Michael E. Kar
Associate, Wilson Elser Moskowitz Edelman & Dicker, LLP

Michael E. Kar, CIPP/US/E, is an Associate in the New York office of the law firm Wilson Elser. Michael focuses his practice on data privacy compliance, information security, and data breach incident response. Michael provides clients across various industries with comprehensive legal and business advice in connection with building and implementing data security policies and procedures, ongoing regulatory compliance, negotiation and due diligence of technology and commercial transactions, responding to regulatory inquiries and investigations, and immediate data breach incident response for insured and uninsured entities.

Ransomware and cybercrime against businesses large and small are front-page news. In a world after Colonial Pipeline, network security incidents leading to business interruption and/or exposure of sensitive data are now receiving widespread media coverage, third-party claim activity, increased government attention, and a resulting expedited hardening of the cyber insurance market.

Impacted individuals and plaintiff-side attorneys are scanning the dark and deep web for leaked sensitive data. The increasing exposure and volume of these cyberattacks comes at a time when the privileged nature of a victim company’s own forensic investigation into the cyber incident is becoming less clear.

The shifting landscape for the discoverability of incident response forensic investigations, and its impact on future third-party claims, should be mitigated with four best practices across cyber claims.

Digital Forensic Investigations

A victim company that has experienced a network, hardware, or email compromise is in most circumstances advised to conduct a digital forensic investigation into the incident. These investigations are often conducted by specialized third-party cybersecurity, consulting, or digital forensic incident response firms (“DFIR Firm”). The DFIR Firm can be engaged by outside counsel on behalf of the victim company, and the engagement is typically outlined in a services proposal or statement of work (“SoW”). SoWs for DFIR Firms are not foreign to those in the insurance space. Cyber, tech E&O, and commercial carriers have competitive panels of DFIR Firms, and insurers’ risk exposure to third-party claims is directly impacted by the discoverability of these forensic findings.

Generally speaking, the DFIR Firm’s forensic investigation has two goals: (i) root cause analysis of how the incident occurred, to determine the source and vector of the intrusion; and (ii) determination of whether any sensitive data access or acquisition occurred, specifically, the tracking of manual activity within the environment as well as any evidence of obfuscation or data staging/exfiltration. Sensitive data includes proprietary or confidential information of the company or its clients, as well as personal individual data that may trigger breach notification requirements, such as personally identifiable information (PII) under state law or protected health information (PHI) under HIPAA.

DFIR Firm forensic investigations move quickly and include a tremendous amount of data and analysis. Depending on the particular incident and the amount of forensic evidence maintained, incident response investigations can include a blueprint of the victim company’s network environment, determinations as to how the network was compromised, what protections were in place before and during the incident, and the extent of the unauthorized activity during the timeframe of the compromise. In the event of a third-party claim stemming from a compromise of sensitive data, the basic common law liability analysis will be: whether the protections in place to prevent sensitive data compromise were reasonable. The information gleaned by forensic investigators during the incident response efforts is critical, regardless of whether it is for business or legal purposes. When DFIR Firm investigations are guided by counsel with an eye towards litigation, the associated communications and findings go far beyond root cause, and are indispensable to a victim company’s legal strategy and exposure analysis.

Work Product Doctrine

Privileged materials and information are exempt from discovery, which is the legal process of adversaries requesting and producing written and oral information. Historically, root cause analysis and other forensic findings from DFIR Firms have been covered by work product privilege. The work product doctrine functions to protect materials prepared by or for an attorney in the course of providing legal services in anticipation of litigation. The doctrine is codified in Federal Rule of Civil Procedure 26(b)(3) (“…a party may not discover documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative (including the other party’s attorney, consultant, surety, indemnitor, insurer, or agent)”). This was the basis of the decision in the high profile Target data breach class action: In re: Target Corp. Customer Data Security Breach Litigation, 2015 WL 6777384 (D. Minn. Oct. 23, 2015).

The Target data breach litigation arose out of the 2013 breach of Target Corp.’s network, resulting in the compromise of over 40 million customers’ personal financial information. Target engaged Verizon to investigate the incident, leading to the notification of banks and customers that their data had been compromised. A class action suit was filed against Target and Plaintiffs’ counsel moved to compel production of all Verizon findings. Defendant Target opposed the disclosure on the basis that Verizon’s investigation consisted of two tracks. The first track was an investigation by Verizon, involving both Target’s existing IT team and the impacted banks, into how the breach occurred and what financial information was compromised. The second track was an investigation by a separate Verizon team, guided and directed by legal counsel, into the expected litigation that would follow.

The Court ruled in favor of Target, holding that: “the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s inhouse and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation….” Id. A similar result was reached two years later in In re Experian Data Breach Litig., 2017 WL 4325583 (C.D. Cal. May 18, 2017).

Shifting Legal Landscape

Three primary decisions at the federal level have clouded this precedent: (i) In re Capital One Consumer Data Sec. Breach Litig. 2020 WL 3470261 (E.D. Va. June 25, 2020); (ii) Guo Wengui v. Clark Hill, PLC, 338 F.R.D. 7 (D.D.C. Jan. 12, 2021); and (iii) In re Rutter’s Data Security Breach Litigation, 2021 U.S. Dist. LEXIS 136220 (M.D. Pa. July 22, 2021). While the specifics of these lawsuits differ, the court in each case ruled that plaintiffs were entitled to disclosure of the victim company’s post-breach forensic investigation.

The Capital One data breach involved unauthorized access to personal information for over 100 million Capital One customers in March of 2019, along with the theft of approximately 140,000 Social Security numbers. In response to the compromise, Capital One engaged one of their existing cybersecurity resources, Mandiant, to conduct the investigation. The Capital One Court applied a jurisdiction-specific “driving force” test to determine whether the root cause analysis report produced by Defendant’s DFIR Firm was privileged. In short, the Court found the DFIR Firm’s report discoverable because the report would have been commissioned for business purposes anyway, regardless of potential litigation. In pertinent part, the Court also noted that the operative SoW was between the victim company and the DFIR Firm, and did not involve counsel.

The first court to follow the Capital One deviation was Wengui. Plaintiff Wengui filed suit against the Defendant law firm after a breach of the law firm’s network resulted in Plaintiff’s personal information being leaked online. Defendant hired outside counsel, who then engaged a DFIR Firm to conduct an investigation. Again, Plaintiff moved for production of the DFIR Firm findings, and the Defendant victim company argued that the DFIR Firm was engaged through external counsel in order to “prepare for litigation stemming from the attack.” Defendant made the same two track argument that was successful in Target. One track of the response, handled by a separate outside consultant, investigated and remediated the attack while ensuring business continuity. The second investigation was by the DFIR Firm in order to gather information sufficient to render timely legal advice for litigation. The Wengui Court ruled against Defendant, and in favor of disclosure, because Defendant did not prove that a forensic investigation and report would not have been created in the ordinary course of business, irrespective of litigation. The Court rejected Defendant’s two track argument based on a minimal factual basis in the record, including deposition testimony.

Last, we have the July 2021 Rutter’s decision. Class action plaintiffs sued the convenience store chain following a network compromise leading to the breach of customer sensitive data, and again moved to compel the DFIR Firm’s findings. The Rutter’s Court similarly held the investigation discoverable based on a factual analysis and then conclusion “that the primary motivating purpose behind the [] Report was not to prepare for the prospect of litigation.” The facts used to support this determination included the language of the SoW, which was broad and did not mention litigation, and the deposition of the Defendant’s corporate designee, who stated in sum that he was not contemplating forthcoming lawsuits at the time and would have done the forensic investigation anyway.

Both the Wengui and Rutter’s decisions summarily sever and reject the attorney-client privilege argument on the basis that forensic findings and a DFIR Firm report do not fit within the “communications” protected by attorney-client privilege.

There is one excerpt from the Rutter’s decision that should be noted. The Court holds that: “Without knowing whether or not a data breach had occurred, Defendant cannot be said to have unilaterally believed that litigation would result.” While this sentence serves as reasoning for the Rutter’s holding, it is also a warning shot across the bow for victim companies, incident response firms, data privacy compliance counsel, and insurers alike. Taking this reasoning in isolation and applying it to the modern world of cybersecurity and cloud computing is treacherous. A data breach is not a car accident, where a passerby can spy a damaged fender and an ambulance, and deduce the occurrence of an incident that may lead to a bodily injury lawsuit. In the world of incident response, malicious data encryption, anti-forensics, log rollover, and threat actor obfuscation are all realities that conceal surface-level conclusions and require the immediate involvement of specialized digital forensic resources. With sophisticated threat variants, the full picture may never be clear.

Best Practices

The Capital One holding put the incident response industry on notice of this shifting landscape. As time has passed and courts continue to weigh in, we are able to glean four best practices to be implemented across the incident response and cyber insurance industry:

  1. Optimize language of engagement documents. Ensure that the incident response firm engaged to conduct a forensic investigation is contracting with outside legal counsel, on behalf of the client/insured, as part of a second track of the response. All documentation should explicitly outline that the investigation’s purpose is to provide counsel with technical conclusions sufficient to render legal advice to the client, in anticipation of litigation. Do not use existing pre-breach contracts.
  2. Control flow of written findings. Establish at the outset the goals and procedures of the DFIR Firm investigation. With an eye towards discoverability, the optimal flow of forensic findings is from forensics to outside counsel. Outside counsel can then provide advice to the victim company’s in-house legal representative, and that in-house legal contact can then guide the stakeholders on legal strategy. In practice, the timely business and IT security goals of the victim company may outweigh the risk of disclosure.
  3. Silo the forensic investigation. The two track argument that was successful in Target appears to have value so long as the record and applicable law support it. Keep the legal forensic investigation separate from the response that would be done irrespective of litigation, i.e., standard root cause analysis, IT restoration/remediation, and responsive network hardening. The data breach team directed by outside counsel should consist of a different team from the DFIR Firm.
  4. Think twice about the report. The uncertainty of DFIR Firm discoverability is combined with the already opaque landscape of data breach claims, with novel liability analyses, reactive new statutes, and splits on Article III standing, to name a few. If a victim company understands how the incident occurred and how to fix it, and if data breach counsel understands the sensitive data compromise and the legal strategy assembled, then the value-add of reducing DFIR Firm findings to writing may be speculative.

It remains to be seen whether these three decisions are indicative of a full or partial shift towards discoverability of post-breach root cause investigations. What is clear is that implementing smart and up-to-date protocols for DFIR Firm forensic investigations may be the difference. This difference in discoverability could directly and imminently impact the liability and/or damages analysis in third-party claim exposure.