CPW has been tracking since last year the Capital One data breach multidistrict litigation (remember that privilege ruling?).  Well, today the federal judge overseeing the litigation granted Capital One’s motion to certify to the Virginia Supreme Court a question of whether there exists under Virginia state law a duty to use reasonable care to protect consumers’ personal information from disclosure.  Read on to learn more.

Recall that Capital One is a litigation involving consolidated cases transferred by the Judicial Panel on Multidistrict Litigation (“JPML”).  In all of the pending matters, Plaintiffs’ claims arise out of a cyber-attack that purportedly resulted in the theft of Plaintiffs’ personally identifiable information (“PII”) being held by Capital One (over 106 million individuals were impacted by the data event).

As relevant for purposes of the development today, Plaintiffs’ claims include the assertion that Capital One was negligent with respect to the security measures it employed to protect Plaintiffs’ PII.  As a result, Plaintiffs assert they suffered certain economic harms, including the time and money spent to address actual fraud and to mitigate the risk of future fraud.  However (as with other data breach litigations), they do not allege that they suffered any physical harms or damages to their person or property.

In the Capital One litigation, the Court and parties agreed that Plaintiffs’ negligence claims are governed by Virginia law.  As such, as summarized by the Court, “[t]he viability of Plaintiffs’ negligence claim therefore depends on whether under the circumstances alleged Virginia law imposes an extra-contractual, tort duty to use reasonable care to protect consumers’ personal information from disclosure, either as an independent duty imposed by law or as one voluntarily assumed.”  However, the Court found that on this issue Virginia law is unsettled as “[t]here are no Supreme Court of Virginia or the Court of Appeals of Virginia decisions which have considered whether a tort duty of care exists with respect to the accumulation of PII under the circumstances of this case.”

Accordingly, the Court granted Capital One’s Motion to certify the following two questions of law to the Virginia Supreme Court:

  1. Whether the economic loss rule precludes Plaintiffs’ negligence claims under the facts and circumstances alleged?
  2. If not barred by the economic loss rule, does there exist under the circumstances alleged, a cause of action for negligence against Capital One based on either an extra-contractual, independent tort duty to use reasonable care to protect consumers’ personal information from disclosure or the voluntary assumption of such a duty?

Negligence claims are frequently litigated in data breach cases, making this an important issue to watch going forward.  Not to worry, CPW will be there!  Stay tuned.

On June 25, 2020, the United States District Court for the Eastern District of Virginia upheld a Magistrate Judge’s order, compelling Capital One to produce the Mandiant Report at issue in the matter of In Re: Capital One Consumer Data Security Breach Litigation (See MDL No.1:19md2915).

The decision put to rest the month-long dispute over the discoverability of a forensic report prepared for Capital One Financial Corp. by cybersecurity firm Mandiant Inc., following a cyber-incident that exposed 106 million applicants’ sensitive data last year.  This development reaffirms several key lessons that we recently wrote about for companies experiencing cyber incidents.

The sole issue before the District Court was “whether the Report is entitled to work product protection.”  The Magistrate Judge had previously held that it was not.  In its objection, Capital One argued that the Magistrate Judge’s recommendation “erred as a matter of law” for three reasons: (1) it “applied the second prong of the [test articulated in RLI Insurance Co. v. Conseco, Inc. (the “RLI test”)] whether the document would have been created in essentially the same form absent litigation) as part of the Fourth Circuit’s ‘driving force’ test”; (2) it “relied too heavily on the ‘pre-existing [statement of work (SOW)] with Mandiant to conclude that Mandiant would have performed essentially the same services as ‘described in the Letter Agreement’ with [outside counsel]”; and (3) it “relied on subsequent regulatory and business uses of the Report in determining that the Report is not entitled work product protection.”

Under the “because of” test applied in this case, a document will be protected as work product if it is shown to have been prepared “because of the prospect of litigation.”  A document that may be used for both litigation and business purposes is protected as work product only if litigation was “the driving force behind the preparation of” the document.  To determine whether litigation was the “driving force,” courts apply the two-prong RLI test, which asks: (1) whether the document at issue was created when litigation was “a real likelihood,” as opposed to being “merely a possibility”; and (2) “whether the document would have been created in essentially the same form in the absence of litigation.”  It was undisputed that there was “a real likelihood” of litigation following Capital One’s announcement of its data breach.  Thus, only the Magistrate Judge’s application of the second RLI prong was at issue.  In upholding the Magistrate Judge’s order, the District Court reaffirmed several key lessons for companies facing cyber incidents.

1. To shield a forensic report as work product, a company must demonstrate that the report would not have been created in essentially the same form absent litigation.  This burden is more difficult to meet where the company has a pre-existing relationship with the cybersecurity vendor that prepares the report.

First, Capital One argued that litigation is necessarily the “driving force” behind the preparation of a document “where, as here, the work product documents are created only after the prospect of litigation arises” and the documents are “created in anticipation of litigation.”  Therefore, Capital One argued, under these circumstances, the document must be protected and application of the second prong of the RLI test is improper.  The court found that this argument “ignores the substance of the test,” as the second prong “captures one of the core inquiries identified by the Fourth Circuit in [articulating the ‘driving force’ inquiry]: whether the work product would have otherwise been produced in the ordinary course of business.”  It was thus proper for the Magistrate Judge to apply both prongs of the RLI test.

Second, Capital One argued that, in any event, the Magistrate Judge had improperly applied the second RLI prong by giving “dispositive effect to the pre-existing SOW with Mandiant.”  Mandiant changed “the nature of its investigation, the scope of work, and its purpose” at the direction of outside counsel and in anticipation of litigation, so “Mandiant’s investigation and report would have been very different if Capital One had engaged Mandiant to investigate the Cyber Incident for business purposes.”  Capital One pointed to its separate internal investigation and report as further evidence that the Mandiant Report would not have been prepared in substantially similar form but for the prospect of litigation.  Again, the District Court disagreed.

The Magistrate Judge properly applied the second RLI prong to conclude that the Mandiant Report was not protected work product, the District Court held, given that the scope of services was identical under both the pre-existing SOW between Capital One and Mandiant and the Letter Agreement they entered into with outside counsel following the data breach.  Based on the record, “it would be unreasonable to think, given identical contractual obligations under the pre- and post-data breach SOWs, that had Mandiant not provided to Capital One through [outside counsel] all the information required under the SOW concerning the breach, it would not have provided that same ‘business critical’ information directly to Capital One in discharge of its obligations under the pre-data breach MSA and SOW.”  Capital One’s internal report did not change this conclusion, as there was no evidence “that this internal report reflects what Mandiant would have produced absent [outside counsel]’s involvement,” and Capital One did not “provide[] sufficient evidence to explain whether any parallel investigation by Mandiant would have been substantially different in substance than the counsel-led investigation at issue here.”

In sum, “after the data breach incident at issue in this action, Capital One then arranged to receive through [outside counsel] the information it already had contracted to receive directly from Mandiant.”  Because Capital One “failed to establish that the Report would not have been prepared in substantially similar form but for the prospect of that litigation,” the Magistrate Judge properly applied the second RLI prong to conclude that the Report was not protected as work product.

This analysis reaffirms the crucial need for companies to keep pre-litigation investigations completely separate from business incident response services.  The safest route is to avoid engaging the same cybersecurity firm for breach response and litigation-related investigations as for business-related services.  Given the difficulty of vetting and onboarding a new cybersecurity firm in the aftermath of a cyber-incident, it may be prudent for counsel to separately engage a second forensic firm with which the company has no pre-existing relationship to support any litigation-related investigations that may become necessary.  Either of these steps would allow the company to clearly demonstrate that it has separate reports for business and regulatory purposes, on the one hand, and litigation purposes, on the other.  If neither of these steps is feasible, however, and a company decides to use the same vendor for both business and litigation-related services, it is critical to detail the vendor’s litigation-related services in a separate SOW whose scope and purpose clearly differ from those of any preexisting SOWs.  The SOW and any related documentation must clearly establish that the purpose and scope of the work to be performed is in anticipation of litigation and will be conducted under the direction and control of counsel for the purpose of providing legal advice.

2. Disclosure of a forensic report to parties for non-litigation use may be considered evidence that the report was not initially produced “because of” litigation.

Finally, Capital One argued that the Magistrate Judge had erred in relying on the company’s “subsequent regulatory and business uses of the Report in determining that the Report is not entitled work product protection.”  The court pointed out, however, that “post-production disclosures are appropriately probative of the purposes for which the work product was initially produced.”  And the Magistrate Judge did not hold that Capital One’s subsequent disclosures of the Mandiant Report destroyed its work product protection; rather, the Magistrate Judge raised the issue “simply to underscore Capital One’s business needs for a Mandiant produced report.”  (Notably, while disclosure did not destroy work product protection in this case, the court expressly declined to reach plaintiffs’ alternative argument that Capital One had waived protection over the Report, since the court held that the Report was not protected in the first place.  Had the court held the Report to be protected, however, it is possible that Capital One’s disclosure of the Report might have jeopardized the Report’s protection in other respects.)

This reaffirms the importance of providing the full litigation-related report only to those who need it solely for litigation purposes and imposing clear controls on its use.  As a practical matter, companies can often create a separate and non-privileged report to be used for business and regulatory purposes.  Non-privileged reports should be distinct from the privileged forensic report (i.e., not a copy and paste) and should provide a summary of their findings rather than a detailed analysis.  Companies can further distinguish privileged forensic reports by paying for the reports and related services directly from their legal and/or litigation budgets and designating the expenses as legal.  At the very least, companies should avoid paying from their cyber organization’s budget and designating the expense as a ‘business critical expense’ – as initially recorded by Capital One.

If your company experiences a data breach, it is imperative to immediately retain outside counsel who understands the nuances of cybersecurity events, the regulatory and legal obligations flowing from the event, and the potential claims that may arise to carefully navigate the difficult privilege issues that arise almost immediately following a breach.  SPB attorneys are here to help.

As has been widely reported, a magistrate judge in the Eastern District of Virginia recently ordered Capital One to produce a forensic report prepared by the cybersecurity firm Mandiant, holding that the report was not protected as attorney work product despite having been prepared at the direction of outside counsel.  On June 9, 2020, Capital One filed an objection to that order, arguing that the magistrate judge misapplied the controlling law and improperly relied on Capital One’s dual use of the Mandiant Report for business-related purposes.  In support, Capital One submitted several attachments, including a declaration by its Vice President, Senior Associate General Counsel who provides legal counsel for Technology, Cyber, Enterprise Products and Platforms, and Brand divisions of Capital One, and leads the Intellectual Property advisory team.  While the dispute regarding the discoverability of this forensic report continues, it is a good time to step back and focus on the critical steps companies must take to protect privilege at the outset of a breach response.

Why is a privileged forensic report important?

A forensic report is normally prepared by a cybersecurity firm following a thorough investigation into the nature and scope of a company’s cyberattack.  The report will generally detail, among other things, the critical vulnerabilities in a company’s IT environment that enabled the cyberattack.  By way of example, the Capital One forensic report “detail[ed] the technical factors that allowed the criminal hacker to penetrate Capital One’s security.”  Often a report will identify areas in which a company’s IT defenses were not compliant with best practices, regulations and/or industry standards.

While these findings can help a company anticipate and defend against potential causes of action (e.g., negligence, breach of contract, breach of warranty, breach of fiduciary duty, false advertising, and unfair or deceptive trade practices) and mitigate risk, plaintiffs can also use this information as evidence to substantiate their claims. Therefore, plaintiffs, like those in Capital One, will seek to discover the report, while defendant companies will argue it is protected under the attorney work product doctrine.

What are the practical considerations going forward?

In determining whether a forensic report is privileged, courts will look to the totality of the circumstances.  While Capital One’s objection disputes the court’s legal and factual reasoning, this debate provides a few practical takeaways to help make abundantly clear that a forensic report was created in anticipation of litigation.

  1. Ensure that your outside counsel retains a cybersecurity vendor with which you have no preexisting relationship.

A company should, if possible, ensure that its outside counsel engages a forensic firm with which the company has no preexisting relationship for incident response services.  Like Capital One, many companies enter into Master Service Agreements (MSA) and Statements of Work (SOW) with forensic firms to receive incident response services prior to a cyberattack as part of their cyber risk mitigation strategy.  Indeed, Capital One noted that “one purpose of the MSA and associated SOWs was to ensure that Capital One could quickly respond to a cybersecurity incident should one occur.”

To obtain attorney work product protection, a company has the burden of proving that a forensic firm’s work product was prepared “in anticipation of litigation.”  However, the ruling in Capital One suggests that, to truly anticipate litigation, the scope of the forensic services must be determined after a cyberattack.

The Capital One court found it “significant” that Capital One failed to “show[] that Mandiant’s scope of work under the Letter Agreement with outside counsel was any different than the scope of work for incident response services set forth in the existing SOW,” or “that the nature of the work Mandiant had agreed to perform changed when outside counsel was retained.”  Indeed, the court emphasized, “the statement of works and master services agreements provided for virtually identical services to be performed before and after the data breaches were discovered.”

In response, Capital One argues that the relevant issue is not “the nature of the work Mandiant could have done for Capital One under the pre-existing SOW,” but rather “the Report actually prepared by Mandiant under [outside counsel]’s direction.”  Here, the preexisting SOW “broadly outline[d] the general types of incident response services that might be needed,” leaving “the particular services” to be “determined on a case-by-case basis.”

Further, Capital One asserts that the services underlying the Mandiant Report were different from the services provided under preexisting SOWs for several reasons.  First, Capital One retained outside counsel to help the company prepare for anticipated litigation, who in turn hired Mandiant to draft the Report specifically “to inform and facilitate [outside counsel]’s investigation and advice.”  Further, unlike the work underlying the Report, “Mandiant did not do any incident response work for Capital One” for two years before the breach, during which time it “provided only training and consulting services.”  Finally, Capital One conducted separate “internal business investigations parallel to [the] protected investigations,” further distinguishing Mandiant’s “protected, legal work [from] Capital One’s ordinary-course, business investigation.”

As we await the District Court’s ruling, the magistrate’s order indicates that it may be prudent for companies to avoid engaging the same IT firm for litigation-related investigations as they rely on for business-related services.

  2. Consider preemptively retaining a second cybersecurity firm for litigation-related investigations.

Following a data breach, it may be unfeasible to engage a cybersecurity firm with no preexisting relationship.  As Capital One points out, under these circumstances, companies are “under the gun to determine whether there has in fact been an intrusion, the scope of the intrusion, and whether any sensitive data was exfiltrated.”  Had Capital One’s outside counsel used a vendor with which the company had no relationship, “it would have taken weeks to months to approve a new vendor due to bank data security and regulatory obligations, as opposed to the hours or days a company has to effectively respond to a potential data breach.”

To address these competing exigencies (i.e., clearing the regulatory hurdles of providing a new vendor access to sensitive information and systems, quickly responding to a cyber incident, and demonstrating that certain cybersecurity services are provided in anticipation of litigation), it may be prudent for counsel to engage a second forensic firm with which the company has no preexisting relationship.  This can provide a more thorough litigation- and risk-mitigation-focused review to supplement the incident response efforts, and allow the company to demonstrate it has separate reports for business/regulatory and litigation purposes.  By separating the business incident response from the pre-litigation investigation, it is easier to demonstrate that the second forensic firm’s analysis fits clearly within the work product protections.

  3. Change your approach to vendors with a preexisting relationship.

Depending on the circumstances, neither of the above measures may be possible (or desirable) in connection with a breach event.  If a company decides to use the same vendor for both business and litigation-related services, it is crucial to isolate the litigation-related services that the vendor provides and to detail them out in a separate SOW that makes clear how the scope and purpose of the litigation-related work differs from any preexisting SOWs.  The SOW should clarify, for example, that counsel is directing the work for the purpose of providing legal advice and guidance to the company in anticipation of litigation.  And the SOW should not include any unrelated work such as remediation that may be covered under preexisting SOWs.

  4. Use the report only for litigation purposes, and limit its disclosure to necessary individuals.

A company should use the forensic report solely for litigation purposes, and should limit its distribution to only those who need it for these purposes. Such individuals may include in-house counsel, the board of directors, and possibly a small group of cybersecurity employees who need to understand the full nature and scope of the attack and the vulnerabilities identified to assist counsel in the assessment of potential claims and defenses. Clear direction needs to be provided to everyone that receives the report that it is privileged, confidential, and not to be further disseminated. A company should not disclose a forensic report to third parties or the team responsible for incident response.

Generally, materials prepared in the ordinary course of business or pursuant to regulatory requirements are not documents prepared in anticipation of litigation.  In Capital One’s case, the magistrate judge emphasized that about fifty employees, four regulators, an accounting firm, and the “corporate governance office general email box” received a copy of the forensic report.  “[N]o explanation [was] provided as to why each recipient was provided with a copy” or “whether disclosure was related to a business purpose or for the purpose of litigation.”  Further, “Capital One anticipated using the Mandiant Report in making certain disclosures required under the Sarbanes Oxley Act” and provided the report to an employee “for 2nd line business need.”  Capital One also “fail[ed] to address what, if any, restrictions were placed on those persons and entities who received a copy.”  In considering these factors, the court ultimately determined that Capital One used the report for “various business and regulatory purposes.”

In its recent objection, Capital One does not dispute that the Mandiant Report was used for purposes beyond litigation, but maintains that such dual use does not destroy the work product protection. “Regardless of whether Capital One had other, business reasons to investigate the Cyber Incident, those reasons arose from the same set of facts that created the threat of litigation and occasioned Mandiant’s investigation.” Similarly, Capital One argues that its disclosure of the Report “to a limited number of recipients” is immaterial. It disclosed the Report to governmental regulators “because it is obligated to do so.” It disclosed the Report to its auditor, Ernst & Young (EY), and outside counsel directed Mandiant to communicate with EY, “to confirm that the Cyber Incident did not impact the integrity of Capital One’s internal controls over financial reporting.” It disclosed the Report to a “small number of employees” on a need-to-know basis, and distribution was “‘tightly controlled,’ ‘monitored,’ and ‘logg[ed]’ by Capital One’s Senior Associate General Counsel.” And it used the Report to make Sarbanes-Oxley disclosures for the “distinctly legal purpose” of “minimiz[ing] the risk of regulatory action and litigation.”

No matter the final decision, the safest course of action is to provide the full report only to those who need it solely for litigation purposes and provide clear controls on its use.  As a practical matter, companies can often create a separate and non-privileged report to be used for business and regulatory purposes.  Non-privileged reports should be distinct from the privileged forensic report (i.e., not a copy and paste) and should provide a summary of their findings rather than a detailed analysis.

  5. Pay for litigation-related cybersecurity services from your litigation or legal budget.

A company should pay for incident response services out of its litigation or legal budget to show that a forensic firm’s services were provided in anticipation of litigation, as opposed to a business expense.  Capital One paid for Mandiant’s services under the Letter Agreement from the preexisting SOW retainer until the retainer was exhausted and from its Cyber organization’s budget thereafter.  Capital One designated the fees as a “Business Critical” expense and not a “Legal” expense.  After the cyberattack, Capital One reclassified the expenses associated with Mandiant’s work on the data breach as legal expenses and deducted them from its legal department’s budget.  The court was not persuaded, finding that “the retainer paid to Mandiant was considered a business-critical expense and not a legal expense at the time it was paid.”  In considering this factor, the court ultimately determined that Capital One had requested the Report for various business purposes.

In response, Capital One points out that the company had classified the retainers paid to Mandiant before the data breach as “business critical” expenses rather than “legal” expenses, because regulations require the company to have a plan in place for cybersecurity incident response.  The expenses related to the Report were designated as “discovery and investigation costs related to the Cyber Incident” during the “routine year-end accounting reconciliation” process, and were accordingly paid from the company’s legal budget.

Irrespective of how the Court resolves this dispute, companies should pay close attention to how they pay and account for cybersecurity and incident response services to clearly differentiate business and legal functions.  When appropriate, retainers or similar payments should be allocated to a legal function and accounting entries should be written to demonstrate the legal purpose of the work to be undertaken.  In any event, before incurring the expenses, companies should consider designating the costs of incident response services to their legal budgets to show that such services are provided in anticipation of litigation.

Conclusion

If your company experiences a data breach, it is imperative to immediately retain outside counsel who understands the nuances of cybersecurity events, the regulatory and legal obligations flowing from the event, and the potential claims that may arise to carefully navigate the difficult privilege issues that arise almost immediately following a breach.  CPW is here to help.

Some would say that Commissioner Christine Wilson foreshadowed her resignation in her recent GoodRx concurrence. Indeed, Commissioner Wilson has been vocal in recent months about some of her concerns with how the FTC is doing business. Much of her criticism came after the Supreme Court’s AMG Capital Management, LLC v. FTC decision, which stripped the FTC of certain powers. Of course, Privacy World has kept you in the know with how the FTC reacted to AMG HERE, HERE, and HERE. Much of the FTC’s reaction centers on increasing rulemaking efforts, especially as the rulemaking impacts privacy and advertising programs, while also escalating its enforcement actions. Recently, the U.S. Chamber sent an open letter to Congress requesting more congressional oversight of the FTC in light of Commissioner Wilson’s resignation. Here are three points from the U.S. Chamber’s open letter that reflect what Commissioner Wilson’s resignation may mean for Congress and the FTC over the coming year:

With ransomware becoming a household term, you know it’s getting bad when your uncle or aunt calls to complain about the increase in cyber-attacks. Ransomware is a lucrative cyber-attack option for hackers and is rapidly becoming the weapon of choice for threat actors.  During this session, we will explore methods and technologies to get ahead of threat actors and what you can do to create strategies to protect your environment.

Panel members include:

  • Tony Scott. Consultant and Venture Capitalist (Former: Federal CIO, VMware CIO, Microsoft CIO)
  • Brian Fielder. In his current role at Microsoft Brian leads and has responsibility for enterprise security standards, incubation of new security capabilities, enterprise assurance, and the execution of Red Team engagements.
  • Moderator: Ashley Tarver Co-Chairman CTO Circle ACG

When: Wednesday November 3rd

Time: 12:00-1:00pm Pacific time

Where: zoom (Please register here)

2021 was another year of high activity in the realm of data event and cybersecurity litigations, with several noteworthy developments.  CPW has been tracking these cases throughout the year.  Read on for key trends and what to expect going into 2022.

Recap of Data Breach and Cybersecurity Litigations in 2020

2021 heralded several developments in data breach and cybersecurity litigations that may reshape the privacy landscape in the years to come.  However, in many ways 2021 litigation trends were congruent with the year prior.  Before delving into where we may be headed for this important area of data privacy litigation in 2022, let’s do a short recap of where we were at the end of 2020.

Recall that the number of data events in 2020 was more than double that of 2019, with industries that were frequent targets of cyberattacks including government, healthcare, retail and technology.  In this instance, correlation equaled causation—as more entities experienced crippling security breaches, the number of data breach litigations filed also increased.  There were three trends that marked the cybersecurity landscape that we covered in CPW’s 2020 Year in Review:

First, in 2020 plaintiffs bringing data breach litigations continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there were exceptions).  Challenges to a plaintiff’s Article III standing in the wake of a data event were pervasive, with defendants arguing that allegations of future speculative harm were inadequate to establish federal subject matter jurisdiction.

Second, in spring 2020, a federal court ordered production of a forensic report prepared by a cybersecurity firm in the wake of a data breach.  The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel.  Commentators at the time wondered if this was a harbinger of future rulings regarding privilege in the context of privacy litigations.

And third, there were several warning signs that the legal fallout from a data breach can extend to company executives and the board.  As just one instance, in 2020 a company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.

Perhaps unsurprisingly, these earlier trends signaled in part what was on the horizon in 2021 as discussed in greater detail below.

Article III Standing in Cybersecurity Class Action Litigations

The past several years have seen a not-so-quiet revolution in standing jurisprudence, and 2021 was no different.  Standing under Article III of the U.S. Constitution, in the Supreme Court’s oft-repeated phrasing, is an “irreducible constitutional minimum” requiring that a party be able to demonstrate: (1) an injury in fact; (2) that the injury was caused by defendant’s conduct; and (3) that the injury can likely be redressed by a favorable judicial decision.

The standing issue that defined 2021 was “speculative future harm.”  In February, the Eleventh Circuit highlighted a long-running circuit split regarding whether plaintiffs had standing to assert claims based solely on the disclosure of their information coupled with an increased risk of future harm.  In Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021), the court found that standing required a concrete and particularized injury that was actual or imminent.  The Tsao plaintiff based his injuries on fear of future harm, as well as preemptive steps taken to ward off potential identity theft.  In line with the majority of circuits to have addressed the issue, the court found that none of these potential injuries conferred standing.

Other courts likewise joined in this skepticism of standing based on speculative future harm.  The Central District of Illinois expressed doubt in McGlenn v. Driveline Retail Merch., Inc., 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021) whether speculative future harm could confer standing at all.  The Middle District of Florida, following Tsao, recommended in Hymes v. Earl Enters. Holdings, 2021 U.S. Dist. LEXIS 26534 (M.D. Fla. Feb. 10, 2021) that approval for a settlement be withheld based on a lack of standing based on injuries similar to those alleged in Tsao.  In March, the Eastern District of Pennsylvania likewise weighed in via Clemens v. Execupharm, Inc., No. 20-cv-3383, 2021 U.S. Dist. LEXIS 35178 (E.D. Pa. Feb. 25, 2021), reaching the same conclusions regarding speculative future harm.  In April, the Ninth Circuit joined the party, again finding in Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613, 614 (9th Cir. 2021) that speculative future injury, coupled with lost time, worry, and purported loss of value of her information, was insufficient to confer standing.  Even some state courts got in on the fun: the Superior Court of Delaware, applying that state’s similar standing principles, found in Abernathy v. Brandywine Urology Consultants, P.A., No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021) that the mere notice of a data breach coupled with speculative future harm was insufficient to confer standing.

In the midst of this growing chorus of cases rejecting speculative future harm as a basis for standing came the Second Circuit, which issued a massive opinion trying to harmonize years of precedent both finding and rejecting standing.  McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 297 (2d Cir. 2021) held that, in the abstract, a plaintiff could establish standing based on a substantial risk of identity theft or fraud, but that such an argument would be fact and case-specific.

Then came June’s Ramirez v. Transunion, 141 S. Ct. 2190, in which the Supreme Court revisited the question of what constitutes an “injury in fact” in the data breach context.  The Ramirez class consisted of affected individuals who, in the main, alleged only that inaccurate information existed on their credit files, with no corresponding dissemination to a third party or any harm resulting from that dissemination.  The Supreme Court determined that where the vast majority of a putative class suffered no actual injury, let alone the type of injury suffered by a class representative, no standing existed.  The Supreme Court also determined that “the mere risk of future harm, without more, cannot qualify as a concrete harm in a suit for damages.”

On a related note, while commentators worried that Ramirez would preclude data breach litigations from being brought in federal courts, such concerns have not yet materialized.  The courts in Blackbaud and Cotter v. Checkers Drive-In Restaurants, Inc., 2021 U.S. Dist. LEXIS 160592 (M.D. Fla. Aug. 25, 2021), distinguished Ramirez on procedural grounds.  Meanwhile, some courts have indicated that an impending injury or substantial risk could suffice for injury in fact in data breach litigation.  The court in Griffey v. Magellan Health Inc., 2021 U.S. Dist. LEXIS 184591 (D. Az. Sep. 27, 2021), found that plaintiffs alleged risks of future harm that were “certainly impending” and thus had standing.  All in all, however, pleading a data incident without something more probably does not survive a motion to dismiss.  That’s what happened in Legg v. Leaders Life Ins. Co., 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021), where plaintiffs’ allegations of general risks of harm did not suffice.

Ramirez has also led to consideration of timing and cause-and-effect in data privacy litigation, with courts focusing not only on the existence of concrete harm, but whether the harm could have actually been caused by the breach itself.  The Eastern District of Missouri determined in Mackey v. Belden, Inc., 2021 U.S. Dist. LEXIS 145000 (E.D. Mo. Aug. 3, 2021) that the theft of a Social Security number, coupled with the filing of a false tax return after the theft occurred, was sufficient to confer standing, while the Central District of California determined in Burns v. Mammoth Media, Inc., 2021 U.S. Dist. LEXIS 149190 (C.D. Cal. Aug. 6, 2021) that standing requires a plaintiff show an actual connection between his or her damages and the breach, rather than simply speculating that any purported harm that occurred must have been the result of the breach.

Discovery Disputes Over Work Product and Attorney Client Privilege

2021 has also seen a continuation and cementing of 2020’s developments in how courts treat the attorney-client privilege and work product doctrines in connection with data breach litigation.  Specifically, courts have continued to scrutinize closely whether and how clients may protect post-breach forensic reports from production in subsequent litigation.  Two decisions this year – Wengui v. Clark Hill, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021) and In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021) – have addressed these issues.

As a reminder, 2020 brought us the Capital One decision, In re Capital One Consumer Data Security Breach Litigation (Capital One), 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020), aff’d, 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25, 2020).  Capital One, though it logically followed from a number of attorney-client privilege and work product doctrine[1] cases, shook up how counsel had to approach privilege in data breach remediation and subsequent litigation.

If you recall, the Capital One decision involved a motion to compel a report on a data breach prepared by Capital One’s pre-established security consultant.  Capital One, 2020 U.S. Dist. LEXIS 91736, at *12.  This was probably Capital One’s biggest mistake: this “long-standing” business relationship became the key dispositive liability for keeping that report protected under the work product doctrine.  Id.  The court in Capital One scrutinized that business relationship as well as prior reports prepared for cybersecurity purposes and, as a result, ascertained that the consultant’s report would have been prepared in a similar form regardless of the litigation.  Thus, the report did not meet the “because of” litigation standard for work product protection.  Presumably because of the preexisting relationship, that decision did not need to address the narrow Kovel test for whether the report would be protected under the attorney-client privilege as work essentially prepared by the litigation counsel’s expert or paralegal.

Relying on the Capital One decision, a D.C. district court decided Clark Hill earlier this year.  Clark Hill involved a cybersecurity attack directed at a law firm.  In attempting to avoid production of the breach report, Clark Hill sought to rely on the work product doctrine, arguing that the report it sought to withhold was created “because of” anticipated litigation.  Clark Hill, PLC, 338 F.R.D. at 10.  Rather than simply assert that, given that case law exists noting that incident response reports serve business functions as well, Clark Hill attempted to make a more nuanced argument.  Specifically, Clark Hill argued, relying on a concept first introduced by In re Target, that two reports existed: one which was prepared for litigation and the other of which was to be used to address security concerns.  That distinction, while accepted by the Court, failed Clark Hill because the other report was nowhere near as substantive, was not described in the interrogatory responses as a basis for the firm’s response, and the report Plaintiff sought had been circulated outside of the circle of employees and lawyers who needed to know about it for the litigation.  Id. at 12.  Clark Hill similarly lost on the attorney-client privilege in attempting to invoke the Kovel Doctrine.  Clark Hill failed to meet the criteria of this test because the numerous security improvement recommendations in the breach report at issue demonstrated that the report was not prepared by an expert advising litigators on how to provide legal advice but was rather the result of independent vendors working to cure a business issue – Clark Hill’s cybersecurity deficiencies.  Clark Hill, PLC, 338 F.R.D. at 11.

Issued this summer, In re Rutter’s is the third federal court decision addressing these issues.  While Clark Hill cited Capital One in its analysis, In re Rutter’s presents an independent analysis and arrives at the same conclusion.  The potential data breach at issue in In re Rutter’s concerned payment card information at the point-of-sale (POS) devices used by defendants.  Rutter’s received two alerts on May 29, 2019, which “detail[ed] the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  In response, Rutter’s hired outside counsel, BakerHostetler, “to advise Rutter’s on any potential notification obligations.”  BakerHostetler in turn hired a third party security firm “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.”  In re Rutter’s Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 136220, at *3.

Plaintiffs in In re Rutter’s learned about the defendant’s investigation and resulting report during the Fed. R. Civ. P. 30(b)(6) deposition of Rutter’s ill-prepared Vice President of Technology.  Following that deposition, and as a result of the deponent’s framing of the process underlying the report, Plaintiffs sought production of the security firm’s written report and related communications.  Rutter’s objected, citing the work product doctrine and attorney-client privilege.  Applying the general work product doctrine precedent described above, the court held that the work product doctrine did not protect the security firm’s report and related communications from disclosure in discovery, largely because of how that report was characterized at deposition as indistinct from a factual report prepared without involvement of counsel.

Thus, both Clark Hill and In re Rutter’s serve as sobering reminders that while reports prepared for and at the request of counsel in anticipation of litigation can be privileged, compliance officers and counsel must scrupulously avoid blurring the lines between “ordinary course” factual reports and reports genuinely prepared for assisting trial counsel.  In re Rutter’s also serves as a reminder that preparing 30(b)(6) witnesses can be critical as their testimony can be highly significant, if not dispositive, for a court when assessing assertions of privilege.

These two new cases further cement the widespread implications of Capital One for data privacy litigation strategy.  All three cases pose lessons for litigators and incident response counsel on the appropriate framing of incident response efforts before and during litigation.  For a more in-depth analysis of the facts underlying these cases and the take-away lessons from them, see our earlier publication here.

Plaintiff-Side Developments

Data breach litigations continued to be filed at a brisk pace in 2021 in industries ranging from ecommerce, finance, mortgage providers, technology, and software cloud companies to healthcare, wellness, retail, and fast-food, among others.

Many of these litigations were dismissed at the pleadings stage, either for lack of Article III standing (discussed above) or for failure to plead a cognizable claim.  These cases reiterate that merely alleging that a data event or cyberattack occurred, without more, does not mean that plaintiffs automatically can go forward with a case.  Conclusory, ipse dixit allegations are not sufficient.  Plaintiffs are taking note of these decisions and increasingly relying on a blunderbuss pleading strategy (by raising multiple statutory and common law claims in a single complaint) in an effort to have their claims survive a motion to dismiss.

However, because plaintiffs (particularly those that allege merely speculative future harm as a result of a data event) have difficulty establishing the core elements of causation and damages, these efforts have met with mixed success.  Mere alleged misappropriation of personal information may not suffice for purposes of establishing a plaintiff’s damages.

Of course, it goes without saying that class action plaintiffs have also taken an expansive pleading strategy in the hopes that they will be able to cobble together a claim under one of the state or federal privacy statutes that provides for liquidated statutory damages upon establishment of a violation (the California Consumer Privacy Act (“CCPA”) and federal Driver’s Privacy Protection Act were two frequent targets).

Other Trends: Emergence of the Data Breach Consumer Pricing Dispute and a Decline in MDLs

2021 also saw the first instance in which a data event litigation was framed as a quintessential consumer pricing dispute—perhaps signaling that such cases may become more common.  In the wake of a ransomware attack involving the Colonial Pipeline, two groups of Plaintiffs filed suit alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.”  See Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.); EZ Mart 1, LLC v. Colonial Pipeline Company, Case No. 1:21-cv-02522 (N.D. Ga.).  This included the assertion that Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations].”  Plaintiffs sought to certify a nationwide class consisting of “[a]ll entities and natural persons who purchased gasoline from May 7, 2021 through Present and who paid higher prices for gasoline as a result of the Defendant’s conduct alleged herein (hereinafter the “Class”).”  Will we see more of this going forward?  Time will tell.

Finally, although the Judicial Panel on Multidistrict Litigation (“JPML”) recently transferred and centralized over 40 data event and cybersecurity class actions brought against T-Mobile in the Western District of Missouri, data breach multidistrict litigations (“MDLs”) declined over prior years.  There were several instances in which the JPML declined requests to consolidate and coordinate pretrial proceedings in the wake of a data event.  Justifications given by the JPML in declining consolidation this year included that “centralization under Section 1407 should be the last solution after considered review of all other options,” which include “agreeing to proceed in a single forum via Section 1404 transfer of the cases and voluntary cooperation and coordination among the parties and the involved courts to avoid duplicative discovery or inconsistent rulings.”  When cybersecurity litigations have been primarily filed in the same forum or the parties are already coordinating, the JPML especially was disinclined to order MDL formation in 2021.

Looking Forward

In many regards, 2021 demonstrated the axiom “the more things change, the more they stay the same.”  Cybersecurity litigation trends in 2021 were a continuation of 2020.  Article III standing, privilege considerations and novel pleading strategies used by plaintiffs to survive a well-crafted motion to dismiss are expected to remain key issues in data event litigations in 2022.  Additionally, a larger development on the horizon remains the specter of liability to corporate officers and the board in the wake of a widespread cyberattack.  While the majority of cybersecurity litigations filed continue to be brought on behalf of plaintiffs whose personal information was purportedly disclosed, shareholders will increasingly look to hold executives responsible for failing to adopt reasonable security measures to prevent cyberattacks in the first instance.

Needless to say, 2022 should be another interesting year for data event litigations and for data privacy litigations more broadly.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

CPW’s Kristin Bryan was interviewed recently by CyberScoop regarding the significance of the court’s decision in In re Rutter’s, which ordered the production of a forensic report and related communications over assertions of privilege in data privacy litigation.  As she explains, the court’s ruling (considered in conjunction with the Clark Hill and Capital One decisions) has widespread implications outside the context of data privacy and cybersecurity litigations.  You can check out her comments and the full text of the CyberScoop article here.

One developing area of the law that sends shivers down the spine of data privacy litigators is a growing number of federal courts holding that the attorney-client and work product privileges do not apply to forensic reports and related communications regarding a data incident.  Knowledge of the circumstances involved in the Capital One and Clark Hill litigations—where it was held privilege did not apply—is essential at this point given the high stakes at play.  Yesterday another federal court ordered production of materials prepared in the wake of a data incident.  In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021).  The case has widespread implications outside the realm of data privacy litigation.  While this case involves a cyber breach, its reasoning applies to any compliance-related investigation.  Read on to learn more.

First, the facts.  CPW has already covered the background of the data incident at issue in In re Rutter’s Data Sec. Breach Litig., which concerned a possible breach involving payment card information at the point-of-sale (POS) devices used by defendants.  As relevant here, Rutter’s received two alerts on May 29, 2019, which “detail[ed] the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  In response, Rutter’s hired outside counsel, BakerHostetler, “to advise Rutter’s on any potential notification obligations.”  BakerHostetler in turn hired a third party security firm “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.”

Plaintiffs learned about this investigation during the Fed. R. Civ. P. 30(b)(6) deposition of Rutter’s Vice President of Technology.  Following that deposition, Plaintiffs in the data incident litigation sought production of the security firm’s written report and related communications.  Rutter’s objected, citing the work product doctrine and attorney-client privilege.

The work product doctrine applies to “documents and tangible things … prepared in anticipation of litigation or for trial by or for another party or by or for that other party’s representative.”  However, Rule 26(b)(3) of the Federal Rules of Civil Procedure specifies that “for the work product doctrine to apply, the document must be prepared ‘in anticipation of litigation.’” Additionally, the Third Circuit Court of Appeals has specified that aiding in “identifiable” or “impending” litigation must have been the “primary motivating purpose behind the creation of the document.” (emphasis supplied).  This involves a two-step inquiry: (1) whether the party which ordered or prepared the document had a “unilateral belief” that litigation would result and (2) the anticipation of litigation must be objectively reasonable.

Applying this precedent, the court held that the work product privilege did not protect the security firm’s report and related communications from disclosure in discovery.  This was because:

  • As set forth in the Statement of Work (“SOW”) in which the security firm was retained, “[t]he purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred.” (emphasis in original). As such, Rutter’s “cannot be said to have unilaterally believed [as required by Third Circuit precedent] that litigation would” (emphasis in original).
  • This conclusion was additionally underscored by the testimony of Rutter’s corporate designee (who signed the agreement with the security firm involved).
  • The corporate designee testified that: (1) he was not “contemplating” forthcoming lawsuits as a result of the data incident at the time the security firm was performing its work, (2) he was unaware of anyone else at Rutter’s contemplating such lawsuits and (3) (likely most damaging) the security firm “would have . . . done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed.” (emphasis supplied).
  • Additionally, the court noted that there was no evidence that BakerHostetler received the report before Rutter’s once the security firm’s work was completed.

Rutter’s fared no better with its assertion of attorney-client privilege as precluding production of the materials Plaintiffs sought.

Under Third Circuit precedent, attorney-client privilege attaches to: (1) a communication (2) made between privileged persons (3) in confidence (4) for the purpose of obtaining or providing legal assistance for the client.  Moreover, a communication is privileged only if its “primary purpose” is to gain or provide legal assistance.  The attorney-client privilege “does not protect the communication of facts.” (emphasis supplied).

Here, the court rejected Rutter’s assertion of attorney-client privilege because Rutter’s “does not carry its burden of establishing that the [security firm’s report] and related communications between [the security firm and Rutter’s] had a primary purpose of providing or obtaining legal assistance.”  The court made the following factual findings:

  • The SOW at issue showed that the security firm was merely retained to “collect data,” monitor IT equipment, and determine whether the IT equipment had been compromised.
  • The court’s review of the record revealed that the security firm’s report and related communications “were either factual in nature or, where advice and tactics were involved, did not include legal input.” (emphasis supplied).

This case is a sobering reminder that while reports prepared for and at the request of counsel in anticipation of litigation can of course be privileged, compliance officers and counsel must be scrupulous to avoid blurring the lines between “ordinary course” factual reports and reports genuinely prepared for trial counsel for the purposes of assisting counsel in litigation.  And as was the case here, the testimony given by a 30(b)(6) representative can be highly significant, if not dispositive, for a court when assessing assertions of privilege.

For more developments concerning data privacy litigation as they occur in real time, stay tuned.  CPW will be there.


Last month, a federal court addressed the kind of harms that need to be included in a plaintiff’s complaint asserting claims under the Fair Credit Reporting Act (“FCRA”) and Fair Debt Collection Practices Act (“FDCPA”) to survive a motion to dismiss.  Magruder v. Capital One, Nat’l Ass’n, 2021 U.S. Dist. LEXIS 94804 (D.D.C. May 19, 2021).  Finding that the plaintiff had “barely” overcome the bar, the court reaffirmed the minimum pleading requirements necessary for such claims.  Read on for more details.

Plaintiff’s initial lawsuit brought claims against several financial institutions and debt collectors.  Alleging that his attempts to resolve disputes with his credit reports had had him effectively running in circles, Plaintiff brought suit against all the defendants for violations of the FCRA, and against one defendant specifically for violations of the FDCPA.

Prior to going any further with the case, the court ordered Plaintiff to show that he had suffered an “injury in fact” sufficient to satisfy the threshold requirement of Article III standing.  This necessitated that Plaintiff show that he had been harmed in a real sense, that is, that he was personally affected, and that the harm was not hypothetical or abstract.  [Note: Injury for purposes of Article III in some instances can include intangible harms, including emotional harms in very specific instances.]

In assessing Plaintiff’s injury claims, the court expressed repeatedly that his claims of a tangible harm were “thin by any measure.”  Plaintiff claimed that he had suffered economic losses, but provided no details explaining the amount of the losses, or how they happened.  Still, the court found that the bar was low enough that Plaintiff’s complaint was sufficient for a number of his claims, at least at this point.

Most notably, the court found that while Plaintiff had not claimed any tangible loss as a result of Trans Union’s alleged violation of FCRA, his emotional harm was enough.  Plaintiff alleged that Trans Union’s “failure to follow reasonable procedures to assure maximum accuracy” (§ 1681e(b)) and “failure to conduct a reasonable investigation” (§ 1681i(a)) had caused him “embarrassment, humiliation and other mental and emotional distress.”

The court found that FCRA was, at least in part, designed with this specific kind of injury in mind.  Plaintiff claimed that his credit reports incorrectly said that he had outstanding debt, when he did not.  That false claim was spread to other parties, causing emotional harms.  “The FCRA was enacted to deter just this.”  The court also extended this to the FDCPA, noting that courts have previously ruled that a plaintiff may have standing in FDCPA cases if the alleged violation “caused anxiety” or “stress and inconvenience.”

Note that in the context of the FCRA and FDCPA, other courts have taken a contrary approach as to whether such damages suffice at the pleadings stage.  This issue is far from settled in this area of data privacy law.  Not to worry, CPW will be there to keep you in the loop.

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

The Sedona Conference Commentary on Quantifying Violations Under U.S. Privacy Laws Published for Public Comment | Consumer Privacy World

BREAKING NEWS: In Capital One Data Breach Litigation Federal Judge Grants Capital One’s Motion To Certify Question to Virginia Supreme Court | Consumer Privacy World

Clearview Opposes BIPA Injunction, Saying Ban on Collecting Data Would Force Company to Stop Operating | Consumer Privacy World

Plaid Partially Successful in Tossing Out Class-Action Complaint – Privacy Allegations Still Remain | Consumer Privacy World

Plaintiff’s Second Bite at the Apple Fails: Court Dismisses FCRA litigation | Consumer Privacy World