In the following guest post, John Reed Stark President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at questions of confidentiality surrounding a discovery dispute between class action plaintiffs and a data breach victim company relating to forensic work conducted by Crowdstrike, Inc. in connection with a 2018 data security incident at Marriott International, Inc. As Stark notes, the issue of protecting the confidentiality of post-data breach forensic findings (when the forensic firm is typically engaged by counsel) has become of critical importance and has significant consequences. A version of this article previously was published on Cybersecurity Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Here we go again (again).
For companies hit by a cyber-attack, it’s a virtual journey of Alice in Wonderland, where the perpetrators of a cyber-attack are rarely caught; where the ultimate victims of the cyber-attack are rarely identified; and where the victim-company is pilloried like a degenerate corporate criminal. Now, to make matters even worse, sacrosanct and revered legal rights and protections of attorney-client communications and work product are at risk.
This week there comes to light yet another discovery skirmish between class action plaintiffs and a breach victim company, relating to forensic work conducted by Crowdstrike, Inc. in connection with a 2018 data security incident at Marriott International, Inc.
Some Quick Background
On November 30, 2018, Marriott announced a data security incident involving unauthorized access to the Starwood guest reservation database containing information relating to as many as 500 million guests. Since then, Marriott claims that attackers who breached its Starwood Hotels unit’s guest reservation system stole personal data from up to 383 million guests — including more than five million unencrypted passport numbers.
In Marriott, the class action frenzy since these events has been nothing short of astounding. A total of 176 plaintiffs from all 50 U.S. states have filed suit against Marriott relating to the Marriott breach. Meanwhile, consumers, financial institutions and governments in various states have filed dozens more, including a securities class action. Ultimately all of the class actions were consolidated into an MDL in Maryland (where Marriott has its headquarters). In the Marriott MDL, there are five case “tracks” — Government, Financial Institution, Consumer, Securities and Derivative. (In re Marriott International Inc. Customer Data Security Breach Litigation, MDL No. 2879 (District of Maryland, Aug. 30, 2019))
The Engagement of Crowdstrike
According to the pleadings, on September 7, 2018, a database security program called IBM Guardian reported the use of certain credentials to access data in a Starwood Guest Reservation Database. The IBM system reported this event to another company, Accenture, which investigated the alert.
Accenture contacted the user whose credentials had been used to access the Reservation Database, and that user advised Accenture that it did not access that Database. The Vice President and Senior Counsel, Global Compliance, Privacy and Data Security for Marriott, recognized that what Accenture had discovered could be a data breach, and realized that:
- Such a breach could trigger Marriott’s statutory obligations, both national and international, to report the breach;
- Federal, state, and international agencies might investigate the breach;
- “Data security incidents frequently result in significant litigation brought by individuals, as well as regulators and commercial entities, often in large class actions;”
- Marriott’s law department did not have the resources to analyze the obligations that Marriott had if there was a breach; and
- Marriott needed “outside counsel to advise Marriott on the numerous domestic and international legal issues potentially implicated by the potential data security incident.”
Marriott, therefore, retained an outside law firm “to advise Marriott about its legal obligations and exposure.” The outside law firm next “needed to engage a firm with computer forensics abilities and knowledge to explain Marriott’s technical information, including the information relevant to the potential data security incident so the law firm could fully advise Marriott about the legal obligations arising from and implications of the potential incident.”
Per the pleadings, the outside law firm, having been retained by Marriott, decided that it needed a digital forensics firm to “help us find and understand the facts of what occurred leading up to the Guardian event alert to advise Marriott about its legal obligations and strategy in anticipation of demands, litigation, and regulatory proceedings.” The outside law firm retained such a firm, Crowdstrike, for this purpose.
The agreement hiring Crowdstrike is among three parties: Crowdstrike, Marriott, and outside counsel. Its first few paragraphs specify the work Crowdstrike would do, i.e., investigate what occurred and suggest remediation.
The Consumer Plaintiffs Move to Compel Crowdstrike’s Findings
The consumer plaintiffs have now demanded that Marriott produce the evidence of what Crowdstrike accomplished. More specifically, they demand the following:
- All agreements and statements of work entered into by and between Crowdstrike and Marriott/Starwood (or its counsel) pre- and post-dating the breach;
- All investigations, reports, assessments, decisions, findings, conclusions, and recommendations prepared or documented by Crowdstrike pursuant to its statement of work with Marriott following discovery of the breach regardless of form;
- All communications between Marriott and Crowdstrike regarding Crowdstrike’s investigations, reports, assessments, decisions, findings, conclusions, and recommendations, including meeting agendas, status reports, PowerPoint presentations, and related materials;
- All communications between Marriott employees regarding Crowdstrike’s post-breach investigations, reports, assessments, decisions, findings, conclusions, and recommendations; and
- All memoranda, notes, and communications prepared by Marriott’s employees, reflecting conversations between Crowdstrike and Marriott.
Marriott resists such discovery, arguing that the material is protected by the attorney-client and work product privileges. The consumer plaintiffs insist that neither privilege applies.
The consumer plaintiffs believe they have a right to discovery from Crowdstrike, because Crowdstrike’s engagement, among other things, was for a business purpose and is therefore not entitled to any legal protection. The plaintiffs state:
“Plaintiffs have provided Your Honor with documents demonstrating that: 1) Marriott had a prior existing business relationship with CrowdStrike; and 2) it engaged CrowdStrike for similar business purposes here (determining the cause of the breach, remediating the breach, and providing security-based products and services to prevent future breaches—all which were necessary and consistent with Marriott’s ordinary business practices).”
Marriott disagrees stating:
“[Outside counsel] retained CrowdStrike so it could provide legal advice and in anticipation of litigation. CrowdStrike worked at the direction of [outside counsel] to help counsel understand the technical information relevant to the incident. CrowdStrike’s work included installing specialized tools across Marriott’s network and then analyzing and interpreting the collected information. This analysis was necessary for counsel to provide Marriott with legal advice about issues arising from the security incident.”
Marriott summarizes its objections in a chart within its pleadings:
Judge Facciola Throws a Wrench Into the Mix
Now it will be up to famed tech-savvy Magistrate Judge John M. Facciola, who, before he opines on the issue, wants Marriott to inform the court if Marriott plans to designate Crowdstrike as an expert.
It seems that Judge Facciola believes that the threshold issue is whether Crowdstrike will serve as a Marriott expert witness, and has issued a recommendation to presiding Judge Paul W. Grimm to order Marriott to indicate:
- Whether it intends to designate Crowdstrike as an expert pursuant to Fed. R. Civ. P. 26(2)(B) who will file the report required by that Rule; or
- If it does not, whether it intends to call Crowdstrike as a witness and expects to present evidence from Crowdstrike pursuant to “Federal Rule of Evidence 702, 703 or 705.” Fed. R. Civ. P 26(2)(A).
Judge Facciola writes:
“ . . . whichever way one turns, there will be a lot of time and money that will have to be spent. But, if Marriott denominates CrowdStrike as an expert witness, all of that money and time will have been spent even though plaintiffs may not be entitled to the information they seek. It makes much more sense to force Marriott’s hand and make it identify its experts now.”
You can read below complete copies of the various pleadings on the issue, which are filed in the form of letters to Judge Facciola, as well as Judge Facciola’s two Reports and Recommendations on the issue:
- July 17th, 2020 Consumer Plaintiff Letter here.
- August 14th, 2020 Marriott Response Letter here.
- August 27th, 2020 Consumer Plaintiff Response Letter here.
- August 27th, 2020 Marriott Response Letter here.
- September 1st Judge Facciola Report and Recommendation here.
- September 1st Judge Facciola Supplemental Report and Recommendation here.
Amid post-breach litigation, there now typically arises an intense battle over the confidentiality of post-breach digital forensic reports, forcing courts to interpret and nuance conventional notions of attorney-client privilege and work product doctrine in an entirely new context, which can sometimes result in inconsistent, disappointing and even unfair court decisions.
Indeed, there have emerged a string of cases relating to the confidentiality of post-breach forensic findings, including from data security incidents at: Capital One (Magistrate Decision affirmed in District Court Memorandum and Order); Experian; Premera BlueCross; Dominion Dental; Marriott (involving a PFI Report); Arby’s; Target; Genesco; Capital One (no written opinion, ordered from bench at end of hearing); and Albertsons. Historically, courts afforded deference to non-testifying experts retained by law firms to help with litigation, but the trend has clearly shifted. (You can read my thoughts on these cases and the issue of keeping post breach forensic findings confidential here, as well as some key practice tips along these lines here.)
So why the trend? Perhaps the weaponization of forensic findings by class action lawyers is something that has simply become more tolerable to federal judges. Or perhaps the procedures, protocol, contractual language and documentation associated with the hiring and retention of forensic firms were among those “little things” that some legal teams historically undertook inattentively, and thereby unwittingly waived confidentiality.
What has clearly complicated the judicial calculus is that many digital forensic firms now offer a wide array of services, including security-based products and other cyber-related monitoring, surveillance and testing services. Though a forensic firm may be engaged above all else to be on standby to help a legal team defend the litigation onslaught after the inevitable data breach, judges don’t always see it that way.
Instead, judges could find that these extraordinarily helpful, handy and beneficial cyber-service offerings arguably serve more of a business purpose than a legal purpose. Hence, a forensic firm’s findings, communications, heat-maps, remedial laundry lists and any other inculpatory communications can become discoverable in legal proceedings.
This creates challenging situations for companies, because digital forensic findings will always draw attention to security flaws, and some flaws will make sense to correct while others will not. After all, there is no such thing as perfect security: cybersecurity is an oxymoron. Nonetheless, class action plaintiffs will sniff out even the slightest weakness identified in digital forensic findings and exploit it as evidence of potential negligence, recklessness or even intentional wrongdoing.
It’s of course all quite maddening – just consider Marriott’s predicament. On the one hand, Marriott does the right thing by engaging Crowdstrike, a top-notch digital forensic firm, to stand by in the event of a data breach and keep a watchful, algorithmic eye on its technological infrastructure. Yet on the other hand, Marriott’s keen, responsible and often legally required preparation can ironically be used against it by class action firms.
Under any circumstance, my take is that, as retired U.S. Navy four-star admiral William Harry McRaven stated so memorably in his legendary University of Texas at Austin 2014 Commencement Address, “If you can’t do the little things right, you will never do the big things right.” Moreover, good lawyers should anticipate class action warfare — and take steps to prepare for battle. Otherwise, fail not at your peril.
John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook.”