These days, data breaches and cybersecurity attacks abound. With each news cycle, we’re confronted with stories about yet another big breach, at another big company, with the potential exposure of another big pool of individuals’ private personal information. Given the current threats to data privacy and cybersecurity, it’s no wonder that many companies—large and small—are taking proactive measures to guard against a data breach.
Across many industries, cybersecurity forensics firms are now being retained to conduct comprehensive data security audits, designed to ferret out vulnerabilities in a company’s network infrastructure. However, such audits beg a larger and more complex question: is the retention of a forensics firm best done through legal counsel? While there’s no silver bullet answer and there are a multitude of factors and variables to consider, the implications are significant, and in some cases, could leave a company worse off than it had been before a cyber assessment.
It’s no secret by now that a company’s internal documents concerning prior data breaches and prior knowledge of network vulnerabilities could be a treasure trove of information. A plaintiff might attempt to use such information to establish that the company is liable for negligence or, in some cases, breach of contract because it failed to take reasonable measures to ward off a data breach. Along these lines, in May of this year, a magistrate judge ordered Target, Inc. to produce this very information to a consortium of financial institutions that had sued the company for its massive 2013 data breach. In particular, the court ordered Target to disclose to plaintiffs the details of prior breaches that were similar in nature, how the hackers accessed information, what measures the company considered and took to secure network vulnerabilities, and the extent of financial damage incurred.[1]
Absent a basis for withholding the information, a company’s data security audit—even those conducted by a third-party vendor—will find its way into a plaintiff’s discovery request. In fact, cybersecurity information compiled through an assessment process, in some instances, provides a roadmap to a company’s most important and sensitive information, as well as steps taken by an organization to shore up its cyber defenses.
In many instances, the cyber assessment process is performed to aid counsel in assisting organizations to create incidence response plans and the like. Companies stand a better chance of fighting the disclosure of these sensitive materials—or, at least, some of them—if they take care to ensure that their third-party data-security experts are retained and directed by outside counsel. Earlier this year, in a case between Visa USA and retail holding company Genesco, Inc., a district court in the Middle District of Tennessee held that sensitive data-security audit materials conducted by third-party forensics specialists at IBM were protected by the attorney-client privilege. Visa objected to Genesco’s withholding of the documents, arguing that any factual material gathered by IBM was not subject to the privilege. The court disagreed. Though it noted that “[t]o be sure, the information sought in [Visa’s] motion to compel is relevant and probative[,] . . . Plaintiff retained IBM to provide consulting and technical services so as to assist counsel in rendering legal advice to Plaintiff. Thus, the IBM materials . . . [were] privileged.”[2]
The takeaway, here, seems obvious. In many instances, companies considering conducting a data audit should enlist outside counsel to:
• Engage the outside cybersecurity forensics firm;
• Direct the scope and depth of the audit; and
• Analyze and present the audit results.
Such actions, taken by a company’s in-house counsel, might also be privileged; but retention of outside legal counsel may help to defend against an opposing counsel’s likely argument that in-house counsel’s advice is not shielded by the attorney-client privilege because counsel was merely consulting on business—and not legal—matters.
Of course, a company faced with litigation concerning a data breach may eventually decide to waive the privilege (at least in part), and to voluntarily disclose the results of a data-security audit to demonstrate that it took multiple precautions and acted reasonably—and proactively—to avoid a data breach. But that’s a decision that most companies would prefer to make themselves, rather than having a court order disclosure on a motion to compel. Utilizing outside counsel in appropriate cases to direct and supervise the data security audit and to review its results is the best way to make that happen.
[1] See Order, In re Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522, Dkt. 435 (D. Minn. May 27, 2015) (Mag. J. Keyes).
[2] See Order, Genesco, Inc. v. Visa, Inc., No. 3:13-cv-00202 (M.D. Tenn. March 25, 2015). In a later decision on Visa’s motion for reconsideration, the court suggested that one spreadsheet—which documented “a number of changes made to the Genesco system” over a several year period—may not have been privileged but was, in any event, barred by the Court’s earlier rulings, which ruled that evidence on such changes was outside the scope of discovery in the case. See Order, Genesco, Inc. v. Visa, Inc., No. 3:13-cv-00202 (M.D. Tenn. July 15, 2015).
