Data breach "horror" stories have become a staple of today's business environment. Attacks that threaten (or compromise) the security of business networks and information systems continue to increase in frequency. The health care sector, which holds the dubious honor of Most Likely To Be Attacked, is a case in point: an FBI and HHS Office for Civil Rights report notes that ransomware attacks occur at a rate of 4,000 per day, a four-fold increase over 2015, and experienced data breach forecasters predict that cyber-attacks will only become more frequent. Yet although data security and breach response are constantly in the headlines, studies demonstrate that most organizations remain unprepared to respond effectively to a data breach.
For entities covered by HIPAA (and their business associates), or by other state or federal cybersecurity regulations (such as the NYS DFS regulations we previously discussed in our articles, Getting Prepared for the New York Department of Financial Services' Proposed Cybersecurity Regulations, and New York Releases Revised Proposed Cybersecurity Regulations), breach response preparedness is required. That includes developing an effective incident response plan and periodically assessing it. Breach response readiness is not only a legal requirement for many organizations; it is simply sound business practice in today's environment.
Is your organization ready? It may have an incident response plan, drafted a couple of years ago, adorning a forlorn shelf (blow the dust off carefully). But perhaps the plan has never been updated or tested, staff have not been trained (and re-trained) on it, or legal counsel never provided input on it at all.
Legal counsel is valuable not only for input on the legal definitions, notification processes, and third party contract provisions in the incident response plan. Another important benefit of involving legal counsel in planning (as well as in the breach response itself) is ensuring that the plan is drafted to properly address counsel's role, thereby preserving the attorney-client privilege and work product protection. These protections are not absolute; in fact, there is significant case law discussing how and when they apply, and a forensic report prepared in the ordinary course of business, for reasons other than anticipated litigation, will generally not be protected simply because counsel receives a copy. Therefore, legal counsel should be involved in developing the plan, and the plan should clearly provide that investigations are initiated and overseen by legal counsel as part of the breach response (and litigation risk assessment) process.
A May 18, 2017 decision of the United States District Court for the Central District of California underscores the benefits of involving legal counsel in breach response preparation and planning. In that decision, rendered in the Experian breach litigation, the plaintiffs sought access to a forensic consultant's report. The forensic consultant had been retained by Experian's legal counsel immediately after Experian discovered the breach, and counsel used the report to develop a legal strategy for Experian's response. The plaintiffs argued that the report should be disclosed because it was also used to satisfy Experian's legal duty to investigate the data breach.
Although the forensic consultant had previously worked directly for Experian (performing a very similar analysis), the court focused on the circumstances of this engagement: the consulting firm was retained by legal counsel, and counsel directed the form and content of the report, including limiting which portions were disseminated to Experian's incident response team so that the protection was not waived. On that basis the court held that the report was work product and need not be disclosed to the other side.
The decision addresses another important point: whether the plaintiffs were entitled to the report because they had a substantial need for it and could not obtain its equivalent without undue hardship, since the investigation of the servers had supposedly been performed on "live" operating networks and could not be re-created. In this case, however, the report was prepared from server images rather than the live systems, so the analysis could be repeated from those images. Consequently, the court held that there was no hardship requiring disclosure of the report. The lesson for incident responders is practical as well as legal: capturing forensic images and working from copies preserves the evidence, and, as here, undercuts any later argument that the investigation cannot be reproduced.