Lawyers, Data Breaches and Electronic Discovery: A Mis-Match Made in Heaven or …? Preservation, Privilege and Other Potentially Problematic Priorities for Counsel and Client. By Adam Cohen, JD CISSP CCSP CEH
ESI preservation and collection can be challenging in the aftermath of an information security compromise (or “data breach”). Any imperfections in the process, as well as the discoverability of investigative materials related to breach response, may stoke the fires of eventual class-action litigation, where they will be regarded with 20/20 hindsight. Victims of cyber-attacks may find that malicious actors infiltrated their systems years prior to discovery and that, unfortunately, the historical records of activity on the compromised systems, known as logs, are regularly purged on a much shorter schedule (or purged or altered by the attacker covering tracks). In these cases, re-creating the details of how defenses were evaded or overcome may be impossible, diminishing confidence in the completeness of remediation efforts. At the other end of the spectrum, preservation or collection of ESI may need to take place at the same time the target organization is defending an ongoing attack and/or on a “live” system. Lawyers chattering about the duty to preserve are the last thing stressed-out and resource-stretched I.T. first-responders want to see.
Data breaches also present different sources of ESI. In tracing the movement of attackers and data flow through networks, there are a host of potential sources which could contain relevant ESI not typically relevant in other kinds of cases. These sources include the rich variety of logs mentioned above, which can take different forms, reside in different kinds of storage media and require different software for use and analysis.
In today’s world of mass enterprise I.T. migration to the big public cloud computing services and the predominant business use of Software-as-a-Service, logs are just as likely to be held by a third-party service provider. The logs available to customers, if any, and the kinds of logs, may differ from those to which the provider itself has access, for example with “Infrastructure-as-a-Service” through the cloud. Logging may be part of services that the provider sells and to which the customer may not have subscribed. In our increasingly inter-connected world, public policy questions may be raised when I.T. service providers do not share logs that could help remediate a data breach involving “sensitive” or “private” data, especially where the largest cloud service providers achieve their incredible economies of scale through “multi-tenancy”—a form of virtual co-habitation.
Note, however, that cloud service providers are far from the least likely sources of discovery in many data breach episodes, as the graphic below illustrates:
Some of the relevant data may have to be obtained from volatile memory on network devices, requiring specialized expertise and tools. Concerns about investigative forensics activity alerting an attacker to discovery, or interfering with the operational performance of the business, can add unwanted complexities. Forensic investigators may also create large volumes of additional ESI by performing packet captures to analyze high volumes of network traffic, and those captures may themselves be subject to disclosure. That raises the question of protection from disclosure on grounds of attorney-client privilege or work product.
While counsel should be directing, overseeing or at least actively involved in incident response given the variety of potential legal consequences for any organization, there is no guarantee that the work of forensic investigators brought in to help is immune from discovery. Given the sensitivity or volatility of certain data sources noted above, digital forensics investigators responding to a data breach may as a practical matter be the only people who had access to the most important ESI available. Whatever these hired (hopefully by legal counsel) hands preserved may be the only electronic evidence representing the technical facts known about the incident. Accordingly, the notion that this evidence should remain confidential as related to legal advice is open to question—a question that should be anticipated and answered by a carefully planned process designed to demonstrate, clearly and emphatically, the relationship between the forensic investigation and the provision of legal advice.
In Genesco, Inc. v. Visa U.S.A., Inc., 302 F.R.D. 168 (M.D.Tenn. 2014), plaintiff sought to withhold materials generated by an investigation in the aftermath of a data breach, conducted by an outside digital forensics firm. The court agreed that the information was protected, relying largely on an affidavit from the general counsel and the engagement letter with the outside forensics firm, which both recited, explicitly, that the whole point of the engagement was to help with legal advice in anticipation of litigation. Similar submissions were made effectively by Target, which also succeeded in protecting its data breach investigative materials. In re Target Corp. Customer Data Sec. Breach Litig., 2015 WL 6777384, at *1-2 (D.Minn. Oct. 23, 2015). However, Genesco was ordered to produce relevant information regarding its remediation efforts. Genesco, 302 F.R.D. at 194.
The Target court also rejected the argument that “anticipation of litigation” should not favor protection of investigative materials as work product, where the plaintiffs argued that: a) Target would have had to investigate and remediate the data breach regardless of litigation; and, b) the facts in the investigative report were meant for business and not legal advice. In re Target Corp., 2015 WL 6777384, at *1. Target succeeded in protecting disclosure about the investigation its outside counsel supervised, which included counsel’s hiring of digital forensics help. A separate investigation team, “walled off” from the “legal advice” investigation team, performed an investigation for the credit card companies pursuant to various commercial agreements and industry standards; that investigation was deemed non-privileged.
However, earlier this year the Sixth Circuit filed an order in In re United Shore Financial Services, LLC, 2018 WL 2283893 (6th Cir. Jan. 3, 2018) requiring production of materials related to a data breach investigation even if properly classified as attorney-client privileged. The matter was before the Circuit Court of Appeals on a writ of mandamus petitioned for by co-defendant United Shore Financial Services, LLC (“United Shore”), effectively asking that the higher court vacate two District Court orders (the first directing production of the documents and the second seeking clarification of the first). The claims relate to a cyber-intrusion in a system of co-defendant Xerox Management Services, Inc. (“XMS”), on which United Shore stored PII for potential borrowers.
United Shore claimed, by affirmative defense, that XMS was at fault, based on the opinion of forensic investigators engaged by its counsel. Naturally, considering the basis for United Shore’s allegations, XMS expected United Shore to produce the documents regarding the investigation. United Shore, however, resisted and the District Court granted the XMS motion to compel.
The Sixth Circuit wasted little space in denying United Shore’s petition. Among other things, the court simply stated that by disclosing the conclusion of the investigation in support of an affirmative defense, United Shore had sealed its own fate:
The district court correctly concluded that the attorney-client privilege can be implicitly waived. In re Lott, 424 F.3d 446, 452–53 (6th Cir. 2005). “Litigants cannot hide behind the privilege if they are relying on privileged communications to make their case” or, more simply, cannot use the privilege as “a shield and a sword.” Id. at 454 (quoting United States v. Bilzerian, 926 F.2d 1285, 1292 (2d Cir. 1991)). “Thus, the privilege may be implicitly waived when defendant asserts a claim that in fairness requires examination of the protected communications.” Bilzerian, 926 F.2d at 1292. Here, United Shore cited XMS's action or lack of action as an affirmative defense. And it commissioned an investigation that concluded that XMS was at fault. Thus, it attempted to prove a defense by disclosing or describing the attorney-client communications. See In re G–I–Holdings, Inc., 218 F.R.D. 428, 433 (D.N.J. 2003). Once waived, the privilege is waived with respect to all communications involving the same subject matter. Id. The district court did not clearly err in compelling disclosure of the privileged documents.
In re United Shore Financial Services, LLC, 2018 WL 2283893, at *2.
These cases would appear to provide a fairly straightforward set of recommendations for protecting against disclosure of data breach investigative materials, to the extent they are a subject of proactive consideration. Nonetheless, many clearly articulated, self-evidently prudent information security practices are regularly ignored. For example, thorough planning for incident response is a classic, long-in-the-tooth information security recommendation that has found its way into many different legal requirements. Yet the tendency to procrastinate regarding this (and other) proactive, risk-mitigation “to-dos” is familiar to many information security professionals. Where appropriate planning for incident response is omitted, the likelihood of a mis-step, in general but especially in constructing the right conditions for attorney-client privilege and work product protection, is vastly increased.
Adam is a trusted advisor to business enterprises and their legal counsel wherever information technology and the law intertwine. Using proven methodology and complementary technology, he brings Digital Discipline to information governance, cyber-security, electronic discovery, data privacy and records management. Adam is a Managing Director at Berkeley Research Group LLC in New York.