Written by Tim Starks
In the past year, three judges have ordered companies that suffered data breaches to hand over internal forensic reports on how the incident happened — a trend that could lend new insights into incidents where consumers’ personal data is exposed, at the expense of companies that want to keep that information to themselves.
In July, a judge ordered the Rutter’s convenience store chain to deliver a forensic report on its data breach to attorneys in a class action suit brought by store customers. It was the kind of decision that could shed light on whether the company neglected cyber defenses leading up to a breach that affected customer credit card data at roughly 70 stores over the course of nine months.
A judge ruled in May 2020 that Capital One would need to provide a forensic report to attorneys for customers who sued the bank over a 2019 incident in which details about 100 million credit card applications were exposed. A judge also ruled in January that the Clark Hill law firm must provide a forensic report in a case brought by exiled Chinese businessman Guo Wengui, whom the firm was representing when it was hacked and his information was published online.
How the forensic reports benefited the aggrieved parties in both cases, if at all, remains unclear, though attorneys say a shift is underway. Forensic reports typically include details about whether a breach was the result of a hack, the scope of an incident and potential points of failure that made a data compromise possible.
“I think at this point now that we’re at three decisions, there is a definite trend we’re seeing towards the production of forensic reports in discovery,” said Kristin Bryan, a data privacy and cybersecurity litigator at Squire Patton Boggs.
Judges in all three cases dismissed the defendant’s arguments that the forensic reports were legally protected from disclosure in two different ways: as a “work product” document produced in anticipation of litigation, or under attorney-client privilege.
“For consumers in particular, the forensic reports help to determine the scope of the breach and what caused it, as well as the level of diligence that went into securing consumers data,” said Christine Hines, legislative director for the National Association of Consumer Advocates. “It would be that type of transparency that would be helpful for a consumer in terms of what they need to know in litigation with attorneys.”
The question of attorney-client privilege also came up at a June hearing of the House Homeland Security Committee, in which Colonial Pipeline CEO Joseph Blount testified about an investigation into the ransomware attack at his company.
“Did you or your legal team have any discussions about retaining Mandiant through counsel in order to place any of the findings that you’ve been able to obtain under attorney-client privilege?” asked New York Rep. Yvette Clarke, the Democratic chairwoman of the Cybersecurity, Infrastructure Protection and Innovation Subcommittee.
Blount said he didn’t know, but would look into the matter. “That’d be very interesting for us to know,” Clarke replied.
Clarke’s office didn’t answer questions from CyberScoop about whether she received an answer from Colonial Pipeline, or if she was concerned about that potential use of attorney-client privilege.
But the recent series of rulings could also warp how companies investigate breaches if they fear forensic reports could surface in court cases against them, said Megan Brown, a cybersecurity attorney at Wiley Rein. Companies might avoid producing written reports altogether.
“I am troubled by these three decisions, because I think they put companies in a really tough spot,” said Brown. “And it’s going to affect the incentive to really look at incidents. It may change the nature of the investigation, or you may shape the scope differently, if you fear that it’s going to be exposed later.”
Plaintiffs in future cases are likely to cite the judges’ rulings to bolster their arguments for providing forensic reviews as precedent, said Bryan, of Squire Patton Boggs. Defendants also have little recourse for challenging a judge’s decision at the procedural point in a case — known as discovery — when such information must be shared.
“Procedurally I think it’s going to be quite difficult to get the issue teed up for correction,” Brown said. “We’re all still sort of putting one foot in front of the other, trying our best to protect our clients. A lot of companies are going to kind of get screwed in the meantime.”
Customers whose information is exposed in data breaches often have little recourse, as tying an instance of identity theft to a single breach, and then proving harm, is notoriously difficult. Breached companies typically offer free credit-monitoring, a service that is hard to measure and insufficient, according to consumer advocates.
Even now, after the trio of recent cases in which judges ordered firms to provide their forensic reports, some remain cautious.
“You hate to be too optimistic,” said Hines, of the National Association of Consumer Advocates.
In the Rutter’s case, the judge rejected the claim of work product protection in part because of a “statement of work” in Rutter’s contract with Kroll to produce the forensic report.
“The overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred,” the statement reads.
That demonstrated that its primary purpose wasn’t anticipation of litigation — the standard for “work product” protection — along with testimony from a Rutter’s official that the company wasn’t anticipating lawsuits at the time of Kroll’s work, wrote Judge Karoline Mehalchick.
Similarly, she said that evidence suggested that Rutter’s didn’t obtain the Kroll contract with “a primary purpose of providing or obtaining legal assistance for Defendant,” the standard necessary for it to be protected under attorney-client privilege.
Fallout from the three rulings could have broader implications outside cybersecurity cases, Bryan said.
“While these three cases all deal with data events, you can imagine a number of other scenarios where, say, you have a company executive who is suspected of engaging in misconduct and there is an internal investigation looking into the executive behavior by an outside law firm or outside investigator, and then that report includes certain factual findings,” she said. “This issue could come up in a wide range of litigation contexts, outside of data privacy, so it’s very significant.”