One of the critical steps an organization often takes early on to investigate a cyber incident is to conduct digital forensics.
This type of forensic analysis, almost always carried out by a third-party firm, works similarly to how the detectives work on your favorite crime TV show: trained investigators pick apart every nook and cranny of the crime scene for any clues as to what happened. When the “crime scene” is a company’s IT system, that means lots of potentially sensitive information is revealed to investigators.
A recent decision in a class action suit against Capital One bank is sending waves through the world of cyber breach response because of how it impacts the confidentiality of digital forensics reports.
To learn more about how this case may change how companies handle breach response, we’re talking to Pasha Sternberg, an attorney at Polsinelli PC who specializes in handling cyber incidents.
Q&A with Pasha Sternberg
What is known about the underlying Capital One data breach?
Based on what we know from Capital One’s statements and news reports, in March 2019 an unauthorized third party was able to access Capital One’s systems and exfiltrate personal information of over 100 million individuals in the US and Canada.
The third party was able to get information submitted by individuals as part of their credit card applications. This included information such as names, addresses, phone numbers, emails, and income amounts. The third party also got access to credit scores and account information such as limits, payment history, and transaction data. For some individuals, the information included Social Security numbers and bank account numbers.
The data breach was the result of a misconfigured web application firewall that a former employee of the cloud service, which Capital One was using, was able to exploit in order to get into the database. Unlike most data breaches, an arrest was made in connection with this attack.
A recent decision in the case relates to the discoverability of a forensic report. Why all the fuss about a discovery order?
In May 2020, a magistrate judge ruled that a forensic report created by Mandiant as part of its incident investigation was discoverable and had to be turned over to plaintiffs in a class action against Capital One stemming from the breach. This decision was upheld by the District Court judge on June 25th.
This is significant because forensic investigations dive deep into the structure – as well as the vulnerabilities and failings – of a company’s computer network, and provide an explanation as to what led to a compromise of information during the incident. Companies and their attorneys use these reports, which are often created by computer forensics firms as part of their forensic investigation, to determine the company’s notification obligations after an incident, how to best remediate the situation, and what other steps to take in the future. As a result, in the past these types of reports have been treated as privileged documents that are protected against such disclosures.
What did the magistrate judge find, and why is that concerning to counsel and forensics firms who practice in this space?
For a variety of reasons, the magistrate judge found that the report was not privileged. Before the incident was discovered, Capital One had the firm that created the report, Mandiant, under retainer for incident response and other services. After Capital One identified the incident, it retained an outside law firm to assist it with its incident response process, and that law firm engaged Mandiant to conduct an investigation. Despite the outside counsel’s participation in the engagement, the updated engagement referenced the prior agreements between Capital One and Mandiant, and payment for Mandiant’s investigation was made out of the existing retainer and then out of Capital One’s cyber budget, although that budget was later reclassified as a legal expense.
Additionally, with some small differences, the services Mandiant provided mirrored those written out in the agreement Capital One had in place prior to the incident. Finally, after Mandiant provided the forensic report to the outside counsel, the law firm shared it first with Capital One’s legal team, but then also to Capital One’s Board of Directors, about fifty additional employees outside of the legal department, Capital One’s external audit firm, and four governmental regulators.
These facts led the magistrate judge to rule that the report was not created, and was not used, solely in anticipation of legal action, but rather for other business purposes. As a result, the magistrate found that it was not a privileged attorney work product and could be discoverable.
While this case is not binding, do you anticipate that attorneys will counsel their clients to engage forensics firms in a specific way as a result of this decision? What are the new “best practices” in this regard?
Although this is only one case and has some very specific facts that may be different in a lot of other instances, it is informative for companies, forensics firms, and outside counsel going forward.
First, it highlights the importance of separating the forensic investigation from pre-incident engagements a company may have with a forensics firm. A forensic investigation into a potential data incident should be narrow in scope to investigate the incident, be contracted for separately from any prior agreements, and be paid for out of the company’s legal budget or through a separate monetary stream such as the insurance budget — not IT.
Second, the decision makes it important to limit sharing of a forensic report both within and outside of a company. Reports stemming from a forensic incident investigation should only be used by the legal team to make decisions as to matters that could lead to litigation; they should not be used to inform general IT decisions or shared with outside parties.
Note: All Smart Cyber Insurance and Smart Tech E&O policies from Corvus come with breach response services including a “Breach Coach”, an attorney who helps to manage the response to an incident. The Breach Coach can help your clients navigate the critical steps of a data event, from retaining forensic professionals to notifying clients/customers who may have been affected.