top of page
Search
  • Writer's pictureSarah Anderson

3 LESSONS ON PRESERVING LEGAL PRIVILEGES FOLLOWING A “BREACH”



Murphy’s law guaranteed that the moment I deployed, U.S. Courts started rapidly issuing cyber law opinions. Nothing like using third world Wi-Fi to download written orders from .gov websites…


That said, a July 22, 2021, opinion from the Middle District of Pennsylvania really highlighted the need for businesses to start treating cyber like other high-risk area of liability. Indeed, 3 invaluable lessons emerge from the In Re Rutter’s Data Security Breach Litigation:


Therein, the court examined a discovery dispute regarding the production of the defendant, Rutter’s MSSP investigative report that examined a 2019 data breach. A press release from Rutter's said that the root of the breach was malware collecting data from payment cards swiped through point-of-sale (POS) devices installed inside convenience stores and at fuel pumps.


After filing a $5M+ suit for damages, Plaintiffs successfully compelled the cybersecurity consultant, Kroll Cyber Security, LLC (“Kroll”) and all related communications between Kroll and Rutter despite claims of two legal privileges: 1) Attorney-Client; and 2) Work-product doctrine.


Following the receipt of alerts from Carbon Black (EDPR software) on May 29, 2019, regarding suspicious script, Rutters hired the law firm of Baker Hostetler (“Baker”) to advise on notification obligations. Baker then hired Kroll to perform forensic analyses and investigate the origin of the breach. Likely based on the In Re Capital One data breach case, Baker, Rutter, and Kroll all believed that the reports and communications would be confidential since unlike Capital One, Rutter had its attorney retain Kroll and initially direct its work. However, the 4 material flaws in Baker and Rutter’s strategy were that Kroll and the Rutter often met privately, Rutter (not its attorney) paid Kroll directly, Kroll provided its report directly to Rutter (not Baker), and the contract with Kroll did not include necessary language.


Specifically, the work-product privilege failed because contract executed between Kroll and Rutter made clear that the investigatory report was to determine whether a breach occurred, its scope, and the sensitive information affected. The statement of work did not include any language indicating that the report was intended to prepare for potential litigation. This reasoning demonstrates a lack of understanding by the court about how close a link there is between breaches and future litigation, but still proves itself as a cautionary tale.


The court wanted to see evidence that Rutters had a “unilateral belief that litigation would result at the time it requested the Kroll Report” because “without knowing whether or not a data breach had occurred, Defendant cannot be said to have unilaterally believed that litigation would result.” It also did not help that in a corporate deposition of Rutter (the scariest discovery tool for any organization) the Rutter representative testified that the company was not “contemplating” future lawsuits. Whoops…. corporate depositions strike again!

The attorney-client privilege argument also failed. A communication may only be privileged if its primary purpose is to gain or provide legal assistance. The lawyer in the communication must be “acting as a lawyer” and not in another capacity. The Kroll contract stated that the purpose was to “collect data from Defendant’s equipment, to monitor Defendant’s equipment, to determine whether Defendant’s equipment was compromised and to what extent, and to ‘work alongside Rutter’s IT personnel to identify and remediate any potential vulnerabilities.’” And, more importantly, none of the individuals exchanging the communications were attorneys or discussing inherently legal issues.


To learn from another’s mistake, the lessons here are threefold:


1) Create a cyber incident response plan WITH AN ATTORNEY so that all those responding to the situation know who, and in which order, to call to ensure all legal remedies and privileges are preserved. If you are a liquid business with any capital or insurance, you will most likely be sued following a breach.


2) If you are breached, send out lots of internal corporate emails explaining something like the following: “With these indicators of compromise, I am concerned about facing future legal claims asserted by anyone affected by a potential data security problem. We need to contact our attorney at [NAME/PHONE NUMBER] so that he/she can retain a qualified forensic team to examine the matter, recommend future efforts, and prepare relevant data in the event of litigation or an investigation by a regulatory agency. Please also call the insurer.” Do NOT use the words “breach” or language suggesting fault of any individual employee. Do, however, ensure that the attorney hires, pays, communicates with, and draws up the contract with the forensic team. Any potential concerns about fault must be communicated over the telephone and not in written correspondence.


3) And while not a failsafe, ensure counsel is involved in meetings with the forensic team.

69 views1 comment

Recent Posts

See All

1 Comment


Frye Jacob
Frye Jacob
Oct 20, 2021

Candace Parker was recently featured on NBA 2K22 MT the cover for NBA2K22. Lisa Leslie, her former Los Angeles Sparks mentor and teammate, was the one that paved the way for Parker's inclusion in Backyard Basketball 2001. Here are the results of her inclusion and how Parker's focus could increase her exposure.


Candace Parker was chosen to take on the role of NBA2K22. This is the first time a woman's basketball player has received this distinction. Her Los Angeles Sparks mentor Lisa Leslie was the one who first opened the door for women to participate basketball in video games. Leslie was an Humungous Entertainment's Backyard Basketball player (2001) prior to the release of PlayStation 5 and 3.


While it was…


Like
Post: Blog2_Post
bottom of page