Forensic reports that analyze the causes and effects of data breaches have long been a staple of incident response. Involving counsel in preparing these reports, including to maintain privilege over the findings, has also long been an important element of the incident-response process.
Although there has been some split in how different courts apply the work product doctrine to forensic breach reports, courts have typically found that reports prepared by third-party forensics consultants at counsel’s request are privileged. For example, in In re Experian Data Breach Litig., Judge Andrew J. Guilford in the Central District of California applied a “because of” standard used in the Ninth Circuit to determine that such a report was protected work product. In In re Arby’s Restaurant Group, Inc. Data Sec. Litig., Judge William M. Ray, II in the Northern District of Georgia held that a report created after an internal investigation by Mandiant Services Inc. was protected work product. And in In re Target Corporation Customer Data Sec. Breach Litig., Judge Jeffrey J. Keyes in the District of Minnesota found that emails relating to the work of Target’s Data Breach Task Force, which focused on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation, was protected by the attorney-client privilege and the work-product doctrine.
Earlier this summer, however, a federal court rejected a litigant’s privilege claim over a breach report in a case involving a significant and widely-publicized breach. In In re Capital One Consumer Data Sec. Breach Litig., Capital One was ordered to turn over a forensic report prepared by cybersecurity consultant Mandiant in the wake of Capital One’s July 2019 data breach that affected more than 100 million Americans. Capital One had argued the report was protected under the attorney work product doctrine because it was prepared to help Capital One’s outside counsel deal with the litigation arising from the data breach. U.S. Magistrate Judge John F. Anderson disagreed, finding that most of Mandiant’s work fell under the scope of an engagement that predated the data breach. The presiding District Court Judge, Judge Anthony J. Trenga, agreed with Judge Anderson and ordered Capital One to produce the report.
So does Judge Anderson’s decision mean increased judicial scrutiny in the future of privilege assertions over data-breach reports? And how may quickly-changing public sentiment and developing law change the landscape? We offer a few insights below.
Overall shift to data transparency
Judges may start to scrutinize privilege assertions more because the public seems to care about the relevant issues more. Data security in the United States has very quickly emerged as a significant issue for consumers. Consumer concern about the security of their private information is fed daily by reports of significant breaches, foreign hacking, and increasingly inventive phishing scams. For example, in Capital One’s July 2019 data breach, a former employee of Amazon Web Services hacked into Capital One’s server and gained access to social security numbers, bank account numbers, names, addresses, credit scores, credit limits, balances and other personal information belonging to more than 100 million Americans. In 2017 a data breach at Equifax compromised the private records of more than 147 million Americans. And in 2016, Yahoo! reported two major data breaches of user account data that impacted all of Yahoo!’s 3 billion users.
Consumer concerns about data privacy have also increased as questions arise regarding how consumer information is collected, shared, and used. For example, in 2018, Facebook made headlines after a former employee of Cambridge Analytica revealed a data leak where the personal information of up to 87 million Facebook users was harvested without their consent and sold to Cambridge Analytica. In February of this year, a punitive class-action lawsuit was filed against Clearview AI in the United States District Court for the Southern District of California, alleging that Clearview AI unlawfully “scraped” biometric data—mostly images of individuals—from social media and other websites and applied facial-recognition software to create databases for sale to law enforcement and the private sector.
Data security and privacy are also rising concerns for in-house lawyers. In its 2020 survey of more than 1,000 chief legal officers of businesses, the Association of Corporate Counsel found that compliance, data privacy, and security top the list of most important issues for businesses, with no change from 2019. Similarly, in a survey conducted by ALM Intelligence and Morrison & Foerster in spring 2017, 63% of the general counsel and in-house lawyers polled described data privacy and data security as very important challenges. Respondents identified phishing/malware (74%) as the greatest area of concern, followed by hacking (70%), compliance obligations (68%), breaches at vendors (58%), and employee mistakes (52%).
As data security and privacy take center stage, companies are expected to be more transparent about the data they collect and what they do with it. California requires it. Under the California Consumer Privacy Act (“CCPA”), which took effect earlier this year, covered businesses are required, upon receiving a verifiable consumer request, to disclose to consumers the categories and specific pieces of information that the business has collected. Businesses that collect consumers’ personal information must also, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used. And California voters recently approved the California Privacy Rights Act, a new privacy law that will expand consumers’ rights in California beyond those provided by the CCPA, and could potentially become the new standard for consumer privacy law.
Numerous bills have also been introduced at the federal level that would extend some of California’s protections nationwide. While none have been passed so far, most experts expect to see more proposals during President-elect Biden’s administration.
As companies are expected to be more transparent, that same expectation appears to be extending to how companies address data security, including data breaches. Consumers want to know not just what is done with their information, but also how it is secured. In the event of a breach, consumers want to know what happened. Knowing what happened, and how the issue was fixed, enables consumers to make informed decisions about whether to continue business with the affected entity. In that context, it is entirely possible that companies’ privilege claims over data-breach reports, which contain key information about how a breached company dealt with the breach, will get more judicial scrutiny as more breaches occur.
But more transparency is not always beneficial. For example, policymakers have recognized that requiring entities to disclose information that would provide a “roadmap” by which they may be attacked could hurt both the breached entities and consumers. While many state security breach notice laws require a description of the facts of a security incident in notices to affected consumers, states expect that the description will be general and not include information on specific control failures. Furthermore, Massachusetts law specifically prohibits the inclusion of “the nature of the breach or unauthorized acquisition or use” so as not to create additional risk to the entity experiencing the incident.
Data breaches as “run-of-the-mill” business
Another possible reason courts could start to more carefully scrutinize claims of privilege over data-breach reports is simply that data breaches, ransomware, phishing and other attacks on systems and data are so prevalent now that investigating them, and reporting on the investigation, are just part of doing business.
That reality played a significant part in Judge Armstrong’s ruling ordering Capital One to produce its report of the 2019 breach. Mandiant prepared its report under a 2015 Master Services Agreement with Capital One and January 2019 Statement of Work under which Capital One retained Mandiant to provide incident response services and incident remediation assistance and to produce a detailed final report covering the engagement activities, results, and recommendations for remediation. After the data breach in July 2019, Capital One’s outside counsel and Mandiant signed a separate Letter Agreement for Mandiant to provide services and advice concerning “computer security incident response; digital forensics, log, and malware analysis; and incident remediation.” Although the Letter Agreement was executed in response to the data breach, the Court determined that Capital One failed to meet its burden of showing that Mandiant’s scope of work under the Letter Agreement was any different than the scope of work for incident response services set forth in the January 2019 Statement of Work or that the incident report would not have been prepared without the prospect of litigation. In short, Judge Armstrong held that Capital One would have prepared the report anyway, and in substantially similar format, as part of its regular business.
Several other courts have come to the same conclusion where the companies had an existing and ongoing relationship with a cybersecurity firm. In In re Premera Blue Cross Customer Data Sec. Litig., Judge Michael H. Simon in the District of Oregon found that documents relating to Mandiant’s work for Premera, including a data breach remediation report, were not protected work product when Mandiant was already conducting a review of Premera’s data management system at the time it discovered the data breach and Premera had not shown that the “documents would have been created in substantially similar form but for the prospect of litigation.” Similarly, in In re Dominion Dental Servs. USA, Inc. Data Breach Litig., the company, Mandiant, and the company’s counsel had executed a statement of work agreement nearly one year before the data breach at issue. That agreement “contemplate[ed] incident report services, including: ‘computer incident response support, digital forensics support, advanced threat actor support, and advanced threat/incident assistance.’” Because Mandiant had been retained before the breach, and was performing its work in the regular course of business, its report was not privileged work product and was ordered to be disclosed.
Statutory “cure” provisions
Asserting privilege over data-breach reports could also become more challenging because in some instances more transparency may be required to stave off consumer lawsuits. One such example is the CCPA’s “cure” provision, which permits companies to avoid private lawsuits where a security incident is “cured.”
The CCPA provides a private right of action to consumers whose nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure. While not all personal information covered by the CCPA is subject to this private right of action, “personal information” for purposes of the private right of action is still defined broadly, and includes many categories of information often collected by businesses. To prove the claim, a consumer must show the violation was the result of a business’s failure to implement and maintain “reasonable security procedures and practices” to protect the consumer’s personal information. Before a consumer can bring such a private lawsuit, however, the consumer must first provide the business 30 days’ written notice of the lawsuit and an opportunity to cure.
While the CCPA does not define “cure,” and there are still many questions surrounding what constitutes an acceptable “cure” for purposes of avoiding litigation, preparing a data-breach report to help the company understand what happened and what the company can do to fix it is an obvious first step. In doing so, however, the company may want to consider whether it would be willing to disclose the report’s contents to prove the cure. Plaintiffs’ lawyers will inevitably argue a company cannot prove that it has actually cured a noticed violation of its duty to implement and maintain “reasonable security procedures and practices,” and further proved that no further violation will occur, without disclosing the contents of the report.
Of course, there may be other ways to “cure” a violation without relying on or disclosing the substance of a data-breach report. Some commentators have suggested free credit monitoring services or offering to pay a potential plaintiff statutory damages before a lawsuit is filed as alternate “cures.” But neither would address the key issue of ensuring consumer confidence that such a breach has been remediated and is unlikely to happen again. Companies may therefore be left in the position of considering a possible privilege waiver by producing the report or having to face arguments that an alleged cure is not possible where the company declines to disclose exactly what happened and how.
So what can companies do to ensure their data-breach reports remain privileged in the face of ever-changing law? A few suggestions include:
- At the most basic level, companies should involve outside counsel in all aspects of its breach investigation, and counsel must hire the outside consultant to investigate the breach. If possible, the company should consider retaining a different cybersecurity firm than the company previously hired to conduct any prior review of the company’s data management systems. If challenged, this could allow the company to more clearly show the retention was specific to, and in anticipation of, ensuing litigation.
- If it is impossible or impractical for the company to retain a new firm, the company and the cybersecurity firm should use a separate team of experts dedicated exclusively to investigating the breach and dealing with any litigation that may arise.
- The company’s counsel should retain the new firm (or team) under a new engagement agreement, and not by way of a statement of work or addendum to an existing agreement. The new agreement should differentiate the firm’s services specific to the breach and investigation from any routine maintenance and testing services that the company may already be utilizing.
- Any breach reports prepared by the new firm should be focused on the litigation and shared only with the company’s legal team and those directly involved in the litigation. Non-sensitive information that is not privileged (and that can be shared in discovery) should be put in a second report to be circulated more broadly and, if necessary, produced.
- Finally, the company should consider if a report would provide benefits that outweigh the risks from disclosure. In some incidents, a report provides invaluable information about the nature of an incident, the effectiveness or ineffectiveness of controls, how the entity responded to the incident, and possible future issues. In other situations, this information may exist without the need to compile in a way that poses an unnecessary risk to the entity.
But even doing all of this still does not guarantee privilege, and in the new reality of transparent data collection, use, and security, companies may ultimately be forced to strike a careful balance between protecting their confidential and privileged information and complying with various laws requiring them to be transparent and to keep consumers informed.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Steven Morphy is an associate in Thompson Coburn’s Business Litigation group.