Successfully Defending Software Audits


Transcript

Investigating & Preserving Evidence in Data Security Incidents
Robert J. Scott
Scott & Scott, LLP
214-999-2902
www.ScottandScottllp.com
Potential Legal Implications of a Data Breach

• Federal and State Statutory and Regulatory Issues
    • HIPAA Privacy and Security Rules
    • GLBA Safeguards Rules
    • Data breach notification laws
    • Data protection and destruction laws
• Civil Liability
    • Unfair Trade Practice Claims
    • Negligence
    • Breach of Contract
    • Unlawful Trade Practices
• Examples of pending, past, and potential cases
    • TJX
    • Radio Shack
    • BJ’s Wholesale Club
    • Choice Point
    • DSW
    • Monster

© 2007 Scott&Scott, LLP
Business Impacts of Data Breach

[Bar Chart 9: Percentage difference between companies that experienced a breach and companies that did not experience a breach. Series: Had breach / Did not have breach. Categories: Encryption; Devices are properly cleaned; Legal counsel; Data leak prevention; Training and awareness; Data inventory.]
Evidentiary Risks in the Investigation of a Data Breach?

• Discovery of a network security incident investigation creates significant risk management concerns
• Attorney-client privilege can be lost by involving third parties
• Internal investigations or investigations by outside IT professionals alone could be discoverable under the work product privilege
• Internal investigations by in-house counsel must avoid problems associated with dual business and legal roles under the primary purpose test
Using Attorney-Client Privilege to Protect the Investigation

• Attorney-client privilege protects communications between an attorney and the attorney’s client
• Communication must be confidential and made for the purpose of obtaining legal advice from the attorney
• Communications regarding investigation of data breach facts are protected by privilege
• Privilege is held by the client, not by the lawyer
• Supreme Court’s subject matter test
• Less protection may be afforded to in-house counsel because of dual roles
Using the Work-Product Privilege to Protect the Investigation

• FRCP 26(b)(3) protects work-product from discovery
• Opinion work-product consists of mental impressions, opinions, conclusions, or legal theories of an attorney or other representative of a party
• Ordinary work-product, including raw factual information, consists of preparation materials that do not disclose opinions or impressions
• Ordinary work-product is discoverable on a showing of substantial need and inability to obtain the substantial equivalent by some other means
• The primary purpose test for anticipation of litigation
• Documents created for a business purpose are not protected even when the information developed may be helpful in legal proceedings
State Breach Notification Laws
Statutory Notification Obligations

• 39 states and the District of Columbia have data breach and/or identity theft statutory schemes, and recently enacted federal statutes may apply
• All the statutes have been enacted in the last few years, with little or no case law interpreting them
• Interpretations must be based upon “good faith” and should involve review of legislative history and contain appropriate disclaimers regarding deference to regulatory agencies’ interpretation
The Problem of Over Reporting

[Bar Chart 5: Immediate response to data breach. Categories: Prompt notification by letter; Assessed harm to victims; Offer credit monitoring services; Prompt notification by telephone.]
Attorney-Client Privilege and Advice Regarding Statutory and Regulatory Notice Obligations

• Attorney-client privilege should protect advice given by an attorney when assessing whether a company is required to give notice in each state where it does business, where a potential loss of data may have occurred, or under federal law
• Attorney-client privilege should protect advice regarding how notice is required to be given, when notice should be given, the form notice should take, and what the contents of any notice should be
• Privilege is important to shield this decision-making process from discovery in subsequent litigation where plaintiffs may allege claims based on inadequate notice
Preserving and Collecting Evidence

• Ethical obligation of an attorney to avoid having the client get into a spoliation situation
    • Litigants have an obligation to preserve relevant evidence
    • Spoliation applies to electronic information as well as other documents
    • Adverse inference instruction may be granted even where the party did not intentionally destroy the evidence
Ethical Implications of Discovery Obligations in Data Breach Civil Litigation

• Duty to supplement disclosures and discovery responses under FRCP 26(e)
• New e-discovery rules
    • Attorney with IT personnel on discovery team can make certain all information is collected and reviewed
• Potential problems resulting from incomplete compliance with obligations
    • Sanctions under the rules
    • Client’s litigation position could be affected by failure to comply with discovery obligations
Contact Information
Robert J. Scott
Scott & Scott, LLP
2200 Ross Avenue, Suite 5000E
Dallas, Texas 75201
Phone: 214-999-2902
Fax: 214-999-0333
[email protected]