Legal Considerations for Cybersecurity Audits and Data Breach Response
In the United States, data breaches are at an all-time high.[1] Thankfully, advances in technology are making it increasingly difficult for hackers to exfiltrate sensitive data from secure networks. While technological safeguards provide a necessary element of protection, standing alone they remain an incomplete solution. Companies should also implement robust administrative and physical controls to adequately safeguard valuable data (and corporate reputation). Even so, as companies continue to implement cybersecurity best practices, corporate leaders should always remember the following maxim: cybersecurity is not only an IT issue but also a legal issue.
This maxim is borne out in today’s news cycle, where lawsuits and government investigations stemming from data breaches have become a regular occurrence. In the wake of a data breach, it is also not uncommon to see plummeting stock prices and the inevitable publicity nightmare. In fact, this chilling reality only gets worse as experts predict that global cybercrime damages may reach a staggering $6 trillion by 2021.[2] That is less than three years from now. Fortunately, cybersecurity awareness is rapidly increasing among corporate executives, and data breaches are among the top concerns of chief legal officers and general counsel.[3] To that end, businesses that appreciate the legal dimensions of cybersecurity will likely be in a better position to deal with the unfortunate consequences that often follow a data breach.
Last year, I wrote about some of the legal issues linked to penetration testing (“pen testing”) and why involving legal counsel may provide significant legal protections should an unforeseen event occur, such as the discovery of a data breach.[4] Yet pen testing is only one tool in a company’s cybersecurity arsenal. The rationale for involving outside counsel during pen tests may also apply to other cybersecurity measures. As revealed in In re Premera Blue Cross Customer Data Security Breach Litigation, Case No. 3:15-md-2633-SI, 2017 WL 4857596 (D. Or. Oct. 27, 2017), businesses that fail to treat cybersecurity audits and reviews as a legal process may be unable to take advantage of the protections afforded by the attorney-client privilege and the work product doctrine should the discovery of a data breach result in a lawsuit.
Notably, in In re Premera, the court considered a number of issues relating to the attorney-client privilege and work product doctrine. However, the focus of this article is on the portion of the order relating to Premera’s desire to protect from discovery the cybersecurity company’s report and other documents (“Category 3 Documents”).[5]
In re Premera
In October 2014, Premera executed a master services agreement with a cybersecurity company (“Cyber Company”) to review its data management system. During the review, in January 2015, the Cyber Company discovered malware on that system. On February 20, 2015, Premera hired an outside law firm in anticipation of litigation stemming from the data breach. The next day, outside counsel engaged the Cyber Company, and the parties amended the Cyber Company’s statement of work with Premera to reflect that outside counsel would be tasked with supervising the project. Notably, the amended statement of work did not otherwise modify the scope of the Cyber Company’s duties. Several weeks later, the Cyber Company issued a report of its findings.
Shortly thereafter, on March 17, 2015, Premera publicly disclosed that it had suffered a data breach. During the putative class action litigation that followed, plaintiffs sought to compel, and Premera sought to protect from discovery, certain documents identified as the Category 3 Documents. Premera’s argument was simple. It argued that the “[Cyber Company] . . . [was] hired by an attorney to conduct an investigation on behalf of an attorney, and thus that [the Cyber Company’s] work is privileged and protected as work-product.”[6] In support of this argument, Premera relied on two cases: In re: Target Corporation Customer Data Security Breach Litigation, No. 14-2522 (D. Minn. Oct. 23, 2015) and In re Experian Data Breach Litigation, 15-01592 (C.D. Cal. May 18, 2017).[7] However, as discussed below, the court determined that Premera’s argument was not “supported by the amended statement of work” and that Premera’s reliance on both cases was unpersuasive.
First, unlike Target, where a cybersecurity company performed a two-track investigation, Premera hired the Cyber Company to perform only one investigation. By way of background, after suffering a data breach, Target implemented a two-track investigation with its cybersecurity company. One track involved a non-privileged investigation on behalf of the credit card companies, and the other track was created to educate Target’s legal counsel for the purpose of providing legal advice relating to the breach. Here, the court distinguished Target, finding that despite the supervisory shift, the scope of the Cyber Company’s work “did not change after outside counsel was retained.” Because the scope of work had stayed the same, the court held that a mere “change of supervision” was not enough to protect the Category 3 Documents from discovery. Next, the court turned to Premera’s reliance on Experian.
Second, unlike Experian, where the company engaged outside counsel, who in turn hired the cybersecurity company, Premera had done the opposite. That is, Premera had already engaged the Cyber Company to conduct a security review before involving outside counsel in response to the data breach. The Premera court noted that Premera bore the burden of showing not only that the Cyber Company “changed the nature of its investigation at the instruction of outside counsel” but also that its scope of work and purpose changed because of anticipated litigation. On that basis the court distinguished Experian and found that Premera had not carried its burden to protect the Category 3 Documents from discovery.
Ultimately, Premera’s failure to appropriately amend the statement of work, i.e., to change the nature of the investigation, was fatal to its effort to protect many of the Category 3 Documents from discovery. Importantly, however, the court acknowledged that the attorney-client privilege or work product protection might still apply to some of the Category 3 Documents. The court noted that there may be specific documents, or portions of documents, that were created “for the purpose of communicating with an attorney” for legal advice or that contained “the mental impressions of counsel prepared in anticipation of litigation.” As such, the court recognized that those documents, or portions thereof, may be withheld.
Takeaway
In re Premera illustrates some of the legal implications of cybersecurity audits and underscores the importance of involving legal counsel early in the process. With heightened public scrutiny and the foreseeable litigation that often follows a data breach, corporate leaders must appreciate how the technical and legal issues of cybersecurity are intertwined. Proper planning at the outset may help businesses protect key documents from discovery should a data breach lead to a lawsuit or governmental investigation.
In the end, In re Premera invites one central question worth considering: If Premera had first hired outside counsel, who then hired the Cyber Company to perform the security audit, would all of the Category 3 Documents have been protected under the attorney-client privilege or the work product doctrine? This question, and certainly others like it, share something in common: each requires thoughtful consideration to arrive at an answer that is not always clear.
______________________
[1] 2017 Annual Data Breach Year-End Review, Identity Theft Resource Center, https://www.idtheftcenter.org/2017-data-breaches (last visited Aug. 2, 2018) (noting a record number of data breaches in 2017).
[2] Cybercrime Report, Cybersecurity Ventures, https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016 (last visited Aug. 3, 2018).
[3] Association of Corporate Counsel, Chief Legal Officers 2017 Survey, http://www.acc.com/vl/public/Surveys/loader.cfm?csModule=security/getfile&pageid=1449472&page=/legalresources/resource.cfm&qstring=show=1449472&title=ACC%20Chief%20Legal%20Officers%202017%20Survey%20%20Executive%20Summary&recorded=1 (last visited Aug. 2, 2018).
[4] A penetration test, or “pen” test, is a highly useful tool in which cybersecurity experts are given permission to test––i.e., authorized to attack––an organization’s computer systems. The purpose of pen tests can vary as they can be used to establish a security baseline, to assess the organization’s security controls, or to uncover cybersecurity weaknesses. Link to my article: Legal Considerations and Penetration Testing.
[5] The court noted that it was unclear whether the “Remediation Report,” which plaintiffs sought in discovery, and the “Intrusion Report,” which Premera provided, were two different documents.
[6] Generally, the attorney-client privilege protects from discovery the communications between an attorney and his or her client where such communication from the client is for the purpose of obtaining legal advice. See generally Newman v. Highland Sch. Dist. No. 203, 186 Wash. 2d 769 (2016); see RCW 5.60.060(2)(a); see also Upjohn Co. v. United States, 449 U.S. 383 (1981). The work product doctrine is a qualified immunity that protects documents and tangible things from discovery where such documents are prepared in anticipation of litigation. See Admiral Ins. Co. v. U.S. Dist. Court for the Dist. of Ariz., 881 F.2d 1486, 1494 (9th Cir. 1989) (citing Fed. R. Civ. P. 26(b)(3)). In analyzing Premera’s work product claims, the court applied the “dual purpose” or “because of” test to determine whether the work product doctrine applied. Simply put, the test looks at the totality of the circumstances to determine whether a document “can be fairly said to have been prepared or obtained because of the prospect of litigation.” See U.S. v. Richey, 632 F.3d 559, 568 (9th Cir. 2011); see also Fed. R. Civ. P. 26(b)(3).
[7] For a discussion on Target and Experian, please check out my article, The Meteoric Impact of Data Breaches and Why Outside Counsel is Indispensable.
DISCLAIMER: This post is for informational purposes only and may be construed as attorney advertising in some jurisdictions. The information provided above is not intended to be legal advice and should not be construed or relied upon as legal advice. If you need legal advice, please consult an attorney.