Court’s Ruling on Privilege Presents New Cybersecurity Challenges

A federal judge has ruled that a financial institution must provide litigants with an incident report detailing its forensics firm’s findings relating to a 2019 cyber attack, creating new uncertainty for companies and their legal departments.

 

In 2019 a former employee of a major bank’s cloud hosting company hacked into one of the bank’s servers, gaining access to “more than 100 million…accounts and credit card applications.”

 

In May, a federal judge ruled that the bank must provide litigants with an incident report from its cybersecurity forensic firm articulating the details surrounding the event and their investigation.

 

The surprise decision, in effect, determined that [the bank] would need to provide the forensic details…about the hack to attorneys representing a group of customers suing the bank. It’s the kind of report that, if made public, could highlight technical and procedural failures that made it possible for a single suspect to allegedly collect gigabytes of data about 100 million people from a bank with $28 billion in revenue.

 

Typically, hacked organizations are able to keep incident response reports private and avoid costly suits by shielding the details under attorney-client privilege. Not under this decision.

 

Having reviewed the decision and associated legal opinion, Optiv offers the following observations regarding the Memorandum Opinion and Order (“Order”).

 

  • The Court found the determinative issue was “whether the [incident response firm’s] report would have been prepared in substantially similar form but for the prospect of that litigation.” (Order at 7.) “[T]he fact that the investigation was done at the direction of outside counsel and the results were initially provided to outside counsel,” did not satisfy the “but for” formulation. (Order at 7.)

  • The bank failed to present “sufficient evidence to show that the incident response services would not have been done in substantially similar form even if there was no prospect of litigation.” (Order at 7.)

  • The bank had a long-standing relationship with the incident response firm and had a pre-existing SOW with the firm to perform essentially the same services that were performed in preparing the subject report - “incident responses services in the event such services were necessary.” (Order at 2.)

  • The retainer paid to the incident response firm was considered a “business-critical expense” and not a legal expense at the time it was paid. (Order at 8.)

  • While the fact that the incident response report was provided to four different regulators and to the bank’s accountant may not necessarily constitute a waiver, it does show that the results of an independent investigation into the cause and the extent of the data breach was significant for regulatory and business reasons.

  • The only significant evidence the bank presented was that the work was performed “at the direction of outside counsel and that the final report was initially delivered to outside counsel.” (Order at 8.)

  • The Court noted significant differences between the facts in this case and the 2017 Experian case, in which the incident response report was afforded the work product privilege.

    • In Experian, the full report was not given to the incident response team; however, the bank provided its report to several members of its business and used it for various business and regulatory purposes.

    • In Experian, the incident response firm was hired by outside counsel, whereas the bank effectively transferred an existing SOW and MSA to outside counsel.

 

Key Takeaways

The Court’s decision suggests both legal and operational implications.

 

  1. Past work for a company that experiences a cybersecurity incident, including prior work relationships and contracts, should be reviewed carefully to make sure the post-incident engagement is substantially distinct from prior engagements and that the forensic report would not be prepared “but for the prospect of that litigation.”

  2. It may be advisable for a company to hire two firms with distinct functions – one for business purposes (e.g., work necessary for containment, mitigation, and recovery) and one for legal purposes (e.g., forensics to determine potential legal obligations arising from the incident).

  3. The affected company needs to carefully consider who will see the forensic report and the purpose(s) for which it is used. Disclosure should be limited to those on a “need to know” basis whose input will be necessary to the delivery of legal advice or who will be advised by outside counsel based on the report.

  4. Companies should consult counsel immediately when a suspected incident occurs. Counsel should provide guidance on preservation requirements, how to maximize application of the attorney-client privilege and work-product doctrine (where appropriate), notification obligations that arise from the incident, and preserve rights via demand letters on third parties.

 

The complete Court order itself can be reviewed at CyberScoop.

 

The information provided in this article does not, and is not intended to, constitute legal advice. All information, content and materials available on this site are for general informational purposes only. Readers of this website should contact their attorneys to obtain advice with respect to any particular legal matter. No reader, user or browser of this article should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation.