Is Legal Privilege a Help or Hindrance Following a Data Breach? - Talion

What happened to Capital One

Napoleon, who knew a thing or two about crises, warned, “Il faut laver son linge sale en famille” (“we should wash our dirty linen in private”).

That thought was foremost in the mind of Rupert MacInnes, Chief Counsel of banking services giant Capital One, when in July 2019 his day was ruined by a tip-off from a benign hacker that highly confidential Capital One customer data was sloshing around the web.

In Capital One’s scramble for control, millions of Capital One accounts were locked; their owners were unable to process financial transactions, meet payments, or gain access to their financial records. Three months later, the investigation concluded that the security of 106 million accounts had been compromised.

The aftermath

Critics lambasted the bank’s effort to downplay the hack while investigations were ongoing, and described the bank as more concerned about its image than the needs of its clients. On social media and in the mainstream press, Capital One’s contradictory July 2019 press statement was mocked and lawsuits were filed against Capital One and its employees in federal and circuit courts.

Capital One is not alone. In the last 5 years, Equifax, Yahoo!, Target and Anthem have suffered similarly large-scale breaches. What makes this one interesting is a recent ruling by a federal court that the forensic investigation report, produced by a third-party investigator under the direction of an independent law firm appointed by Capital One, was not protected by ‘legal privilege’ and had to be made available to the plaintiffs.

Legal privilege

Legal privilege is a concept in Common Law that protects client-lawyer communications, preserving their confidentiality in both civil and criminal cases. This privilege encourages open and honest communication between the client and their lawyer. Common Law is practised in the UK and many former colonies; however, in the United States, not all state courts treat attorney communications as privileged.

Why legal privilege matters

Data breaches are expensive affairs and in deeply anxious times it is a comfort to have reassuring expensive lawyers to defend you. In the US, legal costs typically amount to ~15% of the total cost.

Following a data breach, the victim may face legal action by customers and shareholders if they can demonstrate that they have suffered a loss. Legal privilege matters because the information it protects may contain evidence of culpability or at least make the defendant ‘look bad’.

The table below shows that the average class action cost per company in the 10 largest data breaches in recent years is $137M. These costs indicate that giving plaintiffs access to a forensic investigation report could cost the defendant tens of millions of dollars in additional punitive damages and fines, and in lost business arising from reputational impairment.

Class actions involving loss of financial or medical data attract compensation of $1.2 per record on average. Class actions that do not involve loss of financial or medical data attract much less compensation – typically 10 cents to 30 cents per record. (Note that, as only a small fraction of users are involved in class actions, individual compensation is much higher.)

Why did Capital One fail to obtain legal privilege?

On 9 June, the online legal journal JD Supra published a well-written analysis of the reasons why. In summary, the court noted:

  • Capital One had a long-standing relationship with Mandiant, the forensic investigation firm and had a pre-existing SOW;
  • the retainer paid to Mandiant was a business-critical expense at the time it was paid;
  • the Mandiant Report was provided to four different regulators and to an accountant, showing that the results of an independent investigation were significant for regulatory and business reasons (not solely in relation to impending legal action); and
  • the Mandiant Report was used for Sarbanes-Oxley disclosures and was referenced in draft FAQs prepared by a senior vice president prior to the public announcement of the data breach.

The decision serves as a cold reminder of how fragile privilege can be, especially in cyber security matters.

A superficially obvious solution is not to publish a report at all and keep everything in draft, but this could be counterproductive. Reports documenting a thorough investigation provide affirmative evidence that an organisation has proper procedures in place to respond to a breach and demonstrate its duty of care.

The JD Supra article goes on to explain how to act to maximise the likelihood of preserving legal privilege, but is this ultimately the right course of action in the event of a data breach?

Is legal privilege a liability?

In the context of a data breach response, events can move fast. Law firm Freshfields has published some insightful analysis on just how fast: 28% of crises become international within 1 hour; 70% within 1 day. Financial markets will pick up on a crisis within the first 24-48 hours, but on average it takes a corporation 21 hours to begin to respond. Assuming the IT Security team immediately informs counsel, do you want to hamper them as they try to bring the crisis under control, in the hope that legal privilege will shield communications from potential litigants? It would be hard to convince a jury that a slow-moving investigation shows a duty of care to customers and shareholders. Far better to allow the IT Security team to react quickly and to spend legal resources on ensuring that the team uses appropriate and sensible language in its communications.

Controlling the language

  1. A breach is not always a breach - calling a security incident a “data breach” triggers obligations under data privacy laws like the EU’s General Data Protection Regulation (GDPR). Until you are certain a breach has taken place, refer to it as an incident.
  2. Consider using two investigation teams: one commissioned by external counsel to conduct a forensic investigation under legal privilege, educating external counsel about aspects of the breach so that counsel can provide informed legal advice to its client; and, if necessary, a second team to support the incident response team in investigating and fixing the data breach regardless of any litigation (to reassure customers and ensure continued sales), and in discovering and removing vulnerabilities to protect the organisation against future breaches.
  3. Think “what would this sound like in court?” - assume all data collected during an investigation (computer logs, reports, minutes, notebooks) may be used as evidence against the company, so stick solely to the facts that are directly relevant to the investigation. Avoid speculation and opinion.
  4. Keep formal documents in draft until they can be reviewed by the legal team: if an investigation report has to be issued, it should be reviewed first to ensure consistency and to eliminate unnecessary information.
  5. Limit document distribution: once a report is finalised, its circulation should be limited. For example, the company should consider whether only certain parts of the report should be shared with specific teams.

Set in the context of class actions, share price depreciation and career impairment, modest investment in preparing for a crisis seems worthwhile.

Reducing the risk of a data breach – 6 strategic steps boards can take

The world is awash with advice on tactical things that organisations should do to manage cyber risk (awareness training, filtering suspicious emails, segregating and backing up sensitive data, patching software vulnerabilities, etc). The most authoritative advice is provided by national agencies like the UK National Cyber Security Centre, which is also comprehensible to humans.

Here is some strategic cyber security advice for the executive directors:

  1. Favour discretion over rules: cyber security based on compliance with rules or standards may make it easier to get through client audits, but it may not make you secure. Standards take many years to agree and implement, by which time the cyber threat has moved on, and they reflect the minimum capability that standard-setters consider generally appropriate rather than an aspirational capability. Excessive emphasis on codes of compliance rather than responsibility gives rise to complacency and raises the risk of failure. Independently scrutinise standards set by consensus and create a logical, defensible cyber risk strategy that is specific and appropriate to your organisation.
  2. Have ‘skin in the game’: make those responsible for managing risk define the cyber risk management strategy. Avoid the mistake made by financial sector regulators in, for example, allowing banks’ capital requirements to be set by the ratings agencies. Not only are ratings agencies not responsible for managing banking risk, they are susceptible to market pressure. It was they who assigned disastrously low risk ratings to new and lethal financial products like collateralised debt obligations, which caused the 2007 financial crisis. Execs need to have ‘skin in the game’.
  3. Compensate for the biases that mar our risk judgements: we trust celebrity endorsements, people in suits, anything printed – especially charts and precise numbers even when they are wrong. We are prone to the illusion of certainty. Our risk perception frailties are well documented. Recognise them and compensate for them.
  4. Adopt a barbell security strategy: a combination of high- and low-risk management strategies, avoiding the middle ground. Protect to the maximum extent possible the IT systems that host your critical data and, if necessary, take more risk with the rest of your network.
  5. Rehearse what you would do when a security incident happens: periodic testing of your security incident response fitness effectively vaccinates your business against a breach. Train your incident response team to control the language they use when they communicate as it could be used in court as evidence. The most resilient companies are those that have learned how to operate without internet access or even without IT. Make provisions for re-building your IT from scratch.
  6. Insure yourself against the unanticipated: the only scenarios we can test are those that we can anticipate, so put in place cyber insurance to protect you from the unanticipated events.

It takes courage for executives to see a data breach as an opportunity, but Freshfields’ research shows that a crisis managed in the right way reinforces loyalty between board executives and shareholders. Whereas the normal attrition rate of corporate boards is 8% per year, boards that have successfully steered their business through a crisis see the attrition rate halve. Boards that fail to manage a crisis well experience a doubling of the normal attrition rate.

Although Napoleon had an aptitude for managing risk, his luck ran out at Waterloo. Abandoning his broken army, Napoleon returned to Paris and abdicated the following day. When he found his plans for escape to the United States frustrated by a British naval squadron, he surrendered himself and spent the remainder of his life in exile on the island of St. Helena.
