Data Management and Security
Security Incident Procedures: Legal Holds in Response to Data Breaches
By Daniel M. Braude, Cinthia Motley, and Melissa K. Ventrone
Perhaps there is no better way to begin an article related to cyber risk than with the admittedly clichéd attention grabber: “There are only two types of companies: those that have been hacked, and those that will be.” Since spoken by then-FBI Director Robert Mueller in March 2012, this refrain has evolved. As noted in a March 2015 opinion by District Judge John E. Jones III of the Middle District of Pennsylvania, the only two types of companies are “those that have been hacked and those that don’t know they’ve been hacked.” For those in the latter category, ignorance is bliss, at least in the short term. Sooner or later those companies will find themselves facing a host of difficult decisions, including whether there exists a litigation-related duty to preserve potentially relevant evidence, including electronically stored information (“ESI”).
In the immediate wake of a confirmed security incident, an organization’s efforts must be focused on containment, remediation, notification obligations, reputational damage, and other long-term repercussions. Subsequent efforts may require some documentation of the incident in connection with a potential investigation. Although preservation for this purpose may be narrow in scope, broad preservation efforts may be appropriate in certain instances. For that reason, an organization’s data breach response efforts may, depending on the circumstances, involve the issuance of a broad legal hold in connection with the duty to preserve and for defending against a possible spoliation claim in the event of litigation.
The vast majority of data breaches do not result in litigation. See Romanosky, S., Hoffman, D. A., & Acquisti, A., Empirical Analysis of Data Breach Litigation, 11 Journal of Empirical Legal Studies (2014). Then how, as an organization proceeds through the lifecycle of a security incident, can an organization determine whether it must comply with the litigation-related duty to preserve potentially relevant evidence? Regardless of whether a litigation-related duty to preserve evidence arises, an organization should take immediate steps to preserve electronic evidence to avoid the loss of key information, such as file creation dates, security logs, or other information that would enable the organization to narrow down the scope of the event. While there may be practical reasons to preserve this type of information, the duty to do so in anticipation of litigation is not quite as clear.
Automatically issuing a broad legal hold simply because a security incident occurred could unnecessarily burden organizations and their IT departments, which are properly focused on responding to the incident. Fortunately, the mere fact that a data security incident occurred, standing alone, does not automatically trigger the litigation-related duty to preserve. Rather, this duty is triggered only when there is also reasonable anticipation of litigation or an investigation as a result of the breach.
This determination is highly fact-sensitive. In the context of a data security incident, organizations should consider the nature of the breach, number of records at issue, relevant jurisdictions, underlying laws, whether the duty to notify impacted individuals has been triggered, plus numerous other factors. The legal hold decision is straightforward as to certain large-scale and highly publicized incidents. But what about smaller-scale breaches? While no single factor is dispositive, a close review of certain factors in the immediate aftermath of a breach will guide organizations and their counsel as to whether there is a reasonable anticipation of litigation or investigation such that a legal hold should be issued.
Daniel M. Braude is a partner in Wilson Elser’s New York Metro offices. Mr. Braude is co-chair of the firm’s e-discovery practice and a member of its Product Liability, Commercial Litigation and Data Privacy & Security practice teams. His practice focuses on complex litigation involving product liability and commercial disputes. Cinthia Motley is a partner in Sedgwick, LLP’s Chicago office. Ms. Motley focuses her practice on complex commercial litigation, ERISA, e-discovery, and cyber liability matters, as well as advising U.S. and international clients on data privacy and security risks. Melissa Ventrone is a partner in Wilson Elser’s Chicago office and chair of the firm’s national Data Privacy & Security practice. Ms. Ventrone’s practice focuses on class action privacy litigation, privacy breach response, and advising clients in identifying, evaluating, and managing first- and third-party data privacy and security risks.

In-House Defense Quarterly, Summer 2015. © 2015 DRI. All rights reserved.
Anatomy of a Breach Response
Security incidents present in a variety of forms, including physical theft or loss of equipment that stores data, attacks to obtain access to IT systems, acts of malicious insiders, and even the mere failure to properly safeguard information. Regardless of an incident’s nature, the risk to an entity is the disclosure of personally identifiable information (PII) belonging to customers, employees, business partners, students or patients, or other confidential data such as trade secrets, intellectual property, or other sensitive corporate information.
When faced with a security incident, an entity must move swiftly. In short order, an entity responding to such an incident must:
• Trigger its incident response team, including identifying the appropriate members of the team depending on the scale of the suspected event;
• Conduct an investigation to identify how the security incident occurred and determine if it does in fact constitute a data breach;
• Contain the breach and conduct remedial activities to minimize the possibility of subsequent incidents;
• Identify the type of information exposed;
• Determine and comply with internal and external notification and reporting requirements, such as those related to regulatory agencies, consumers, patients, business partners, vendors, or employees and board members.
A growing trend among regulators is to inquire as to the steps and procedures used by entities in determining the scope of a breach and specifically the number of affected individuals. Likewise, the filing of civil lawsuits related to breaches has increased in recent years. For these reasons, defensibility of process concerns mandate that an entity take appropriate steps to gather evidence with regard to analyzing the cause and extent of a security incident. Besides merely following an incident response plan, entities should, in appropriate circumstances, document their breach response efforts and preserve such documentation with regard to post-incident actions and the results of the ensuing investigation. But where litigation or an investigation can be reasonably anticipated, entities may be obligated to preserve much more.
The Duty to Preserve
More than a decade has passed since a series of opinions in Zubulake v. UBS Warburg LLC, et al., 02-cv-01243 (S.D.N.Y.) helped usher in a new era of litigation by adding a duty of active supervision to the litigation-related obligation to preserve potentially relevant evidence, including electronically stored information. Although the duty to preserve has long been firmly rooted in common law, Zubulake and a multitude of subsequent judicial opinions leave no doubt that a litigant is susceptible to a challenge to its preservation efforts and perhaps spoliation sanctions for failing to implement an appropriate legal hold process. Today, spoliation sanctions are no longer associated primarily with willful or intentional destruction of data. Rather, litigants are expected to take certain affirmative steps to preserve evidence, including ESI, once litigation or an investigation can be reasonably anticipated.
Appropriate efforts to preserve may include:
• Issuing a formal written legal hold;
• Confirming ESI locations and key players;
• Conducting interviews with document custodians and IT personnel;
• Suspending routine deletion practices;
• Monitoring employee compliance with the hold;
• Amending and reissuing the hold as additional information is obtained.
Litigants and potential litigants are best advised to actively supervise the preservation process to enhance defensibility of process and minimize the risk and severity of sanctions. As a result, where a duty to preserve does exist, the mere issuance of a hold is typically considered far from sufficient. But of course, before reaching this point there must be a triggering event. The Sedona Conference explains that “[a] reasonable anticipation of litigation arises when an organization is on notice of a credible probability that it will become involved in litigation, seriously contemplates initiating litigation, or when it takes specific actions to commence litigation.” The Sedona Conference, Commentary on Legal Holds (2010).
To put it mildly, “reasonable anticipation” and “credible probability” are not particularly well-defined terms. Certain events will almost always trigger a duty to preserve, such as the occurrence of an incident causing significant injury or property damage, receipt of a claim letter seeking damages, an internal determination to initiate a lawsuit or, most obviously, the receipt of an actual lawsuit. On the other hand, it is not so straightforward whether the occurrence of an incident causing no actual damage—or minor or moderate damages—triggers the duty. Further analysis will often be required, and the ultimate determination may hinge on the past experience of the organization and the industry as a whole. Expanding that concept to the context of a data security incident, it becomes necessary to consider a host of factors that are likely to weigh on whether or not litigation will follow a breach.
Determining Whether There Exists a Reasonable Anticipation of Litigation
Anthem, Home Depot, and Sony. Rattle off the names of these companies to the average person on the street and the term “data breach” may very well come to mind. But determining whether or not there is a reasonable anticipation of litigation is not as simple as playing word-association games. Highly publicized security incidents involving tens of millions of records will almost certainly result in at least some litigation. The sheer volume and scope of such incidents renders it nearly impossible to defensibly avoid issuing a broad legal hold and embarking upon document preservation efforts. Fortunately, the typical data breach does not fit this description.
While most data breaches do not result in litigation, determining whether litigation can be anticipated requires a fact-sensitive analysis. In its simplest terms, is the breach at issue more akin to a routine fender bender or a four-car pile-up resulting in multiple fatalities and life-altering injuries? A wide range of factors specific to the nature of data breaches must be considered, in addition to the type of exposed information, notification requirements, and potential statutory damages, among numerous other factors.
Scope and Breadth of Breach
The most obvious factor in determining whether litigation can be reasonably anticipated is the scope and breadth of the breach. Incidents involving millions of records will almost certainly result in at least some litigation or regulatory investigation. However, this analysis is not as easy where a breach is minimal in scope. As a result, this narrow factor is far from determinative.

Notification Requirement
The scope of a breach may have little bearing on a company’s obligation to notify impacted individuals and offer identity theft protection. A breach of the Health Insurance Portability and Accountability Act (HIPAA) through disclosure of protected health information (PHI) triggers a reporting duty to the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services (HHS) pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act regardless of the number of affected individuals. For breaches impacting 500 or more individuals, not only is notification required, but the entity will most likely find itself listed on OCR’s “Wall of Shame.”

Where a breach must be reported to regulators, there may exist a duty to preserve at least basic response documentation in instances where it is foreseeable that the regulator may seek information on the steps taken to contain the breach, remedial measures taken, the types and number of records affected, and so on. When notification to a large number of affected individuals is also required, and public awareness of the breach is increased, the analysis begins leaning in the direction of broader preservation efforts. But of course, predicting the likelihood of such individuals filing a lawsuit may also require a consideration of the type of data exposed.
Sensitivity of Exposed or Stolen Information
The nature and sensitivity of exposed or stolen data, coupled with a significant number of records, may play a role in whether affected individuals will bring litigation, and whether the incident will draw significant scrutiny from regulators. Exposure of dates of birth, Social Security numbers, driver’s license numbers, and passport numbers may give rise to identity theft concerns. Similarly, a breach of a significant number of payment cards resulting from the “skimming” of these cards may result in class action litigation. In addition, an entity responsible for a widespread exposure of PHI should not be surprised when a lawsuit is filed when a jurisdiction provides for statutory penalties where such a breach occurs.
Nature of Breach
The manner in which data is exposed may also provide a suggestion as to whether litigation or a significant investigation is likely to ensue. Security incidents deriving from the accidental temporary publication of sensitive data to a website stand in stark contrast to a deliberate attack and infiltration of a network. As to the latter, the use of criminal means and the presumed existence of a criminal motive suggest that exposed data may be used for a nefarious purpose, potentially increasing the likelihood of litigation.
The determination of whether there is a reasonable anticipation of litigation is highly fact-sensitive and should turn on consideration of the above factors along with the nature of potential litigation and the past experience of the organization and the industry as a whole. Regardless of an entity’s initial determination as to whether the litigation-related preservation obligation has been triggered, the entity should continue to monitor the situation. A preservation analysis two months following a security incident, after additional information has been obtained, may indicate that a radically different approach to preservation is required. But even where litigation appears unlikely, an entity should follow the procedures outlined in its incident response plan for documenting its response to an event. Such documentation may be relevant to any potential ensuing investigation regardless of whether litigation actually follows. Additionally, in the event of a subsequent breach, regulators may seek information about how an entity responded to a prior incident.
Scope of Preservation
Once a determination is made that litigation can be reasonably anticipated, what’s next? As a starting point, a formal, written legal hold must be issued. After that, there is no clear path to follow. Pursuant to preservation best practices, counsel should conduct interviews with document custodians and IT personnel to identify ESI locations and confirm that routine deletion practices have been suspended. But this will not necessarily provide guidance as to the appropriate scope of preservation.
A shareholder derivative suit targeting directors and officers arising out of the widespread exposure of PHI will place at issue categories of ESI that may not be implicated in a lawsuit by customers asserting a risk of identity theft, employment discrimination claims by employees subject to an adverse employment action following a breach, or even a potential lawsuit against a contractor or third-party IT provider. Companies should analyze different categories and locations of ESI separately since broad preservation may be unwarranted.
An analysis as to categories and locations should consider the following:
• Proper forensic imaging of potentially compromised systems. In addition, steps should be taken to ensure that a chain of custody of these efforts is properly handled and documented. If an organization determines that its systems need to be investigated, efforts should be taken at the outset (perhaps even before a determination as to potential litigation is made) to obtain proper forensic images of the relevant devices. Entities may want to consider retaining a third-party computer security expert to assist with the process.
• Preservation of information related to efforts taken to prevent a security incident. This includes information relating to the state of IT systems in prior relevant years, policies and procedures, and reports and/or findings related to the entity’s information security.
• Preservation of investigations or reports of prior security incidents or breaches, if any.
• Communications (including email) relating to third-party IT contractors. Because entities are increasingly outsourcing management of their IT systems, it is important to take into account information held by third-party vendors that is relevant to the entity’s information security. In addition, contracts, statements of work, and information related to technology services provided to the impacted entity may be relevant.
• Preservation of documents related to budgeting, financing, cost expenditures or forecasting, and materials otherwise related to the company’s investment in its IT security.
• Active Directory server logs may be particularly relevant where there are indications of unauthorized access to a system.
• Preservation of communications (including email) concerning the breach, as decisions and steps taken by an entity may be questioned later on. These include board of director meeting minutes and correspondence, privacy officer correspondence and materials, post-breach correspondence and documentation, and correspondence and materials for IT, HR, and management.

As with any other type of litigation, notions of reasonableness and proportionality must govern a company’s preservation efforts as related to a data breach, and may weigh in favor of a greater reliance on preservation-in-place versus actual document collection. While there is an inherent risk in limiting the scope of preservation, it is difficult to justify extensive and broad-based preservation efforts where a breach involved exposure of relatively minimal data or the nature of the data is unlikely to result in either statutory damages or damages to the data subjects at issue.

During the containment phase immediately following notice of a security incident, an organization may find itself without a clear answer to whether it can reasonably anticipate litigation or an investigation. Such instances may warrant issuance of a legal hold, but the scope of preservation may appropriately be limited to certain high-value or ephemeral data, at least initially. Doing so will enable an organization to avoid unnecessarily costly and disruptive preservation efforts.

Conclusion
For good reason, the litigation-related duty to preserve potentially relevant evidence is not an organization’s first concern immediately following notice of a security incident. But once appropriate steps have been taken to contain the incident, the organization must turn its attention to longer-term concerns.

The mere fact that a data breach has occurred does not automatically create a reasonable anticipation of litigation because the majority of data breaches do not result in litigation. However, the duty to preserve potentially relevant evidence cannot be dismissed. Following a security incident, organizations must consider the nature of the breach and the type of exposed information, among other factors, to determine whether, and to what extent, the duty to preserve has been triggered. Only then can an organization make a timely and informed decision as to issuing a legal hold and implementing a plan to appropriately preserve potentially relevant evidence.

For companies making the difficult transition from “those that don’t know they’ve been hacked” to “those that have been hacked,” internal resources will be spread thin. Immediate efforts upon becoming aware of a breach should focus on containing and responding to the security incident. At the same time, companies cannot lose sight of potential long-term repercussions, including those related to litigation. While it is impossible to prevent a litigation adversary from second-guessing preservation efforts, early consideration of preservation and the implementation of a measured and reasonable approach to this duty serve to greatly enhance defensibility of process and reduce the potential for claims of spoliation in the event of litigation.