Investigating & Preserving Evidence in Data Security Incidents
www.ScottandScottllp.com
Robert J. Scott
Scott & Scott, LLP
214-999-2902
© 2007 Scott&Scott, LLP
Potential Legal Implications of a Data Breach
º Federal and State Statutory and Regulatory Issues
• HIPAA Privacy and Security Rules
• GLBA Safeguards Rules
• Data breach notification laws
• Data protection and destruction laws
º Civil Liability
• Unfair Trade Practice Claims
• Negligence
• Breach of Contract
• Unlawful Trade Practices
º Examples of pending, past, and potential cases
• TJX
• Radio Shack
• BJ’s Wholesale Club
• Choice Point
• DSW
• Monster
Business Impacts of Data Breach
[Bar Chart 9: Percentage difference between companies that experienced a breach and companies that did not experience a breach. Categories: Encryption; Devices are properly cleaned; Legal counsel; Data leak prevention; Training and awareness; Data inventory. Series: Had breach; Did not have breach.]
Evidentiary Risks in the Investigation of a Data Breach?
º Discovery of a network security incident investigation creates significant risk management concerns
º Attorney client privilege can be lost by involving third parties
º Internal investigations or investigations by outside IT professionals alone could be discoverable under the work product privilege
º Internal investigations by in-house counsel must avoid problems associated with dual business and legal roles under the primary purpose test
Using Attorney-Client Privilege to Protect the Investigation
º Attorney-client privilege protects communications between an attorney and the attorney’s client
º Communication must be confidential and made for the purpose of obtaining legal advice from the attorney
º Communications regarding investigation of data breach facts are protected by privilege
º Privilege held by the client, not by the lawyer
º Supreme Court’s subject matter test
º Less protection may be afforded to in-house counsel because of dual roles
Using the Work-Product Privilege to Protect the Investigation
º FRCP 26(b)(3) protects work-product from discovery
º Opinion work-product consists of mental impressions, opinions, conclusions, or legal theories of an attorney or other representative of a party
º Ordinary work-product, including raw factual information, consists of preparation materials that do not disclose opinions or impressions
º Ordinary work-product discoverable on showing a substantial need and inability to obtain the substantial equivalent by some other means
º The primary purpose test for anticipation of litigation
º Documents created for a business purpose are not protected even when the information developed may be helpful in legal proceedings
State Breach Notification Laws
Statutory Notification Obligations
º 39 states and the District of Columbia have data breach and/or identity theft statutory schemes, and recently enacted federal statutes may apply
º All the statutes have been enacted in the last few years, with little or no case law interpreting them
º Interpretations must be based upon “good faith” and should involve review of legislative history and contain appropriate disclaimers regarding deference to regulatory agencies’ interpretation
The Problem of Over Reporting
[Bar Chart 5: Immediate response to data breach. Categories: Prompt notification by letter; Assessed harm to victims; Offer credit monitoring services; Prompt notification by telephone.]
Attorney-Client Privilege and Advice Regarding Statutory and Regulatory Notice Obligations
º Attorney-client privilege should protect advice given by an attorney when assessing whether a company is required to give notice in each state where it does business, where a potential loss of data may have occurred, or under federal law
º Attorney-client privilege should protect advice regarding how notice is required to be given, when notice should be given, the form notice should take, and what the contents of any notice should be
º Privilege is important to shield this decision-making process from discovery in subsequent litigation where plaintiffs may allege claims based on inadequate notice
Preserving and Collecting Evidence
º Ethical obligation of an attorney to avoid having the client get into a spoliation situation
• Litigants have an obligation to preserve relevant evidence
• Spoliation applies to electronic information as well as other documents
• Adverse inference instruction may be granted even where party did not intentionally destroy the evidence
Ethical Implications of Discovery Obligations in Data Breach Civil Litigation
º Duty to supplement disclosures and discovery responses under FRCP 26(e)
º New e-discovery rules
• Attorney with IT personnel on discovery team can make certain all information is collected and reviewed
º Potential problems resulting from incomplete compliance with obligations
• Sanctions under the rules
• Client’s litigation position could be affected by failure to comply with discovery obligations
Contact Information
Robert J. Scott
Scott & Scott, LLP
2200 Ross Avenue, Suite 5000E
Dallas, Texas 75201
Phone: 214-999-2902
Fax: 214-999-0333