You may recall Eric’s recent post here, about whether big companies have a legal and/or ethical requirement to report data breaches to the SEC. As he concluded, you’re supposed to disclose “material” data breaches, but the definition of the word “material” is left wide open. Last week, a Wall Street Journal article and video highlighted a new trend in breach disclosures – bringing in the lawyers. Nationwide Insurance, which suffered a pretty substantial cybersecurity hit last fall, has retained the services of a big law firm to investigate. Why? As The Verge writes:
[Nationwide] has hired a legal firm to conduct an investigation of the security breach, granting the results the protected secrecy of attorney-client privilege… The new practice is being adopted by many companies that have fallen victim to cyberattacks, leading some law firms to begin specializing in this type of data-breach investigation. Frequently, the legal counsel will contract a data security firm to perform the actual analysis.
With the large number of affected customers, and the sensitive data that is often compromised, it’s very possible that class action lawsuits may arise from this kind of data breach. (We’ve talked about online retailers, gaming networks, hospitals, universities, state governments and banks all getting hacked, and we’ve only been operating for a few months!) The higher the potential for lawsuits, the more likely it is that a company’s (possibly flawed) cybersecurity policies will be called into question and be discoverable. So it’s easy to see the appeal of getting the lawyers to conduct an investigation after the fact: all their findings will be kept under the veil of privilege, and therefore not available to plaintiffs.
As discussed in the video, more and more law partners are now touting themselves as “cybersecurity” experts, and this area of law is referred to as “the next big thing, business-wise”. We will doubtless be covering this topic again as the trend continues to grow.