Is a company’s post-breach forensic report subject to discovery in subsequent breach related litigation? That is the question that John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, examines in the following guest post. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Imagine that you have a history of heart disease in your family, so you hire a cardiologist each quarter to undergo various testing and to discuss the best exercise, diet and other steps to stay healthy. Naturally, the relationship with your cardiologist grows in familiarity, importance and confidence. Now imagine that you suddenly suffer a heart attack but are told you should not visit your trusted cardiologist and must instead engage an entirely new cardiologist to help recover from the heart attack.
Of course, this makes absolutely no sense — but it helps put into context a recent and troubling judicial order involving post-breach digital forensic reports in class actions.
The order, handed down on May 26, 2020 by Magistrate Judge John F. Anderson, pertains to the Capital One Financial Corporation (“Capital One”) class action multi-district litigation (MDL), which consolidated over 60 cybersecurity-related class actions relating to a data security incident announced by Capital One on July 29th, 2019.
Specifically, Judge Anderson granted a motion filed by the plaintiffs in the consumer class action track to compel production of a post-breach digital forensics report drafted by Mandiant, a data breach response firm that Capital One had engaged to help investigate the incident. Judge Anderson found that Capital One failed to meet its burden of establishing that the Mandiant report was entitled to protection under the work product doctrine, because, among other things, Mandiant had a long-standing and pre-existing relationship with Capital One, dating back to at least 2015, to perform essentially the same services.
The consumer plaintiffs’ April 24, 2020 Motion to Compel Production of the Mandiant Report can be found here; Capital One’s May 6, 2020, Opposition can be found here; Capital One’s May 12, 2020, Reply to the plaintiffs’ opposition can be found here; the May 15, 2020 transcript of the hearing can be found here; and Judge Anderson’s May 26, 2020, Memorandum Opinion and Order can be found here. (Capital One’s June 9, 2020, motion to set aside Judge Anderson’s order can be found here, which is opposed by the plaintiffs in a June 12, 2020 response found here, which of course garnered a June 16, 2020, reply from Capital One found here — but we will get to that later.)
Judge Anderson’s ruling evidences a disturbing trend, where judges are taking a hard look at the confidentiality of highly sensitive and confidential post-breach digital forensic reports, now routinely sought by the army of class action lawyers that typically descend upon a victim company within 24 hours after a cyber-attack becomes public. As a result, the question of whether post-breach digital forensic reports are subject to attorney-client privilege and the work product doctrine has begun to divide courts around the country.
Class action lawyers and consumer advocates argue that the reports provide a unique and rare chance to peel back veils of corporate secrecy and understand what really happened before and after a data security incident. But corporate defense lawyers have fought tooth and nail against public or even judicially sealed disclosure of the reports, arguing that the reports are protected by hallowed, historically established and core principles of the attorney-client relationship. Corporate defense lawyers assert that these sacred protections allow corporate executives to manage data security incidents without fear that their words could later be used against them in litigation.
Not surprisingly, amid post-breach litigation, there typically arises an intense battle over the confidentiality of post-breach digital forensic reports, forcing courts to interpret and nuance conventional notions of attorney-client privilege and work product doctrine in an entirely new context, which can sometimes result in inconsistent or disappointing court decisions.
Although only a handful of courts have addressed attorney-client privilege and work product protection in the context of post-breach forensic reports, trends and best practices are beginning to emerge and crystalize, providing some keen insight on how to keep forensic reports confidential. Along those lines, this article:
- Takes an analytical deep dive into the Capital One decision;
- Provides some background regarding digital forensic reports, explaining their evolution, iterations and inherent challenges;
- Discusses the evolving battle that now routinely occurs over post-breach digital forensic reports;
- Reviews the range of recent federal cases where judges have addressed the issue of the confidentiality of digital forensic reports, including several cases which are particularly troubling; and
- Offers some options and best practices going forward that companies and their legal teams can use to balance, on the one hand, the need for a report that codifies a cohesive, understandable, objective and unmerciful investigation of a data security incident, but on the other hand, contemplates the inevitable and excruciating weaponization of that report by class action lawyers.
The Capital One Decision
Unlike some judicial orders concerning post-breach digital forensic reports, Judge Anderson’s decision is lengthy and thorough, and offers a panoramic view into the current legal landscape relating to the confidentiality of post-breach digital forensic reports.
Judge Anderson’s decision hinges on whether Mandiant’s work was merely general consulting services and directed by Capital One (and thereby not protected by the work product doctrine) or was instead in anticipation of litigation and directed by counsel (and thereby considered attorney-client work product).
The work-product doctrine is a court-created exemption of materials from discovery, preventing an opposing party from reviewing materials that a party or its counsel has prepared for the prosecution or defense of a claim. Federal Rule of Evidence 502 defines work-product protection as “the protection that applicable law provides for tangible material (or its intangible equivalent) prepared in anticipation of litigation or for trial.”
The Capital One/Mandiant Engagement Timeline
In deciding whether Mandiant’s work constitutes attorney work product, Judge Anderson focuses on the lynchpin concept of “anticipation of litigation” and explores in detail the nature of the relationship between Capital One and Mandiant. Simply stated, if the Mandiant report was not created in anticipation of litigation, then per Judge Anderson, it is not subject to the work-product doctrine protection. Thus, Judge Anderson intensely focuses upon the following Capital One/Mandiant engagement timeline:
November 30, 2015: Capital One enters into a master services agreement (“MSA”) with FireEye, Inc. and Mandiant, and thereafter enters into periodic statements of work (“SOW”) and purchase orders with Mandiant pursuant to the MSA. For Capital One, one purpose of the MSA and associated SOW was to ensure that Capital One could “immediately respond to any potential compromise of the security of its systems.”
July 19, 2019: Capital One determines that there was unauthorized access by an outside individual who obtained certain types of personal information relating to consumers who had applied for its credit card products and to Capital One credit card customers.
July 20, 2019: Capital One retains a law firm to provide legal advice in connection with the data security incident.
July 24, 2019: The law firm and Capital One sign a letter of agreement with Mandiant whereby Mandiant agrees to provide services and advice concerning “computer security incident response digital forensics, log, and malware analysis; and incident remediation.” The letter agreement provides that the payment terms were to be the same as those set forth in the most recent Capital One/Mandiant SOW dated January 7, 2019. Furthermore, Mandiant and the parties would abide by the applicable terms in the SOW and MSA between Capital One and Mandiant dated November 30, 2015. While the new letter agreement provided for the same services to be performed by Mandiant under the same terms as the SOW and MSA, the new letter agreement now provided that the work would be done at the direction of counsel and the deliverables would be provided to counsel instead of Capital One.
July 26, 2019: An addendum to the letter agreement was prepared whereby the engagement of services would also include penetration testing of systems and endpoints.
July 29, 2019: Capital One issues a public announcement concerning the data breach, which affected approximately 100 million individuals in the United States and approximately 6 million in Canada. The information included personal information Capital One routinely collected at the time it received credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. The attacker also obtained about 140,000 Social Security numbers of credit card customers and about 80,000 linked bank account numbers of secured credit card customers. The following day the first of over 60 class action lawsuits was filed against Capital One asserting various claims based on the data breach.
September 4, 2019: Mandiant submits to counsel a digital forensics report detailing the technical factors that allowed the criminal hacker to penetrate Capital One’s cybersecurity defenses. The Mandiant report is initially sent to the law firm, who in turn provided the report to Capital One’s legal department and Capital One’s Board of Directors. The plaintiffs claim that at least 50 Capital One employees, an accounting firm and a slew of regulators (Federal Deposit Insurance Corporation, Federal Reserve Board, Consumer Financial Protection Bureau and Office of the Comptroller of the Currency), were also provided copies of the Mandiant report.
October 2, 2019: The Judicial Panel on Multidistrict Litigation orders that the over 60 class actions pertaining to the Capital One data breach are to be consolidated and sent to federal court in northern Virginia (near Capital One’s headquarters), in the Eastern District of Virginia. Judge Anthony J. Trenga of the U.S. District Court for the Eastern District of Virginia is selected to preside over the consolidated cases. Judge Trenga follows his usual practice with respect to the role of the magistrate judge, and all non-dispositive motions not requiring a ruling by Judge Trenga are initially referred automatically to Magistrate Judge John F. Anderson for consideration.
December 2019: Expenses associated with the work Mandiant performed relating to the data breach are re-designated as legal expenses and deducted against Capital One’s legal department’s budget. Prior to this change: 1) for its initial work under the letter agreement, Capital One paid Mandiant out of the retainer already provided to Mandiant under the January 7, 2019 SOW between Mandiant and Capital One; and 2) for its work after the retainer amount became exhausted, Capital One paid Mandiant directly through its budget for the cyber organization.
The Crux of Judge Anderson’s Ruling
In short, according to Judge Anderson, Capital One could not meet its burden that the work-product doctrine applied because: 1) the SOW and MSA provided for virtually identical services to be performed before and after the discovery of the Capital One data breach; and 2) Capital One would have likely ordered Mandiant’s report even if it did not expect legal action.
In other words, Judge Anderson found the determinative issue was whether the Mandiant report would have been prepared in substantially similar form “but for the prospect of that litigation.” Even though the Mandiant investigation was done at the direction of outside counsel, Judge Anderson noted that the retention of outside counsel does not, by itself, turn a document into work product:
“Capital One had a long standing relationship with Mandiant and had a pre-existing SOW with Mandiant to perform essentially the same services that were performed in preparing the subject report. The services to be provided in the January 7, 2019 SOW are the same services described in the letter agreement. Capital One’s senior manager of the cybersecurity operations center and the person responsible for managing Capital One’s relationship with Mandiant acknowledged that as a financial institution that stores sensitive financial and other sensitive information, it is critical that it be positioned to immediately respond to any potential compromise of the security of its systems. The retainer paid to Mandiant was considered a business critical expense and not a legal expense at the time it was paid. While the fact that the Mandiant report was provided to four different regulators and to Capital One’s accountant may not necessarily constitute a waiver, it does show that the results of an independent investigation into the cause and the extent of the data breach was significant for regulatory and business reasons. This independent investigation was also used internally for Sarbanes-Oxley disclosures and was referenced in draft FAQs prepared by a senior vice president for finance prior to the public announcement of the data breach. The only significant evidence that Capital One has presented concerning the work Mandiant performed is that the work was at the direction of outside counsel and that the final report was initially delivered to outside counsel . . .”
Judge Anderson otherwise demurs on the issues of “waiver” and “substantial need.” (The work product privilege may be waived, and a party seeking attorney work product may obtain the material by showing a substantial need for the document and undue hardship in obtaining substantially equivalent information.) Judge Anderson stated in a footnote:
“Given the ruling on the work product issue based on the “because of” standard, it is not necessary to address the waiver or substantial need issues discussed by the parties in their briefs. That said, it appears that the waiver argument may have some merit given the lack of evidence presented in this motion concerning the distribution of the Mandiant Report and what protections were taken to avoid having the Mandiant Report with the information contained therein disclosed to a party or entity in an adversarial relationship. As to the substantial need, while it would be more efficient for the plaintiffs to have the results of Mandiant’s investigation, based on the current record, it appears that the event logs and network diagrams reviewed by Mandiant may be available to the plaintiff.”
Post-Breach Digital Forensic Reports Generally
As with any other security incident at a company, in the aftermath of a cyber-attack the company typically conducts an investigation of the incident. The company’s investigation often culminates in a “digital forensics report,” which, just like a physician’s physical examination report, must be independent, methodical and seek the truth.
In the end, just like a physician’s blood tests and other medical analysis can provide critical guidance for the remediation, and future prevention, of health issues, digital forensic investigative findings and other high-tech analysis can provide critical guidance for the remediation, and future prevention, of cyber-attacks and other data security issues.
But conducting digital forensic investigations is more of an art than a science and even the most damning post-breach digital forensic reports might not necessarily be inculpatory or trigger liability. Given the challenges associated with data breach investigations, digital forensic reports can also contain a patchwork of hypothesizing, speculation, supposition and simple old-fashioned guesswork, sometimes rendering them overly subjective, skewed or even mistaken.
Digital forensic evidence of a data security incident is rarely in plain view; it can rest among disparate logs (if they even exist), volatile memory captures, server images, system registry entries, spoofed IP addresses, snarled network traffic, haphazard and uncorrelated timestamps, Internet addresses, computer tags, malicious file names, system registry data, user account names, network protocols and a range of other suspicious activity. Evidence can also become difficult to nail down — logs are destroyed or overwritten in the course of business; archives become corrupted; hardware is repurposed; and the list goes on.
Just like medical reports, digital forensic reports can sometimes be spot-on and definitive; can sometimes be on shaky ground and replete with high-tech gumshoe conjecture; and can sometimes reside somewhere in-between the two.
The Battle Over the Post-Breach Digital Forensic Report
To class action plaintiffs, just like an Italian opera’s libretto can provide a valuable guide for non-Italian speaking neophyte spectators, a digital forensic report can provide the same plain English post-mortem for lawyers (and jurors) in the aftermath of a cyber-attack. Therefore, despite their inherent subjectivity and varying degrees of reliability, class action lawyers still clamor for post-breach digital forensic reports, heralding the reports as the kind of smoking gun evidence that can prompt a quick and hefty settlement.
Meanwhile, the victim companies that engage digital forensic firms to help investigate data security incidents are equally loath to produce post-breach digital forensic reports to class action counsel. First, post-breach digital forensic reports contain some of the most proprietary, secret and intimate details pertaining to a company’s technological infrastructure and corporate governance. Second, at first glance, post-breach digital forensic reports can appear to provide a roadmap of potential negligence, recklessness or even intentional wrongdoing by a victim corporation. Finally, plaintiffs’ lawyers can sometimes exploit post-breach digital forensic reports for their own advantage, at the expense of a company’s sincere effort to beef up its cybersecurity and thwart future cyber-attacks.
The Digital Forensic Report as Attorney Work Product
Given the litigation onslaught that typically follows a data breach at any organization, the legal teams conducting post-breach investigations will typically attempt to shield from discovery documents protected by the attorney-client privilege and the work product doctrine – especially post-breach digital forensic reports.
Historically, the involvement and direction of counsel in the context of any investigation, including investigations of data security incidents, would ensure the confidentiality of the work product produced not only directly by the legal team but also by the legal team’s outside advisors, such as digital forensic investigators. However, the law in this area has become somewhat blurred, causing data breach response lawyers to pause and perhaps rethink their approach towards the engagement of, and collaboration with, digital forensic firms.
Class action plaintiffs in particular now commonly challenge claims of privilege/work product and routinely seek a broad range of documents in discovery about data breaches, including analyses, communications and, of course, forensic reports. In turn, federal courts have begun to apply a heightened degree of scrutiny to the intricate and interwoven relationships of companies, their legal teams and their forensic investigatory experts.
To date, a limited but growing hodgepodge of legal precedent has begun to take shape concerning the confidentiality of post-breach digital forensic reports in particular. In addition to the Capital One decision, the issue has also arisen in data breaches at Experian; Premera BlueCross; Dominion Dental; Marriott; Arby’s; Target; Genesco; and Albertsons (each discussed below).
In re Experian Data Breach Litig., Case No. SACV 15-01592 AG (C.D. Cal. May 18, 2017) (“Experian”)
In Experian, Judge Andrew J. Guilford reaches a different conclusion from Capital One, under very similar circumstances – including the common fact that Capital One and Experian both engaged Mandiant to investigate a data security incident.
After a data breach at Experian, the company’s outside counsel retained Mandiant for a breach analysis. Experian asserted that the sole purpose of Mandiant’s work was to assist its law firm with legal advice provided to Experian regarding the attack. A class action lawsuit followed the breach announcement, and during discovery, the plaintiff sought Mandiant’s digital forensic report and other documents related to the Mandiant investigation.
Like Capital One, Experian claimed that the work product doctrine barred the plaintiff’s request and Judge Guilford agreed. According to Judge Guilford, even though Experian had independent business duties to investigate any data breaches and it hired Mandiant to do exactly that, the retainer did not somehow bar Experian’s lawyers from asserting that the Mandiant report was attorney work product. The Mandiant team conducted their investigation and prepared their report in anticipation of litigation, which was enough to warrant confidential attorney work product protection. In Experian, unlike in Capital One, the fact that Mandiant had already done work for Experian did not alter Judge Guilford’s conclusion.
In Capital One, Judge Anderson distinguished Experian because the complete Mandiant report was not provided to the incident response team or for other non-legal needs, and there was no pre-existing relationship with Mandiant to the same extent as in Capital One. Judge Anderson stated:
“One significant difference between the facts in Experian and the facts in this case is that Capital One had an existing SOW and MSA with Mandiant at the time of the data breach that was effectively transferred to outside counsel. As set out in the SOW and letter agreement, the work to be performed by Mandiant was the same, the terms were the same but the work was to be performed at the direction of outside counsel and the final report delivered to outside counsel. The retention of outside counsel does not, by itself, turn a document into work product. While it is true that in Experian the report was not given to Experian’s response team, it appears that at least several members of Capital One’s cyber technical, enterprise services, information security and cyber teams were provided with a copy of the Mandiant report, and that it was used by Capital One for various business and regulatory purposes. As each case must be determined on its own facts and circumstances, the court cannot come to the same conclusion as the court in Experian that the work performed by Mandiant would not have been done in substantially the same form or with the same content.”
In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230 (D. Or., October 27, 2017) (“Premera”)
In March of 2015, Premera, a not-for-profit Blue Cross Blue Shield licensed health plan provider based out of Washington State, issued a press release stating that it had been the victim of a data breach. Premera disclosed that there were potentially 11 million victims, that the breach was discovered in January 2015 but took place eight months earlier, and that compromised data included medical and financial information of current and former customers.
Over thirty class actions were filed against Premera, which were eventually consolidated before Judge Michael H. Simon, in the U.S. District Court for the District of Oregon. Premera also announced that it was working with Mandiant, as well as the FBI to investigate the attack. In discovery, plaintiffs sought documents relating to work performed by Mandiant. Judge Simon ordered Premera to produce a large chunk of the requested documents prepared by Mandiant, including a post-breach Mandiant digital forensics report.
Like Capital One, Premera had originally hired Mandiant before its data breach (in October 2014) for a statement of work that included reviewing the data security of Premera’s data management system. On January 29, 2015, Mandiant discovered the existence of malware in Premera’s system, and on February 20, 2015, Premera hired outside counsel in anticipation of litigation as a result of the breach. The next day, on February 21, 2015, Premera and Mandiant entered into an amended statement of work that shifted supervision of Mandiant’s work from Premera to outside counsel. However, the amended statement of work did not otherwise change the scope of Mandiant’s work from what was described in the Master Services Agreement between Mandiant and Premera entered into on October 10, 2014.
The court found that the materials were not protected by the work product doctrine because the amended statement of work failed to evidence that Mandiant’s focus shifted to that of an investigator working on behalf of outside counsel.
From Judge Simon’s perspective, the scope of the work did not change and the nature of the investigation remained the same, which eviscerated any protection as attorney work product. Judge Simon wrote:
“Premera argues that Mandiant is the equivalent of a private investigator or other investigative resource hired by an attorney to conduct an investigation on behalf of an attorney, and that Mandiant’s work is privileged and protected as work product . . . The flaw in Premera’s argument, however, is that Mandiant was hired in 2014 to perform a scope of work for Premera, not outside counsel. That scope of work did not change after outside counsel was retained. The only thing that changed was that Mandiant was now directed to report directly to outside counsel and to label all Mandiant’s communications as ‘privileged,’ ‘work product’ or ‘at the request of counsel.’”
Judge Simon distinguished Experian from Premera, because unlike Experian, where outside counsel was hired by the company and outside counsel then hired Mandiant, Premera had already hired Mandiant, which was performing an ongoing investigation under Premera’s supervision before outside counsel became involved. Judge Simon held that Premera had the burden of showing that Mandiant changed the nature of its investigation, and failed to meet that burden. Judge Simon did allow that Premera could properly withhold materials that were not “dual purpose,” were prepared “for the purpose of communicating with an attorney” for legal advice, or did contain “the mental impressions of counsel prepared in anticipation of litigation.”
The plaintiffs in Capital One cited Premera to support their motion, while Capital One attempted to distinguish Premera from its own case. Judge Anderson sided with the plaintiffs, noting:
“Capital One attempts to distinguish [Premera] on the basis that at the time of the data breach Mandiant was not performing an ‘ongoing investigation.’ While it is true that there was no ongoing investigation at the time of the data breach or a subsequent discovery, the court finds the fact that there was an existing SOW with a paid retainer that obligated Mandiant to perform 285 hours of service for Capital One in 2019, at the time of the data breach and its discovery, to be significant. Again, Capital One has not carried its burden of showing that Mandiant’s scope of work under the Letter Agreement with outside counsel was any different than the scope of work for incident response services set forth in the existing SOW and that it would not have been performed without the prospect of litigation.”
In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190 (E.D. Va. Dec. 19, 2019) (“Dominion Dental”)
As he did with Premera, Judge Anderson found the Dominion Dental decision “particularly helpful.” In Dominion Dental (also in the E.D. Va.), Judge Michael S. Nachmanoff found that Dominion Dental had failed to show that a Mandiant report would not have been completed in substantially similar form but for the prospect of litigation and granted the plaintiffs’ motion to compel.
Similar to Capital One, before suffering a data breach, Dominion Dental had hired Mandiant “to investigate, prevent, and remediate data breaches.” Specifically, when Dominion Dental experienced a cyber-attack, Dominion Dental and its outside counsel had a statement of work with Mandiant whereby Mandiant was to provide incident response services including “computer incident response support, digital forensics support, advanced threat act support, and advanced threat front/incident assistance.”
After the data breach was discovered, Dominion Dental’s outside counsel then entered into another statement of work with Mandiant incorporating the previous statement of work and master services agreement and including virtually the same deliverables as the statement of work that was in existence prior to the breach. Dominion Dental noted a reference in a list of talking points to retain Mandiant to investigate the incident and that the Mandiant report appears to have been used with Dominion Dental’s regulators.
Dominion Dental argued that the Mandiant report was created “to inform legal counsel and litigation strategy” and was therefore protected work product. But Judge Nachmanoff found that Dominion Dental had failed to show that the Mandiant report would not have been completed in substantially similar form but for the prospect of litigation and granted the plaintiffs’ motion to compel.
Despite a statement in an affidavit from Dominion Dental that the Mandiant report would not have been prepared in a substantially similar form and may not have been necessary at all without the threat of litigation, Judge Nachmanoff still held that Dominion Dental had failed to meet its burden, relying heavily upon the fact that the description of services in the statement of work in existence prior to the data breach was “almost identical” to the services in the post-data-breach statement of work.
Capital One attempted to distinguish Dominion Dental but did not persuade Judge Anderson, who noted that in Dominion Dental, the fact that the post-data-breach statement of work indicated that the work was to be under the direction of counsel did not alter the business purposes of the work to be performed. Moreover, Judge Anderson clearly believed that when Capital One changed Mandiant’s SOW to be “under the direction of counsel,” Capital One was undertaking a self-serving ploy “designed to help shield the report from disclosure.” Judge Anderson wrote:
“Capital One’s attempts to distinguish the Dominion Dental decision are unpersuasive. First, Capital One has not shown that the nature of the work Mandiant had agreed to perform changed when outside counsel was retained . . . The statement of work and master services agreement provided for virtually identical services to be performed before and after the data breaches were discovered . . . Capital One argues that ‘there was no evidence in Dominion Dental that the fruits of Mandiant work were used for legal purposes.’ However, the record in Dominion Dental included an affidavit that the Mandiant report would not have been prepared in substantially similar form without the threat of litigation and that the statement of work was modified to provide that the work was to be performed under the direction of counsel and if requested by counsel.”
In re Marriott International Inc. Customer Data Security Breach Litigation, MDL No. 2879 (District of Maryland, Aug. 30, 2019) (“Marriott”)
Though it involves an entirely different type of post-breach digital forensic report, a PFI Report (explained more fully below), Marriott is yet another example of the calculus and thought process judges undertake when considering the confidentiality of digital forensic reports, and is worthy of some analysis.
By way of background, on November 30, 2018, Marriott announced a data security incident involving unauthorized access to the Starwood guest reservation database containing information relating to as many as 500 million guests. Since then, Marriott claims that attackers who breached its Starwood Hotels unit’s guest reservation system stole personal data from up to 383 million guests — including more than five million unencrypted passport numbers.
In Marriott, the class action frenzy since these events has been nothing short of astounding. A total of 176 plaintiffs from all 50 U.S. states have filed suit against Marriott relating to the Marriott breach. Meanwhile, consumers, financial institutions and governments in various states have filed dozens more, including a securities class action. Ultimately all of the class actions were consolidated into an MDL in Maryland (where Marriott has its headquarters).
The Marriott PFI Report
Once a data security incident occurs where credit card information is compromised, an investigation ensues in order to determine whether the company must incur any penalties or pay for any system modifications required to achieve PCI-DSS compliance. PCI-DSS is a set of requirements created to help protect the security of electronic payment card transactions that include personal identifying information of cardholders, and operates as an industry security standard for organizations utilizing credit card information. PCI-DSS applies to all organizations that hold, process or pass credit card holder information and imposes requirements upon those entities for security management, policies, procedures, network architecture, software design and other critical measures that help to protect customer credit and debit card account data.
When a cyberattack targets electronically transmitted, collected or stored payment card information, whether the retailer has met PCI-DSS compliance quickly becomes an intense area of inquiry. For instance, the card brands may levy significant fines and penalties on retailers that are not in compliance with PCI-DSS. Along these lines, the retailer is contractually obligated to hire a specially certified PCI-approved forensic investigative firm, also known as a PFI, from a small and exclusive list of card brand approved “Qualified Security Assessor companies” (currently composed of about 22 companies). The PCI Security Standards Council maintains an in-depth program for forensic companies seeking to be certified as PCI Forensic Investigators and placed on this list, and firms must be re-certified as PFIs each year.
The PFI team then performs a specified list of investigative tasks including writing a final report about the data security incident — the PFI report — that is issued to both the retailer and the various credit card companies. The PFI report then becomes the basis used by the card brand companies to calculate potential fines that will be levied against the acquiring banks. These fees are then passed along to the victim company in the form of indemnification.
Class Action Motions Concerning the Marriott PFI Report
Since a PFI report is not necessarily prepared in anticipation of litigation, it is arguably not work product and can be discoverable (though perhaps redacted) during a class action or any other litigation. However, in the Marriott matter, the question was when, not if, the class action plaintiffs could view the report – which is particularly important in the context of securities-related class actions (where, per the Private Securities Litigation Reform Act, discovery is typically stayed until after the ruling on any motion to dismiss).
Though presenting an altogether different issue than Capital One, Experian and the rest, the Marriott decision is still an important decision worthy of analysis through a different lens, i.e. the public’s right to access post-breach digital forensic reports.
In the Marriott MDL, there are five case “tracks” (Government, Financial Institution, Consumer, Securities and Derivative). In accordance with the Private Securities Litigation Reform Act of 1995 (PSLRA), Judge Grimm ordered that all discovery for both the Securities and Derivative Tracks be stayed until the resolution of Marriott’s pending motion to dismiss. Judge Grimm also provisionally granted a motion to seal Marriott’s motion to dismiss the Government Track action, which included a copy of the Marriott PFI Report as an exhibit.
Much to the dismay of Marriott, and in an unexpected Marriott MDL twist, the lead securities class action plaintiffs sought production of the Marriott PFI Report in their track before the deadline for amending their complaint, stating:
“Requiring production of the PFI Report and other investigative reports related to the Data Breach prior to the deadline for amending complaints will promote efficiency by ensuring that the allegations conform to the available facts, thus eliminating unnecessary discovery and motion practice over allegations based on “information and belief” that may be inconsistent with facts already developed in the PFI and other investigations . . . [and] will greatly facilitate all parties’ ability to frame the issues in the case for the Court.”
The lead securities class action plaintiffs also argued that the First Amendment mandated the unsealing of the Marriott PFI Report, stating:
“It is settled law that the First Amendment and common law protect the public’s access to judicial records . . . Merely attempting to avoid embarrassment, legal liability, or a harm to future business prospects are insufficient reasons under either standard to justify keeping information in judicial records from the public . . . Defendants have articulated why they want the materials kept under seal – (1) danger from potential hacking of their systems, (2) competitive harm, and (3) that it would undermine current investigations . . . None of these reasons satisfy the high burden Defendants must meet to rebut the presumption of access and maintain these judicial records under seal.”
Marriott argued against the unsealing of the PFI Report, stating:
“Plaintiffs’ motion is an attempted end-run around the PSLRA’s discovery stay. The PSLRA, which governs the Securities and Derivative Tracks, imposes an automatic stay on all discovery pending resolution of motions to dismiss. Plaintiffs now seek to expose confidential discovery materials in public court filings, so that they can access discovery that federal law bars them from obtaining at this juncture. [In addition], 1) Sealing the information protects it from criminals that could use it to perpetrate “future cyberattacks.” Disclosure of the sealed information could, for instance, help hackers hone their strategies . . . 2) The compelling governmental interest in shielding ongoing investigations requires keeping certain information sealed; . . . and 3) Marriott’s concern about offering “competitors insight into certain aspects of Marriott’s internal business practices”
Judge Grimm’s Decision
In an August 30, 2019 “Letter Order,” Judge Grimm sided with the plaintiffs, and ordered the unsealing of the Marriott PFI Report, while assigning a magistrate judge to determine if it should contain any “narrowly tailored” redactions.
With respect to Marriott’s PSLRA arguments, because the unsealing of the Marriott PFI Report was of no monetary cost to the Marriott defendants, Judge Grimm noted that the spirit of PSLRA remained intact and respected. Moreover, because Marriott had attached the Marriott PFI Report to their earlier pleading, Marriott had rendered the Marriott PFI Report a “pleading” and not “discovery material” which did not run “afoul with the PSLRA discovery stay.”
With respect to Marriott’s other arguments, Judge Grimm wrote:
“Defendants argue (without explaining how) that the information could help hackers attack systems Defendants currently use by studying “network infrastructure for handling cardholder data, systems and strategies for securing such information and thwarting attacks, encryption and decryption processes and protocols, and activity logging.” . . . This justification for continuing to seal the entirety of the report is both speculative and generalized. Under this reasoning, none of the details of how the Starwood database was compromised could ever be revealed, which would prevent the public from understanding how the data breach occurred in the first place, and it would prevent other entities from learning how to better protect their networks from similar attack. This is hardly in the public interest . . . Second, Defendants’ assertion that unsealing the pleadings and PFI report would interfere with ongoing investigations is equally conclusory and speculative. While Defendants do claim that ongoing investigations would be jeopardized, it is unclear which investigations would be compromised, or how, and therefore this argument fails . . . Lastly, Defendants offer no particularized support for the proposition that sealing the entire PFI report and portions of the Pleadings is necessary to prevent disclosure of commercially sensitive data and internal business practices.”
For securities class actions and all other class actions, Judge Grimm’s letter arguably validates a class action plaintiff’s “First Amendment” right to see the PFI Report, which may prompt other judges to grant class action plaintiffs immediate access to it.
Other Relevant Decisions
The battle for post-breach digital forensic reports is just one of the litany of discovery-related squabbles that typically occur throughout litigation, which some judges might not deem worthy of a detailed and published decision. With this in mind, while the cases below might arguably lack the kind of judicial substance necessary for unshakable precedential value, each remains worthy of study nonetheless.
- New Albertson’s, Inc. v. MasterCard International, No. 01-17-04410, slip op. (Idaho 4th Dist. Ct., Ada Cty., May 31, 2019). In this matter, MasterCard filed a motion to compel certain documents, including a post-breach digital forensics report, relating to the internal investigation Supervalu and Albertson’s conducted of the intrusion into Supervalu’s IT network in the summer and fall of 2014, independent of the investigation performed by the separately engaged security firm, SecurityMetrics. MasterCard argued that Albertson’s and Supervalu could not provide a privilege cloak over an investigation that they would have done regardless of the threat of litigation. As in Target and Genesco (see below), the court held here that certain work done by a forensic investigator engaged by the two companies following a data breach was protected by the attorney-client privilege, because the work was done principally for a legal purpose. The court was “mindful that a party cannot protect an otherwise discoverable fact from discovery by retrospectively (or as a matter of pretext) claiming privilege,” but still held that Supervalu and Albertson’s properly claimed and observed the privileges with respect to the Dell retention, and that Supervalu and Albertson’s acted under a common interest as defined by Idaho’s Rules of Lawyer-Client Privilege (IRE 502(b)) after August 1, 2014 with respect to the Dell retention and discussions with Dell. Although one of the companies had initially engaged the investigator directly (not through counsel), the company eventually engaged more experienced outside cyber counsel who, in turn, entered into a new engagement with the investigator and began directing the work of the forensic investigator in anticipation of litigation.
- In re Arby’s Rest. Grp., Inc. Data Sec. Litig., No. 1:17mi55555-WMR (N.D. Ga. March 25, 2019) (“Arby’s”). This decision is something of a mixed bag. On the one hand, the court held that Arby’s hired Mandiant to produce a report in anticipation of litigation and for other legal purposes – so the report constituted attorney work product. On the other hand, the court held that the plaintiffs failed to prove that Mandiant’s analyses could not be duplicated by simply reviewing the underlying information used by Mandiant and two other digital forensic firms providing consulting services, CrowdStrike and Dell SecureWorks. Therefore, the court ordered Arby’s to provide the plaintiffs with the underlying information used by Mandiant in the Mandiant investigation, but concluded that the final and interim analyses by Mandiant were work product and privileged attorney-client communications between Mandiant and counsel. The order in Arby’s offers little detail of the legal analysis behind the conclusion.
- In re Target Corp. Customer Data Sec. Breach Litig., 2015 WL 6777384 (D. Minn. Oct. 23, 2015). In Target, the court held that documents relating to a forensic investigation performed to provide legal advice to the company were privileged and work product, primarily because of the dual track of two distinct digital forensic reports. Following its breach, Target established a task force at the request of Target’s in-house lawyers and its retained outside counsel to educate Target’s attorneys about aspects of the breach and facilitate counsel providing Target with informed legal advice. Because the matter involved credit cards, Target initiated two forensic investigations (both by the forensic firm Verizon) – the first to enable counsel to advise Target in anticipation of litigation and regulatory inquiries, and the second to complete the PFI Report, which (as described above in the Marriott discussion) was required by several credit card brands. Target conceded that the PFI Report was not protected by privilege or the work-product doctrine. The court allowed production of certain information (emails to Target’s Board of Directors which updated the Board on Target’s business-related interests), but held that information relating to Verizon’s investigation for the data breach task force was protected by the attorney-client privilege and work-product doctrine. The court reasoned that there were forensic images among the PFI documents that plaintiffs could use to learn how the data breach occurred and how Target responded. Because this order merely announces a ruling on several challenged documents following an in camera review by the court, it lacks concrete guidance addressing the issue of the work product doctrine and post-breach digital forensic reports.
- Genesco, Inc. v. Visa, Inc., No. 3:13-cv-00202 (M.D. Tenn. Mar. 25, 2015) (“Genesco”). In Genesco, the court denied Visa’s request for discovery relating to materials produced by two security firms that Genesco’s counsel engaged to, respectively: 1) investigate alleged past violations of PCI-DSS; and 2) assist in efforts to comply with PCI-DSS. The court ruled that both sets of materials were protected. The order refers to reasons stated in open court for its ruling and thereby lacks definitive substantive guidance on determining whether the work product doctrine applied. However, Genesco sets itself apart from the other decisions because the court directly addressed whether forensic reports are protected by attorney-client privilege (as opposed to the work product doctrine). The court reasoned that Genesco retained a digital forensic firm to provide consulting and technical services to assist counsel in rendering legal advice to Genesco, and therefore the attorney-client privilege protected not only the attorneys’ factual investigations, but also the attorneys’ communications with agents and experts who are retained for the purpose of providing legal advice. In short, the court held that the reports “fell comfortably within the protections of the attorney-client privilege” because they were: (1) prepared by the forensic firm at the direction of outside counsel; and (2) prepared to aid counsel in providing legal advice. In its original 2014 opinion, the court reasoned that in principle, cybersecurity consultants are no different than accounting consultants, whose work product and communications have traditionally been held to be subject to the attorney-client privilege because the “concepts are a foreign language to some lawyers in almost all cases . . . [h]ence . . . the presence of the [consultant] is necessary, or at least highly useful, for the effective consultation between the client and the lawyer which the privilege is designed to permit.”
Four Engagement Options
Judges will always consider the issue of work product and post-breach digital forensic reports on a fact-intensive case-by-case basis. But taken altogether, Capital One and the rest of the above referenced cases offer some critical lessons for legal teams to consider when engaging digital forensic experts. Four options for the legal teams include:
- Start Anew. Upon the occurrence of a data security incident, engage a forensic firm that has never done any work at the victim company and draft a carefully written engagement letter and corresponding statement of work along those lines. This likely entails hiring two digital forensic firms with two distinct functions – one for mitigation (whose reports can be shared with regulators, auditors, etc.), and one for litigation (whose reports are kept confidential);
- Just the Facts, Ma’am. Instead of a post-breach report, direct the engaged forensic firm to draft a letter to the law firm laying out a summary of nonprivileged factual findings – such as the names and characteristics of any indicators of compromise, together with a discussion of any remnants, artifacts or fragments of any files left by the attacker. The letter should not contain any conclusions relating to exfiltration, attribution or even the precise parameters of the attack vector – those subjects can be covered during oral discussions. Forensic investigators should be instructed not to speculate. Nor should the letter’s language convey judgments – whether legal or based on recognized industry standards. Drafts of the letter, carefully labeled as privileged communications seeking legal advice and input, can be sent from the forensic firm to counsel. This approach actually makes sense under any circumstance: conclusions relating to a cyber-attack (often the subject of intense debate, increasingly subjective opinions, lots of assumptions and suppositions, and always meticulously qualified) are probably best suited for oral read-outs rather than the written word; or
- Skip Drafting a Report. If a report is not specifically required by contract or law, eschew the drafting of a forensic report altogether. Criminal defense lawyers conducting internal investigations of wrongdoing (from insider trading and employee theft to financial reporting fraud and money laundering) are notorious for presenting only oral reports to boards of directors. After all, aside from being extraordinarily expensive, written investigative reports not only invite litigation, they can also spark further debate, confusion and unnecessary management drag; or
- Roll the Dice. Hire the retained forensics firm to conduct the data breach investigation, but take some special steps in light of Capital One and other cases, including:
- Drafting appropriate incident-specific engagement documentation explaining that any new work performed by the forensics firm would not have been prepared in substantially similar form without the threat of litigation. The nature and scope of work should be distinct from generalized ongoing services and customized solely to manage the new breach;
- Taking actions that show the forensics firm’s investigation, and its report, were produced and disseminated for the purpose of legal defense and not for business operations or regulatory compliance. This will of course make little sense for a victim-company because an incident response report can, and probably should, be used to serve both a business purpose and a legal purpose. Indeed, failing to share a report’s insights across an executive suite will feel more akin to corporate negligence or even recklessness rather than a best practice;
- Modifying any existing statement of work to provide that the new work is to be performed solely at the direction of counsel and if requested by counsel – and describe in detail the work to be done for legal purposes. Avoid using boilerplate statements of work from forensic firm engagement letters and retainer agreements;
- Documenting expenditures to demonstrate that work is clearly being performed with outside counsel for a legal purpose in anticipation of litigation and not for a business purpose. Along these lines, and if possible, billing should be made to the company’s legal department and not its IT department;
- Ensuring that the forensic firm communicates directly (and only) with counsel in a consistent, secure and confidential manner, and designing effective communication protocols and procedures along those lines;
- Engaging any other non-litigation work (such as future penetration testing or remediation projects) in a separate and distinct statement of work;
- Remaining mindful of waiver hazards. In Leibovic v. United Shore Financial Services, LLC, 2017 WL 3704376 (E.D. Mich. Aug. 28, 2017) (which was affirmed on appeal to the 6th Circuit), a court held that the attorney client privilege cannot be used as both “a sword and a shield.” United Shore had disclosed the conclusions from its forensic firm’s reports, but asserted work product protection over the reports, and the court found that United Shore implicitly waived privilege and ordered production of documents relating “to how the investigation was conducted and what was considered during the investigation” (including communications between the company and/or its counsel and the forensic firm);
- Insisting that the forensic firm conduct its investigation based on documentation that can be provided to an adverse party for an independent investigation. Given that work product protection can be overcome by a finding of substantial need by the adverse party, this kind of preparation provides a strong defense against such an assertion.
Best Practices Regarding a Forensic Report’s Distribution
No matter which option is pursued, counsel should design a strategy about with whom, internally and externally, incident response work is discussed and shared, limiting the report’s distribution and taking steps to ensure that anyone who receives the report does not use it for business purposes. When post-breach digital forensic reports are shared for “business” and “regulatory” purposes, as opposed to “legal” or “litigation-related” purposes, the risk of losing work product protections can increase significantly.
Counsel should bear in mind that limiting distribution of a digital forensic report is much easier said than done. External parties that will ask for copies include insurance carriers, external auditors, affiliate companies, and regulatory agencies, while internal parties may include a parent company, the incident response team, the IT department, and vendors or consultants retained by outside counsel. Best practice would be to limit distribution to in-house counsel, the Board, and perhaps a designated group within the cyber team who are helping prepare for litigation.
As an aside, in contrast to attorney-client privilege, work product protection is not automatically waived by disclosure to a third party. To determine whether work product protection is waived, most courts distinguish between disclosures to an adversary versus a non-adversary. For example, in Experian, Judge Guilford noted that forensic reports may be disclosed to third parties so long as the disclosure is “consistent with maintaining the secrecy against opponents.”
Given that saying “no” to requests from regulators, auditors and other critical constituencies can have bet-the-company consequences, there are some mitigating steps counsel can take to preserve a report’s work product status despite its distribution. For instance, if distribution is absolutely necessary: consider redactions; confidentiality and common interest agreements; if possible, omit from distribution the underlying investigative materials and any citations or references thereto; and implement strict governance and technological safeguards to deter any unauthorized circulation by recipients.
The inclination to retain, or keep on hand, a digital forensics firm that can quickly and knowledgeably combat a cyber-attack and restore systems is a commendable one. Yet it now seems that when a company does so, the company is essentially penalized for its efforts and is forced to hire an entirely new firm when an actual cyber-attack occurs. This makes little practical sense and forces the company, already a victim of an attack, to become victimized again.
Capital One’s counsel has filed a powerful and compelling June 9, 2020, appeal to Judge Trenga, laying out in detail their many objections to Magistrate Judge Anderson’s decision (Capital One’s motion for reconsideration is opposed by the plaintiffs in a June 12, 2020, response, which can be found here.) Per Capital One’s counsel:
“Requiring a company to hire an unfamiliar vendor to deal with a data breach ‘makes little practical sense.’ Such a requirement would cause companies to waste precious time locating a vendor with available capacity, getting the proper business approvals, and then getting the vendor up to speed on the company’s security infrastructure [including, for example, any existing endpoint detection tools installed and monitored by the previous forensic firm]. While taking these steps might make any resulting report more likely to receive work product protection, the irony . . . is that the associated delay would also unquestionably be used by plaintiffs as additional fodder for their challenges to the company’s breach response and remediation efforts.”
If not set aside, Judge Anderson’s Capital One ruling could have profound implications. For instance, in the event of a data breach involving credit cards, best practice might require engaging three (!) different digital forensic firms to perform essentially the same work: the first being the previously retained cybersecurity vendor for business purposes; the second being a new cybersecurity vendor for litigation purposes; and the third being a vendor from the list of card brand approved “Qualified Security Assessor companies” for PCI-related purposes. This is not just cripplingly costly – it is also senseless and irrational.
Moreover, cyber-insurance providers advise and encourage (i.e. arguably require) companies to establish MSAs with digital forensic firms in the event of a data security incident. This allows the insured to investigate immediately without expending valuable resources and time in an already urgent and chaotic situation. Expert digital forensics firms are few and far between and, like plumbers after a hurricane, are already working at capacity and over-extended. Hence, amid the early bedlam of a data breach, it can sometimes take weeks or even longer to successfully onboard a digital forensics firm.
To me, Judge Anderson’s ruling highlights the sad reality of data breach response. Despite the inevitability of data breaches, and the fact that many data breaches are acts of state-sponsored terror or hi-tech larceny, there nonetheless lies an instinctive tendency to blame the victim company.
For instance, when Senate majority leader Charles Schumer lambasted Equifax just days after its now infamous data security incident became public, he accused its executives of “the most egregious examples of corporate malfeasance since Enron.” The Senator’s hyperbolic rant sorely missed the point. For the public to expect companies like Equifax to avoid data breaches is not just unrealistic and lofty, it’s absurd. And vilifying the victim of a destructive and nefarious cyber-attack, is not just irresponsible and bombastic, it’s nonsensical.
Class action lawyers argue that their clients and the public deserve to learn the truth about a data breach – and a post-breach digital forensics report offers an uncommon opportunity to learn the truth about a data security incident from a presumably independent and expert source.
But cybersecurity is an oxymoron, so post-breach investigations will undoubtedly identify problems and weaknesses, which can be too easily exploited by class action lawyers to infer liability and force a settlement. The truth is that no company enjoys perfect cybersecurity, no matter how sophisticated and vigilant.
Think of it this way: When school kids return home from class sick with a cold, it is not their fault, it is not their teacher’s fault and it is not the school’s fault. No one can protect a child from catching a cold; it is inevitable. The same goes for data breaches.
Others may argue that with the right amount of meticulous lawyering and legalese, a victim company can somehow keep a post-breach digital forensic report confidential and maintain its attorney work product protections. However, even under the most careful procedures and safeguards, protecting the confidentiality of any kind of forensic report can become a Herculean task for a range of reasons:
- First, regulators, auditors, insurers, partners, customers and many other constituencies will demand to see the report, creating complex waiver issues;
- Second, keeping forensic investigators, analysts, engineers, and other IT professionals from “blowing” the very delicate attorney-client privilege is similarly challenging, especially during the 24-7 highly charged, prolonged and volatile frenzy of a typical data breach response; and
- Third, like with any terrorist attack, the world wants to know what happened so the next attack can be prevented. And since the digital forensic report is presaged as an objective, fair and impartial view of the event, judges might not resist the urge to remove confidentiality protections so that the public can understand what happened.
The Capital One decision is more than troubling. It is yet another stark reminder of the upside down world of data breach response. For companies hit by a cyber-attack, it’s a virtual journey of Alice in Wonderland, where the perpetrators of a cyber-attack are rarely caught; where the ultimate victims of the cyber-attack are rarely identified; and where the victim-company is pilloried like a degenerate corporate criminal. Now, to make matters even worse, sacrosanct and revered legal rights and protections of attorney-client communications and work product have come under fire.
Some might contend that Capital One and their legal team were not meticulous enough in the procedures, protocol and documentation associated with Mandiant’s engagement — so Capital One’s conscientious and sensible efforts fatefully backfired. Others might (respectfully) assert that Judge Anderson misunderstood both the facts and the law and perhaps went slightly off the rails — so Judge Trenga needs to set his decision aside and get everyone back on track.
My take is that when a company like Capital One does the right thing by engaging a top-notch forensic firm to stand by in the event of a data breach, their keen and responsible preparation should be celebrated and not rebuked. Period, end of story.