4/28/2022
2022 Developments and Trends Concerning Data Breach and Cybersecurity Litigation and Related Matters
Speakers
Kristin Bryan
Partner Cleveland, Ohio
Ericka Johnson
Senior Associate Washington, D.C.
squirepattonboggs.com
Rafael Langer-Osuna
Partner San Francisco, CA
Jesse Taylor
Senior Associate Columbus, Ohio
AGENDA
Best practices for incident response and data breach preparedness
Emerging issues concerning officer and director liability in areas of cybersecurity and data privacy
How to protect the attorney-client and work product privileges for cyber incident response
Trends concerning data breach and cybersecurity putative class action litigation and defense
Best Practices for Incident Response and Data Breach Preparedness
Appropriately Assessing Your Organization's Cybersecurity Risk Profile
Colonial Pipeline Ransomware Attack
Overview of Cybersecurity Threat Landscape
Robust Regulatory Environment Under the Biden Administration
Biden Executive Order on Improving the Nation's Cybersecurity
DOJ's Cybersecurity Enforcement Initiatives for Government Contractors
OFAC Updated Sanctions Guidance for Virtual Currency Industry
Cyber Incident Reporting for Critical Infrastructure Act
36-Hour Breach Notification Rule for Banks
Proposed SEC Rules
Trends in Cybersecurity Enforcement
U.S. regulators across all industries are increasingly leveraging their authority to enforce cybersecurity regulations
U.S. Securities & Exchange Commission ("SEC")
Pearson plc fined $1M for failure to disclose cybersecurity breach to investors (August 2021)
NY Department of Financial Services ("NYDFS")
Imposed a $1.5 million penalty on Residential Mortgage Services, Inc. ("RMS") for failing to report a cyber breach exposing New York residents' private data (March 2021)
U.S. Health and Human Services ("HHS")
Health insurer Lifetime Healthcare Companies paid $5.1 million to settle potential violations arising from a data breach affecting over 9.3 million people (January 2021)
U.S. Department of Justice ("DOJ")
Comprehensive Health Services, LLC (CHS) paid $930,000 to resolve alleged violations of the False Claims Act (FCA) (March 2022)
Systematic Approach to Cyber Defense
Tone from the Top
Step One: Identify the Risk
Conduct Security Threat Risk Assessment
Step Two: Map potential risks to possible outcomes and affected parties
Consider likelihood of occurrence
Consider severity of impact
Step Three: Prioritize the most severe risks and determine control measures
Step Four: Implement controls and validate through testing
Step Five: Routinely re-evaluate risks, test controls, and update as needed
Systematic Approach to Incident Response
Develop an Incident Response Plan
Plan = control
Table Top Exercises
Practice = effective response
Cybersecurity Insurance
Financial benefit only: NOT your response plan, NOT your response team
Emerging Issues, Including Officer and Director Liability, in Cybersecurity and Data Privacy
Data Privacy and Cybersecurity: A Federal Priority Across Agencies
Data privacy and cybersecurity are a strategic priority across federal agencies
Includes recent developments with:
The Securities and Exchange Commission ("SEC")
The Department of Justice ("DOJ")
The Federal Trade Commission ("FTC")
The Food and Drug Administration ("FDA"), among others
Key Takeaway in Shifting Landscape
As the regulatory landscape has evolved, so too has the legal risk associated with cyber-related issues
This includes the potential for officer and director liability, as well as expanding litigation risk
February 2022: SEC Proposes Cybersecurity Regulations for Advisers and Funds
The SEC recently proposed new rules related to cybersecurity for registered investment advisers, investment companies and business development companies.
The SEC's proposal includes four areas of new rules specific to cybersecurity:
Adoption of Written Cybersecurity Policies and Procedures
Confidential Reporting by Advisers of Cybersecurity Incidents to the SEC
Public Disclosure of Cybersecurity Incidents and Risks
Recordkeeping Obligations
SEC Developments Consistent with Recent Enforcement and Litigation Trends
SEC Proposed Cybersecurity Rules are consistent with recent enforcement trends
In 2021, the SEC stepped up cyber-related enforcement activity concerning statements made in SEC filings and public statements regarding cybersecurity processes and practices
Case studies
Other Related Developments
Accompanying rise in shareholder derivative lawsuits. Typically concerns:
Failure to maintain and implement appropriate cybersecurity controls and/or
Failure to respond to red flags
Additional increase in scrutiny from DOJ
FTC following suit
Recommended Best Practices
Reinforces need for appropriate internal controls
Additional considerations include:
Hire a Chief Information Security Officer ("CISO") with relevant cybersecurity experience
Training: Not limited to employees. Engage outside technical experts to conduct regular assessments and to educate officers and board members on data security.
Consider a board task force or committee to focus on data privacy and cybersecurity
Conduct routine audits, including of vendors
Ensure board appropriately prioritizes and deliberates on issues concerning data privacy and cybersecurity with documentation of decisions made
Care in any public statements or filings concerning materiality of cyber events and impact on company
Attorney-Client Privilege & Work Product Doctrines
What is the attorney-client privilege?
Privileged information is confidential information
In-House Counsel Might Be More than Just Lawyers
Outside Counsel Retention
How to Bring Non-Lawyers Within the Privilege
What is the Work Product Doctrine?
Waiver
Information must REMAIN confidential
How can you fix a problem without involving non-lawyers?
FRE 502(d)
Why is a Privileged Forensic Report Important?
Details the critical vulnerabilities
Identifies where IT defenses may not be compliant with best practices, regulations and/or industry standards
Plaintiffs can also use this information as evidence to substantiate their claims.
What are the Practical Considerations?
In determining whether a forensic report is privileged, courts will look to the totality of the circumstances.
Entities should consider implementing several best practices.
In re Capital One Consumer Data Sec. Breach Litig., 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25, 2020)
In July 2019, Capital One disclosed a data breach
Retained outside counsel, who in turn retained Mandiant, a prior service provider of Capital One
Plaintiffs sought the report; the Magistrate Judge granted the motion to compel, finding the report was not work product
Capital One did not meet its burden: the Court found that Mandiant's report would have been prepared in substantially similar form regardless of whether or not litigation followed the cyberattack
In re Capital One: Key Take-Aways
Ensure that outside counsel retains a cybersecurity vendor with which you have no pre-existing relationship
Pay for litigation-related cybersecurity services from your litigation or legal budget
Use the report only for litigation purposes, and limit its disclosure to necessary individuals
Wengui v. Clark Hill, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021)
Clark Hill suffered an attack in September 2017; a client's data was published online
Investigation involved: (i) the firm's regular cybersecurity firm; (ii) outside counsel; and (iii) an independent cybersecurity firm retained by outside counsel
Court ordered production and ruled:
Report was an "ordinary course" incident report
Concluded, "discovering how [a cyber] breach occurred [is] a necessary business function regardless of litigation or regulatory inquiries"
Court also found that the purported "two track" process claimed by Clark Hill was unsupported by the record
Wengui v. Clark Hill: Key Take-Aways
Consider limiting report disclosure to the in-house counsel
Do not include recommendations for remediation
Consider conducting a two-track investigation and document that it is two-track
In re Rutter's Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (M.D. Pa. July 22, 2021)
Concerned a possible breach involving payment card information at the point-of-sale (POS) devices used by defendants
Rutter's hired outside counsel "to advise Rutter's on any potential notification obligations," who in turn hired a third-party security firm
Existence of report disclosed in 30(b)(6) deposition
No work product protection for report or related communications
SOW stated security firm's "purpose . . . was to determine whether data was compromised, and the scope of such compromise if it occurred"
In re Rutter's: Key Take-Aways
Be sure to adequately prepare a 30(b)(6) deponent
Reinforce the purpose of the litigation report
"The testimony provided by a corporate representative at a [Rule] 30(b)(6) deposition binds the corporation." Cipriani v. Dick's Sporting Goods, Inc., 2012 U.S. Dist. LEXIS 164721, at *3 (D. Conn. Nov. 19, 2012)
Preserving Privilege in Litigation
Be sure to follow best practices regarding investigatory work.
Segregate work product from non-work product
Who needs to know? Follow Kovel doctrine
Just as critically, take prudent steps to preserve the privilege once litigation is underway.
502(d) stipulation
Avoid waivers
Prepare deponents, especially 30(b)(6) deponents
Trends in Data Breach Litigation
Data Breach Litigation Trends
Increased Litigation, Even In Absence of Identity Theft/Actual Harm
Litigation Involving A Defendant's Failure To Maintain Reasonable Security
Other Trends In Data Breach Litigation
Increasing Litigation, Decreasing Harm
What is standing?
Constitutional requirement to bring suit
Plaintiffs must demonstrate that they (1) suffered an "injury in fact," (2) "caused by the defendant," which (3) "would likely be redressed by the requested judicial relief."
SCOTUS issued TransUnion LLC v. Ramirez in 2021
Only plaintiffs "concretely harmed" by a defendant's statutory violation (in this case, the FCRA) have standing to bring suit
The Standing Struggle
Post-Ramirez Standing Decisions
Some courts read "concrete injury" narrowly
Some courts read "concrete injury" broadly
Some courts avoid Ramirez altogether
Reconciliation?
In 2021, the U.S. Court of Appeals for the Second Circuit attempted to reconcile the "circuit split" with respect to standing in data breach cases
McMorris v. Carlos Lopez & Associates (2021)
In practice, it did not reconcile much
What Are Plaintiffs Actually Pleading?
Coming up with ever more creative theories of damages
Asserting state law claims and pleading around standing to avoid federal court
Basing claims solely on the disclosure of information/failure to maintain reasonable security procedures
Failure To Maintain Reasonable Security Procedures: California As Case Study
California Consumer Privacy Act ("CCPA")
Statutory liquidated damages ranging from $100-$750 per consumer, per incident
Modified by the California Privacy Rights Act
What is "reasonable security" under the CCPA?
In re: Hanna Andersson and Salesforce.com Data Breach Litigation, Case No. 3:20-cv-00812 (N.D. Cal.)
First CCPA settlement (late 2020)
What Does A Data Breach Defense Look Like?
Defendants must be as creative in defending as plaintiffs are in pleading
Representative experience
Questions