John Reed Stark

As discussed in the following guest post from John Reed Stark, a recent development in the class action litigation arising out of the massive Marriott International data breach could have significant ramifications for other claimants asserting class action claims — including securities class action claims — based on data breaches or other cybersecurity incidents. Stark is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.

*******************************

The cybersecurity class action bar might be celebrating the holidays a bit early this year.

The enthusiasm stems from a recent (but barely noticed) judicial letter from Judge Paul W. Grimm, of the United States Federal District Court for the District of Maryland, who oversees class action litigation arising out of last year’s data breach of Marriott’s Starwood guest reservation database. In his letter, which is essentially a judicial decree, Judge Grimm ordered Marriott to make public a crucial third-party report that will reveal key details about the data breach.

Known formally as a “Payment Card Industry Forensic Investigative Report,” or “PFI Report,” the report in question can be one of the most evidentiarily powerful documents for data breaches involving credit card information. With respect to Marriott-breach related pending multidistrict class actions filed by consumers, financial institutions and governments, the Marriott PFI Report has previously either been severely redacted or sealed off to the public entirely. But now, per Judge Grimm, the First Amendment mandates the Marriott PFI Report’s public release (perhaps lightly redacted).

On the surface, Judge Grimm’s order might look like part of one of the many inconsequential discovery-related squabbles that typically occur during class actions and other litigation. But Judge Grimm’s decision could have significant ramifications for plaintiffs filing securities-related and other class actions following data breaches at retail companies.

This article drills down into Judge Grimm’s ruling, and:

  • Explains, beginning with PCI-DSS compliance, why a PFI Report can be the most critical documentary evidence relating to a data breach;
  • Discusses the class actions related to the Marriott data breach and the ramifications of Judge Grimm’s ruling, not just for Marriot but for any company that handles credit cards; and
  • Offers some salient advice for retailers who wish to avoid, or at least mitigate, the potential costs and other problematic issues associated with Judge Grimm’s ruling.

Retailers and PCI-DSS Compliance

Payment Card Industry Data Security Standards (PCI-DSS) is a set of requirements created to help protect the security of electronic payment card transactions that include personal identifying information (PII) of cardholders, and operates as an industry standard for security for organizations utilizing credit card information. PCI-DSS applies to all organizations that hold, process or pass credit card holder information and imposes requirements upon those entities for security management, policies, procedures, network architecture, software design and other critical measures that help to protect customer credit and debit card account data.

The Payment Card Industry Security Standards Council (PCI SSC), an international organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. in 2006, develops and manages certain credit card industry standards, including the PCI-DSS. In addition to promulgating PCI-DSS, the PCI SSC has developed a set of industry rules governing responses to payment card data breaches. These rules, known collectively as the Payment Card Industry Forensic Investigator (PFI) program, were intended to replace the programs established by the individual card brands.

In theory, PCI-DSS is good for retailers, establishing a minimum data security standard that all retailers must meet, discouraging competitors from cutting corners and allowing for some uniformity and stability. PCI-DSS not only protects the card brands but it also ensures that consumers feel safe when using credit and debit cards. However, adhering to PCI-DSS can become costly and onerous, especially for retail chains, and can subject retailers to the cybersecurity whims of the card brands, who enjoy a very strong bargaining position.

PCI-DSS and Data Breaches

When a cyber-attack targets electronically transmitted, collected or stored payment card information, whether the retailer has met PCI-DSS compliance quickly becomes an intense area of inquiry.

For instance, the card brands may levy significant fines and penalties on retailers that are not in compliance with PCI-DSS. Such penalties and fines, imposed separately by each card association, can include:

  • Hefty fines (in multiples of $100,000) for prohibited data retention;
  • Significant additional monthly fines (can be $100,000 or more per month depending on the nature of the data stored) assessed until confirmation is provided indicating that prohibited data is no longer stored;
  • Separate fines (in multiples of $10,000) for PCI-DSS non-compliance;
  • Additional monthly fines (likely $25,000 per month) assessed until confirmation from a qualified security assessor that the merchant is PCI-DSS compliant;
  • Payment of monitoring (can be as high as $25) and reissuing (up to $5) assessments for each card identified by the card association as potentially compromised; and
  • Reimbursement for any and all fraudulent activity the card association identifies as being tied to a security data breach.

The PFI Report

Once a data security incident occurs, in order to determine whether the retailer must incur any of the above penalties or pay for any system modifications required to achieve PCI-DSS compliance, the retailer is contractually obligated to hire a specially certified PCI-approved forensic investigative firm (also known as a “PFI”) from a small and exclusive list of card brand approved vendors (currently comprised of 22 companies).

The PFI team then performs a specified list of investigative work including writing a final report about the data security incident – the PFI Report — that is issued to both the retailer and the various credit card companies. The PFI Report then becomes the basis used by the card brand companies to calculate potential fines that will be levied against the acquiring banks. These fees are then passed along to the victim company in the form of indemnification.

More Art Than Science

Sometimes PFI Reports are the most thorough, comprehensive and authoritative analysis of a cyber-attack upon a retailer. But sometimes, albeit unintentionally, the PFI Report can be prejudiced, jaundiced, biased or otherwise flawed.

The findings and conclusions of PFI Reports typically derive from painstaking efforts of digital forensics and malware reverse engineering, which can consist of conjecture, hypothesizing, speculation, supposition and simple old-fashioned guesswork. In fact, both skill sets are more art than science, which can render PFI Reports overly subjective, skewed or even mistaken. Here’s why:

First off, while some data security incidents may provide key evidence early-on, most never do, or even worse, provide a series of false positives and other initial stumbling blocks. After a cyber-attack, there is rarely, if ever, a CSI-like evidentiary trail.

Indeed, digital forensic evidence of a data security incident is rarely in plain view; it can rest among disparate logs (if they even exist), volatile memory captures, server images, system registry entries, spoofed IP addresses, snarled network traffic, haphazard and uncorrelated timestamps, Internet addresses, computer tags, malicious file names, system registry data, user account names, network protocols and a range of other suspicious activity. Evidence can also become difficult to nail down — logs are destroyed or overwritten in the course of business; archives become corrupted; hardware is repurposed; and the list goes on.

Second, when a digital forensics investigator analyzes the virtual remnants, artifacts and fragments left within the attack vector of a company’s devices or systems such as “deleted recoverable files” residing in the more garbled sectors of a hard drive such as “unallocated and slack space” or the boot sector, facts and conclusions can be subject to interpretation and guided by the assumptions and experience of that investigator.

Consider for example the intricacies and complexities of malware-reverse engineering. “Malware” is oft defined as software designed to interfere with a computer’s normal functioning, such as viruses (which can wreak havoc on a system by deleting files or directory information); spyware (which can secretly gather data from a user’s system); worms (which can replicate themselves and spread to other computers); or Trojan horses (which upon execution, can cause loss or theft of data and system harm).

The definition of malware, however, is actually broader and a bit of a misnomer, and actually means any program or file used by attackers to infiltrate a computer system. Like the screwdriver that becomes harmful when a burglar uses it to gain unlawful entry into a company’s headquarters, legitimate software can actually be malware. Thus, malware reverse engineering, a crucial aspect of incident response, is also often the most challenging.

Finally, there also exists a massive cybersecurity labor shortage, with over three million cyber-related jobs remaining unfilled — which means there are quite a few inexperienced amateurs masquerading as incident response professionals, whose findings can be dubious.

This dearth of bona-fide data breach response experts should come as no surprise. The data breach response industry remains in its infancy – there are few academic degrees available in the realm of incident response and barely any incident response courses in college and graduate school curriculums. Many incident responders come from government, such as the Air Force’s Office of Special Investigations; the U.S. Computer Emergency Readiness Team (CERT) of the Department of Homeland Security; or the various cyber squads of the Federal Bureau of Investigation. Other incident response experts are simply self-taught from experience or from piecing together varying expertise of digital forensics, network engineering and security science.

The bottom line is that no matter where a data breach response worker starts out, it can take as much as a decade of apprentice work before becoming a bona-fide data breach response expert.

PFI Conflicts of Interest

Though the attacked retailer engages the PFI and is responsible for all fees and expenses associated with the PFI’s investigation, the PFI conducts the investigation on behalf of the third-party card brands and with their direct involvement. Thus, even the most trustworthy, conscientious and objective PFI team can have an inherent conflict of interest and be biased.

For instance, under PFI rules, each of the payment card brands is responsible for “Defining requirements regarding the use of PFIs and the disclosure, investigation and resolution of security issues” of the security incident. This supervisory role affords the card brands wide latitude in directing and controlling key aspects of the data breach response process.

In fact, PFI rules actually attempt to minimize involvement of the victim company in the response, stating outright that the company is not to control or direct the investigation. To ensure compromised entities fully understand this limitation, the PFI rules specifically require that the retailer acknowledge and agree in its contract with the PFI that “that the investigation is being carried out as part of the PFI Program, that all PFI Report information shall be shared with affected Participating Payment Brands throughout the investigation and that the investigation is not to be directed or controlled in any way by the Compromised Entity.”

To make matters even worse, if a retailer disagrees with any of the findings of the PFI, the retailer has limited, if any, recourse to dispute the PFI Report prior to the unfavorable facts being turned over to third parties. PFI rules require the contract to specify that the PFI has the authority to deliver all final and draft reports and PFI work papers to the card brands at the same time as the reports are sent to the victim retailer.

Retailers can comment on draft and final PFI reports but do not have “approval authority,” and any facts regarding the investigation with which the retailer fundamentally disagrees might not be part of the documentation that the PFI or the card brands provide to third parties.

Meanwhile, in stark contrast, the credit card brands enjoy unique input and control with respect to the documentation of a security incident, including approval rights over all PFI reports and the ability to reject any report that does not conform to all applicable requirements, such as templates and use of proper scoping methodology.

Dueling, Parallel Digital Forensic Investigations

Given the potential for bias, conflicts of interest and subjectivity (or even mistakes), retailers rarely stand-by quietly and simply accept the PFI’s findings on the data breach.

Instead, when hiring a PFI after a cyber-attack, most retailers engage a second “company-directed” forensic examiner to the investigation, one that is completely independent of the card brand approved PFI list. This second, company-directed forensic examiner typically reports to, and is formally engaged by, the retailer’s outside counsel or internal general counsel.

There can be tremendous advantages for a victim-retailer to engage their own forensic firm, in addition to the card brands PFI team. First, absolute technical accuracy and completeness of the report is of paramount importance given that this report may become the foundation for regulatory inquiry and litigation, and a victim company may need to challenge a PFI’s draft report’s findings.

Second, the involvement and direction of counsel in the context of the investigation will presumably apply to the work product produced by the digital forensic investigators, rendering their findings, conclusions and other communications protected by attorney-client confidentiality. The involvement of counsel also establishes a single point of coordination and a designated information collection point, enhancing visibility into the facts, improving the ability to pursue appropriate leads and, most importantly, ensuring the accuracy and completeness of information before it is communicated to external audiences.

Think of it this way: After experiencing a fire in a home, a homeowner may have concerns about the qualifications or credibility of the insurance adjuster or may believe the insurance adjuster’s report is biased or specious. So the homeowner hires their own expert to challenge the report of the insurance adjuster in order to receive a better insurance payout. The same principle holds true for PCI incident response.

However, there are also some disadvantages to this “dueling investigation” approach. Given the sanctity of the attorney-client privilege and work product doctrines, the retailer’s forensic firm and the PFI firm can rarely collaborate, or even be in the same room together, lest the retailer risk waiving attorney-client privilege.

The retailer may even go so far as to arrange for the PFI firm and the retailer’s firm to deploy different endpoint detection applications – thus paying for two almost identical software licenses. Thus, the retailer pays twice for a cyber-attack investigation and twice for each team’s expensive toolsets – which can add up to millions (or even tens of millions) of dollars. That’s like paying for an Uber car and a Lyft car to take one person home from a night out – it’s a bit maddening.

Welcome to the upside down world of data breaches: where actual perpetrators are rarely caught; where actual damages to specific customers are rarely identified; and where the retailer victimized by a cyber-attack must not only also pay the invoices of the PFI team (who reports solely to the card brands) but must also pay the invoices of the second external forensic expert (who reports solely to the retailer).

The Marriott Breach, the Resulting Class Actions and the Marriott PFI Report

Marriott International, Inc. (Marriott) is a multinational company that manages and franchises a broad portfolio of hotels and related lodging facilities around the world. On November 30, 2018, Marriott announced a data security incident involving unauthorized access to the Starwood guest reservation database containing information relating to as many as 500 million guests. Since then, Marriott claims that attackers who breached its Starwood Hotels unit’s guest reservation system stole personal data from up to 383 million guests — including more than five million unencrypted passport numbers.

Marriot also now asserts that attackers had unauthorized access to its Starwood network of reservations at W Hotels, Sheraton Hotels & Resorts and other properties dating back to 2014, prompting questions about Marriott’s cybersecurity governance and infrastructure as well as suspicion that Marriott negligently missed the breach during its due diligence process before acquiring Starwood in 2016 for $13.6 billion.

The class action frenzy since these events has been nothing short of astounding. A total of 176 plaintiffs from all 50 U.S. states have filed suit against Marriott relating to the Marriott breach. Meanwhile, consumers, financial institutions and governments in various states, such as California, Illinois, New York and Massachusetts have filed dozens more class actions, including a securities class action.

Given the vast scope and number of class actions relating to the Marriott data breach, the plaintiffs agreed to centralize the litigation at a hearing with the Judicial Panel on Multidistrict Litigation. The Judicial Panel: 1) determines whether civil actions pending in different federal districts involve one or more common questions of fact such that the actions should be transferred to one federal district for coordinated or consolidated pretrial proceedings; and 2) selects the judge or judges and court assigned to conduct such proceedings.

The Judicial Panel agreed that consolidating the class action lawsuits into multi-district litigation (MDL) was the best option, also noting that Marriott was headquartered in Maryland and most witnesses would be found in the area and ordering the MDL to reside before Judge Paul Grimm in the Federal District Court of Maryland. The Panel noted in its order:

“[W]e find that centralization…of all actions in the District of Maryland will serve the convenience of the parties and witnesses and promote the just and efficient conduct of this litigation . . . The factual overlap among these actions is substantial, as they all arise from the same data breach, and they all allege that Marriott failed to put in to place reasonable data protections. Many also allege that Marriott did not timely notify the public of the data breach.”

The Marriott Securities Class Actions

The securities class action lawsuit(s) against Marriott and certain of its senior executives assert claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, and SEC Rule 10b-5 promulgated thereunder, on behalf of all persons or entities who purchased or otherwise acquired Marriott common stock between November 9, 2016 through November 29, 2018.

In the first securities class action lawsuit involving Marriott, filed on December 1, 2018, less than one full day (!) after Marriott announced the data security incident, the complaint refers to statements in the company’s SEC filings about the importance of information technology security, alleging that certain statements in Marriott’s SEC filings were false and misleading because: “(1) Marriott’s and Starwood’s systems storing their customers’ personal data were not secure; (2) there had been unauthorized access on Starwood’s network since 2014; (3) consequently the personal data of approximately 500 million Starwood guests and sensitive personal information of approximately 327 million of those guests may have been exposed to unauthorized parties; and (4) as a result Marriott’s public statements were materially false and/or misleading at all relevant times.” Since its initial filing, the plaintiffs have amended their securities class action complaint, and added new and more complete allegations, with the most recent version found here.

Unlike more traditional securities class action lawsuits, the Marriott securities class action lawsuit does not involve allegations of financial or accounting misrepresentations. Instead, it involves allegations that Marriott suffered a significant reverse in its operations, alleging that the company failed to inform investors that the data security incident might occur and that if it did occur it would have a negative impact on the company.

A Brief Aside about the Disclosure of Cyber-Attacks by Public Companies

In particular, public company disclosures relating to cyber-attacks can provide ideal fodder for class action plaintiffs looking for negligent representations, insufficient assertions or misleading statements. There is confusion about not just when a public company should disclose a data security incident, but also what precisely the public company should say about the incident.

For example, per the U.S. Securities and Exchange Commission’s (SEC) February 26, 2018 interpretive guidance relating to disclosures about cybersecurity risks and incidents, when a company has learned of a cybersecurity incident or cyber-risk that is material to its investors, companies are expected to make appropriate disclosures, including filings on Form 8-K or Form 6-K as appropriate. Additionally, when a company experiences a data security incident, the 2018 SEC Guidance emphasizes the need to “refresh” previous disclosures during the process of investigating a cybersecurity incident or past events.

However, on the one hand, with respect to the actual content of a company’s data security incident’s disclosure, the 2018 SEC Guidance allows for a lack of specifics so as not to compromise a company’s security, stating:

“This guidance is not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts – for example, by providing a “roadmap” for those who seek to penetrate a company’s security protections. We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”

But on the other hand, the 2018 SEC Guidance cautions companies not to use any sort of generic “boilerplate” type of language in its disclosures, stating somewhat opaquely:

“We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents. As the Commission has previously stated, we ‘emphasize a company-by-company approach [to disclosure] that allows relevant and material information to be disseminated to investors without boilerplate language or static requirements while preserving completeness and comparability of information across companies.’ Companies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.”

Given the SEC’s schizophrenic approach to disclosing cybersecurity-related events, rather than serving as  safe harbor for public companies, the SEC’s 2018 Guidance ironically has become a beacon for class action plaintiffs.

PSLRA Discovery Stay and the Marriot Securities and Derivatives Tracks

Congress enacted The Private Securities Litigation Reform Act of 1995 (PSLRA) to address perceived abuses in securities fraud class actions. Among those concerns was that the high “cost of discovery often forces innocent parties to settle frivolous securities actions.” In addition, Congress sought to prevent private securities plaintiffs from using frivolous lawsuits as a vehicle “to conduct discovery in the hopes of finding a sustainable claim not alleged in the complaint.”

In furtherance of those goals, the PSLRA provides that “all discovery and other proceedings shall be stayed during the pendency of any motion to dismiss, unless the court finds, upon the motion of any party, that particularized discovery is necessary to preserve evidence or to prevent undue prejudice to that party.”

In the Marriot MDL, there are five case “tracks” (Government, Financial Institution, Consumer, Securities and Derivative). In accordance with the PSLRA, Judge Grimm ordered that all discovery for both the Securities and Derivative Tracks be stayed, until the resolution of Marriott’s pending motion to dismiss.

Judge Grimm also provisionally granted a motion to seal Marriott’s motion to dismiss the Government Track action, which included a copy of the Marriott PFI Report as an exhibit. Currently, redacted versions of these pleadings appear on the docket, although the Marriott PFI Report remains sealed in full.

Class Action Motions Concerning the Marriott PFI

Rather than captioned as traditional orders and motions, to keep costs down, Judge Grimm’s has implemented a case management system in the Marriott MDL, which includes a July 16, 2019 order that any party seeking to file a motion shall first submit a letter, no longer than three pages, stating the facts and bases supporting such relief. This way, the Judge might just rule on the three page letter and avoid the costs of lengthy memoranda, motions, affidavits, etc.

Once a letter is filed, Judge Grimm determines whether to schedule an expedited telephone conference to discuss the requested motion and whether the issues may be resolved or otherwise addressed without the need for formal briefing. This expedited motions procedure apparently meant that Gibson Dunn, the law firm representing Marriott in the class actions, had limited time and space to argue against the release of the Marriott PFI Report (e.g. no room for expert affidavits, documentation of particularities, witness declarations and the many other details and minutia typically presented in an important litigation motion.)

Based on the currently 438 entries in the Marriott MDL docket, the two primary letters seeking the unsealing of the Marriott PFI Report appear to be the following pleadings:

In opposition to the Silverman Letter and the Labaton Sucharow Letter, Marriott submitted the following pleadings:

The Silverman Letter specifically seeks production of the Marriott PFI Report before the deadline for amending its complaint, stating:

“Our position on these matters is consistent with this Court’s emphasis on efficiency and avoidance of unnecessary litigation effort. Requiring production of the PFI Report and other investigative reports related to the Data Breach prior to the deadline for amending complaints will promote efficiency by ensuring that the allegations conform to the available facts, thus eliminating unnecessary discovery and motion practice over allegations based on “information and belief” that may be inconsistent with facts already developed in the PFI and other investigations . . . Early production of the PFI Report, other investigative reports, and all materials provided to government regulators investigating the Data Breach at issue by Marriott will greatly facilitate all parties’ ability to frame the issues in the case for the Court.”

The Labaton Sucharow Letter notes that Marriott had already attached a copy of the PFI Report in their July 15, 2019 motion to dismiss in the Government Track, but had placed the Marriott PFI Report under seal and also argued that the First Amendment mandates that Judge Grimm unseal the Marriott PFI Report.

“It is settled law that the First Amendment and common law protect the public’s access to judicial records . . . Merely attempting to avoid embarrassment, legal liability, or a harm to future business prospects are insufficient reasons under either standard to justify keeping information in judicial records from the public. The party seeking the sealing must overcome the interest of the general public, which includes the financial markets as Marriott is a publicly traded company . . . As an initial matter, these materials are clearly a matter of public interest to investors, consumers, and the American public. . . . Defendants have articulated why they want the materials kept under seal – (1) danger from potential hacking of their systems, (2) competitive harm, and (3) that it would undermine current investigations . . . None of these reasons satisfy the high burden Defendants must meet to rebut the presumption of access and maintain these judicial records under seal.”

The Gibson Dunn Letter reiterates the arguments of Marriott’s July 16 Motion to place the Marriott PFI Report under seal and adds an additional argument relating to the PSLRA discovery stay, stating:

“Plaintiffs’ motion is an attempted end-run around the PSLRA’s discovery stay. The PSLRA, which governs the Securities and Derivative Tracks, imposes an automatic stay on all discovery pending resolution of motions to dismiss. Plaintiffs now seek to expose confidential discovery materials in public court filings, so that they can access discovery that federal law bars them from obtaining at this juncture. [In addition], 1) Sealing the information protects it from criminals that could use it to perpetrate “future cyberattacks.” Disclosure of the sealed information could, for instance, help hackers hone their strategies . . . 2) The compelling governmental interest in shielding ongoing investigations requires keeping certain information sealed; . . . and 3) Marriott’s concern about offering “competitors insight into certain aspects of Marriott’s internal business practices”

Judge Grimm’s Decision

In an August 30, 2019 “Letter Order,” Judge Grimm sided with the plaintiffs, and ordered the unsealing of the Marriott PFI Report, while assigning a magistrate judge to determine if it should contain any “narrowly tailored” redactions (e.g. if Marriott can show with definitive particularity that publication of any portions/sentences of the Marriott PFI Report would “threaten existing operational database systems.”)

With respect to Marriott’s PSLRA arguments, because the unsealing of the Marriott PFI Report was of no monetary cost to the Marriott defendants, Judge Grimm noted that the spirit of PSLRA remained intact and respected. Moreover, because Marriott had attached the Marriott PFI Report to their earlier pleading, Marriott had rendered the Marriott PFI Report a “pleading” and not “discovery material” which did not run “afoul with the PSLRA discovery stay.”

With respect to Marriott’s other arguments, Judge Grimm found that “there is a First Amendment right to access portions of the PFI report and pleadings that cannot be shown to constitute a particularly identified, non-speculative harm.” Judge Grimm writes:

“Defendants argue (without explaining how) that the information could help hackers attack systems Defendants currently use by studying “network infrastructure for handling cardholder data, systems and strategies for securing such information and thwarting attacks, encryption and decryption processes and protocols, and activity logging.” . . . This justification for continuing to seal the entirety of the report is both speculative and generalized. Under this reasoning, none the details of how the Starwood database was compromised could ever be revealed, which would prevent the public from understanding how the data breach occurred in the first place, and it would prevent other entities from learning how to better protect their networks from similar attack. This is hardly in the public interest . . . Second, Defendants’ assertion that unsealing the pleadings and PFI report would interfere with ongoing investigations is equally conclusory and speculative. While Defendants do claim that ongoing investigations would be jeopardized, it is unclear which investigations would be compromised, or how, and therefore this argument fails . . . Lastly, Defendants offer no particularized support for the proposition that sealing the entire PFI report and portions of the Pleadings is necessary to prevent disclosure of commercially sensitive data and internal business practices.”

Judge Grimm then ordered the parties to confer expeditiously with U.S. Magistrate Judge Facciola to determine what portions of the Marriott PFI Report, if any, should be redacted, noting that he “will not wait indefinitely to implement this order [and] should the parties disagree, Judge Facciola shall make a report and recommendations to me for my ultimate determination.”

Judge Grimm Hands Over the Brass Ring

It should come as no surprise that the plaintiffs in the Marriott securities class action lawsuits asked Judge Grimm to unseal the Marriott PFI Report. For a class action plaintiff, the PFI Report is the brass ring of documentary evidence, containing detailed, well-documented and potentially inculpatory opinions and findings relating to the Marriott data breach.

Conducted without any direction, interference or influence from Marriott, and presented without any of Marriott’s objections, disagreements, opposition, etc., the Marriott PFI Report also provides a timely, unique and wholly unfettered analysis of the data breach. Moreover, obtaining a PFI Report early on in a class action can save a plaintiff millions of dollars in discovery-related expenses while also delivering a mammoth strategical advantage.

But herein lies the rub. While the credit card brands may have the very best of intentions, as set forth above, the reality is that the PFI Report is not necessarily the most reliable or even accurate set of findings. In summary:

  • The PFI team is owned and operated by the credit card brands, and is not only be biased but also operates under the cloud of a significant conflict of interest;
  • A retailer has little opportunity to object to the findings of the PFI Report, and is contractually bound not to participate in the PFI’s investigation but rather must stand-down and cooperate fully. In fact, a retailers diminished role in the PFI Report process can become an unexpected and unfair obstacle in determining the true nature and scope of the data breach;
  • If the retailer does disagree with any of the findings of the PFI, it has little ability to dispute the facts documented by the PFI prior to unfavorable facts being turned over to third parties, including class action plaintiffs;
  • The PFI Report typically contains no company addendum or other place to present any of a retailer’s objections or other opposition, even when a retailer has spent millions (or even tens of millions) by engaging their own professional forensics firm who has significant objections to the PFI Report;
  • The intended purpose of a PFI investigation is not necessarily to mitigate damages or help a retailer with an incident response, but rather the PFI’s goal is to minimize potential fraud losses to exposed cards and determine compliance with industry rules related to data security. In other words, the PFI team is on the hunt for negligence, carelessness, recklessness, fraud and blame — not incident remediation and future data breach defense; and
  • The PFI team will not only be conducting an investigation to determine the risk of payment card exposure from a cyber-attack, but also assessing the company’s compliance with the PCI-DSS, which can open up an additional can of worms, perhaps more damaging to a retailer than the data breach itself.

Going Forward

Retailers who experience data security incidents must already deal with a class action blitzkrieg, and Judge Grimm’s recent love letter to the class action bar only adds fuel to that firestorm.

On the one hand, Marriott arguably put the Marriott PFI Report in “play” by attaching it to their motion to dismiss, thereby providing Judge Grimm with a convenient rationale to rule that its release did not violate the PLSRA discovery stay. Perhaps in future securities class actions, if a defendant does not file the PFI Report as part of any pleading, the PSLRA’s statutorily required discovery stay will prohibit any plaintiff from seeing the PFI Report before an opportunity for a dispositive motion, like a motion to dismiss.

But on the other hand, for securities class actions and all other class actions, Judge Grimm’s letter validates a class action plaintiff’s “First Amendment” right to see the PFI Report, which may prompt other judges to grant class action plaintiffs immediate access to it. Such prompt and early access could curtail defendants hopes of winning early pre-trial dispositive motions, while potentially arming class action plaintiffs with an evidentiarily powerful litigation weapon.

Clearly, retailers should take heed of Judge Grimm’s Letter Order and try to prepare for its consequences. One preemptive option for retailers is to conduct “table-top” exercises of a data security incidents at their company, and engage a “mock PFI Team,” comprised of former PFI investigators, to create a “mock PFI Report.”

Reviewing a mock PFI Report could then provide a retailer with a better understanding of what to expect from a PFI Team and enable the retailer to develop the kind of corporate governance and technological infrastructure that would typically result in a more favorable PFI Report. The mock PFI investigation would also provide unique training for IT personnel and others who will have to work with PFI Teams, preparing a company’s employees for what is typically an extremely awkward experience, replete with hazards and pitfalls.

Think of it this way: When opening a new restaurant what better way to obtain an “A” health department rating than to hire a former health department inspector to conduct a mock inspection. The same goes for PCI-DSS compliance.

Table-top exercises also enable organizations to analyze potential emergency situations in an informal environment and are designed to foster constructive discussions among participants as they examine existing operational plans and determine where they can make improvements. Indeed, table-top exercises are a natural fit for information security because they provide a forum for planning, preparation and coordination of resources during any kind of attack.

Retailers should also spend more time on the due diligence of selecting a PFI from the 22 digital forensic companies currently on the PCI SSC List. Retailers should study carefully the credentials and track record of PFI team members, ensuring that their selected PFI team is experienced, fair, objective, meticulous and open to discussions and disagreement.

Not to be too cynical but it would also probably help if the law firm managing a retailer’s data breach response has prior experience with the PFI team and that the PFI team is concerned about their reputation with the law firm (i.e. that the PFI team relies on the law firm for other business). When there exist competing, outside economic interests at issue, it is only human nature for the PFI team to put their best and most fair foot forward during the course of their engagement.

Given that trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year, retailers should anticipate a securities class action lawsuit filing within 24 hours of the announcement of their next (inevitable) data security incident — and they should take steps now to help facilitate an exculpatory PFI Report.

Otherwise, a class action liability skirmish may be over before the retailer has even had a chance to enter the battlefield.

__________________

John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook.”