IoT), a suite of emerging technologies that promises great value to businesses, individuals and society. As broadband internet and Wi-Fi capable devices become more readily available, and reduced costs in the technology supply chain fuel innovation, the number of IoT devices and applications is estimated to grow into the billions. What’s more, the nature and applicability of IoT is constantly evolving. According to the Government Accountability Office, IoT “can be used in almost any circumstance in which human activity or machine function can be enhanced by data collection or automation.” IoT is clearly the future, enabling new efficiencies and technological capabilities for businesses looking to grow and compete in the marketplace. But before businesses jump into this next big thing, it’s critical to understand exactly what IoT is and how it will impact data security and privacy issues.

Evolving Privacy Paradigms

Privacy paradigms all over the world are quickly evolving, starting with the European Union’s adoption of the General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law, India’s pending Personal Data Protection Bill, and California’s just-passed Consumer Privacy Act. While the specifics vary, the international trend toward adopting a comprehensive privacy law to govern all sectors, industries and emerging technologies continues. What’s more, the international paradigm is shifting away from a US-backed view of personal data as a commodity, and towards the EU’s view of personal data as an extension of self, with a range of human rights implications for data subjects. From the right to notice, access and correction to the right to portability and even erasure, companies subject to international privacy laws must have processes in place to identify personally identifiable information and respond expeditiously to the requests of individuals.

Depending on past data practices, businesses may also be faced with legacy archives of personal data now subject to international regulation. Inventorying your company’s data archives, classifying that data based on its content and sensitivity, and processing or destroying it appropriately are all necessary steps that businesses will need to take in the near term. Businesses should also consider whether de-identification and anonymization of personally identifiable information provides an avenue to avoid the strictures of some of these international privacy regimes.

To successfully operate in a multi-jurisdictional world, businesses must appreciate the evolving privacy paradigms currently in play and adapt to them within the requisite time frames. With penalties nearing 4% of annual worldwide revenues for the GDPR, compliance is key. Beckage attorneys know the difference between being in compliance with privacy laws and being able to demonstrate that compliance to the satisfaction of a national or international regulator. Call experienced counsel on whether and how your company can comply with the GDPR or other national and international privacy laws.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.