DATA BREACH COUNSEL: LEARN YOUR JOB
Mark Twain said: “It ain’t what you don’t know that gets you in trouble. It’s what you know for sure that just ain’t so.” Socrates said, “You don’t know what you don’t know.” It is tough to decide which famous quote best describes certain players in cybersecurity law.
Cybersecurity is a hot area of law, with hordes of law firms promoting new practices, some at outrageous hourly rates. Many firms have the knowledge and appreciate the learning curve demanded by the technology. However, others jump into shark-infested waters and the clients get eaten first.
A few days ago, an article containing an opinion from the United States District Court for the Eastern District of Virginia was sent to me on LinkedIn. In In Re Capital One Consumer Data Security Breach Litigation, United States Magistrate Judge John F. Anderson determined that a cybersecurity incident report prepared by a managed service provider (called Mandiant) would not enjoy the work product doctrine privilege and was discoverable by the opposing party in litigation.
Generally, the work product doctrine, also referred to as the attorney work product doctrine, provides that an adverse party may not discover materials prepared by or for an attorney during legal representation, especially in anticipation of litigation.
Discovery disputes (questions of what must be produced to an opposing party) are critical in litigation to defend and pursue claims. Most defendants seek to protect as much information as possible from the opposing party’s purview to preserve and embolden defenses.
While the application of the work product doctrine is fact-dependent, the problematic facts that prevented the application of privilege in the Capital One matter should have been anticipated and resolved in an incident response plan, co-authored by competent data breach response legal counsel, before any breach occurred. Indeed, the following facts obstructed any claim of work product doctrine privilege regarding Mandiant’s report:
Mandiant had a standing service agreement with Capital One prior to the breach, which was unchanged in response to the breach. Accordingly, Mandiant’s statement of work did not distinguish between its normal services and its breach response services.
Capital One, not its legal counsel, paid Mandiant for the data breach response services. In addition, the breach response services were initially paid out of Capital One’s operating budget, as opposed to its legal budget.
Mandiant’s data breach response report was provided to Capital One’s employees who were conducting an internal investigation, negating the position that the report was prepared in anticipation of litigation.
The Mandiant report was provided to Capital One’s board of directors, an accounting firm, and several federal regulatory agencies. It was also not subject to restricted access on Capital One’s network. Thus, it was not treated like privileged material by those claiming it should be privileged.
With legal issues concerning data breaches changing daily and the absence of comprehensive federal legislation in this area, no attorney can anticipate all land mines. However, those in the Capital One matter were foreseeable. A better approach for Capital One would have looked like this:
A data breach occurs, and legal counsel is immediately notified.
Legal counsel retains Mandiant (or another MSP) under a separate service agreement and statement of work, specific to the individual breach and potential litigation arising therefrom.
Capital One stops work by Mandiant on its standard services.
All invoices generated by Mandiant are exclusively sent to legal counsel and exclusively paid by legal counsel.
An attorney from Capital One’s law firm works alongside Mandiant, writing the report for Mandiant, as the data is compiled (KEY MATTER). This tenet requires the law firm to have a cybersecurity attorney capable of speaking to the service providers. He/she must have a basic understanding of technical network operations and intrusions.
The final report is created by the law firm, not Mandiant, and is not provided to the internal incident response team for Capital One.
The report is not shared with any accounting firm unless an accountant-client privilege exists.
Cyber threat indicators and defensive measures may be shared with appropriate federal agencies under the Cybersecurity Information Sharing Act, but unless in Louisiana (La. R.S. 51:2105 - you’re welcome, Louisiana businesses), the sharing entity forfeits state law legal privileges (a nuance often overlooked).
Ensure that when planning for or facing a cybersecurity incident, your chosen attorney is qualified to discuss the matter, both technically and legally. As seen from Capital One’s folly, experience with the Financial Industry Regulatory Authority is insufficient when dealing with cybersecurity law.