By: Drew Sorrell
Let us assume a company has done all the right things. Preemptive security was a concern, so the company tightened up its written cybersecurity controls and associated technical controls, including policies and procedures, endpoint detection and response, and training. Breach was a concern, so the company drafted its data breach response plan. Moreover, the company preemptively identified (and possibly retained?) a technical specialist to respond on short notice in case of emergency, along with a cyber attorney to provide advice and a critical communications specialist to talk the talk. Additionally, the company obtained appropriate cyber insurance to cover the likely breach scenarios and even understands its coverages (which may include the cost of the professionals identified).
But as these things happen, the company still suffered a breach (it wouldn’t be much of an article if nothing happened!). In investigating the matter, the CEO texted the CIO. The CIO then texted the systems engineer, who proceeded to text the forensics specialist. Given the inherently casual nature of text messages and the stress of the situation, word choice was not necessarily what you would want your mother to read, nor was it crafted artfully enough to satisfy a lawyer. Suffice it to say, the CEO was convinced that someone in IT was not only negligent, but grossly so (“Otherwise, this would never have happened!”), and made his feelings known via text.
Also, regrettably, the systems engineer left a voicemail for a friend and coworker which was automatically transcribed and emailed to the coworker via the firm’s third-party email archiving system. This time, the systems engineer recounted his recent interaction with the CIO and provided to his friend and coworker a frank assessment of the CIO’s unilinear family tree and severe lack of educational accomplishment, finishing the message with a suggestion that the CIO attempt an improbable physical act with himself. Adding to it all, the systems engineer explained to his coworker that if the CEO had only approved the previously requested updated firewall budget, this whole breach would never have happened.
Finally, in a fit of creative inspiration, the crisis communicator transmitted draft versions of the attorney’s edits to various incident-related public communications to a coworker for his use with a different client. The documents were actually quite helpful in the other incident for the company’s other client.
On top of all that, the company’s forensics investigation revealed that Carl in the Accounting Department had picked up a thumb drive he found in the parking lot and plugged it in to see whom it belonged to. Notably, this exact issue is something that the company trains its employees not to do. Somewhat luckily, the company’s technical software prevented the ransomware from spreading beyond the local workstation; however, Carl, in his infinite wisdom, had stored certain employee data on his workstation desktop. As a result, the personal information of 500 employees was lost to the cyber criminals.
The employees, of course, were “unhappy” to learn of this breach and have brought a class action against the company. The employees’ (plaintiffs’) attorney served discovery and is seeking (1) the text messages, (2) the voicemail, and (3) the communications of the persons who were working on the incident. The company’s hired defense attorney is tasked with responding to prevent this from happening. Three questions immediately arise: (1) whether the scope of discovery permits this request; (2) whether privilege protects any of the requested materials; and (3) the real question of whether the company is liable at all.
The short answer to the first question of whether discovery permits the plaintiffs’ attorney to seek and obtain the discovery is “yes.” Discovery in Florida state and federal courts permits a party to seek and obtain all information that is reasonably calculated to lead to the discovery of admissible evidence. Consequently, the requested information itself need not be admissible. Rather, it only must be “reasonably calculated” to lead to such evidence (even if it does not actually succeed).
Considering that the CEO’s text string and the systems engineer’s voicemail/email are both directly relevant to whether the company was negligent (both are likely so-called “admissions against interest” or “statements of a party opponent”), they are obtainable in discovery if not outright admissible at trial. The emails of the crisis communicator to her coworker forwarding the cyber attorney’s edits to the crisis communications drafts are also likely discoverable, but not so clearly, because what the edits would reveal is not explained.
The second question asks if the texts, voicemail and emails can be protected by a claim of privilege. While there are numerous privileges, in this context we will focus on the attorney-client communications privilege and the attorney work product privilege. To the extent any of the three is actually a communication with an attorney for the purpose of seeking legal advice, the attorney-client communication privilege would apply to protect the materials. Note, however, that merely copying an attorney as an “FYI” does not usually trigger the privilege. The second common privilege is the attorney work product privilege, which serves to protect not only information the attorney himself or herself creates, but also information and materials that the client(s) collects for the attorney at the attorney’s behest (or, for the communications privilege to apply, in order to seek legal advice). Thus, while we would want more information, the CEO’s text string “may” be protected. The systems engineer’s voicemail is likely not protected, as it has nothing to do with the legal issues of the matter. Further, the crisis communicator’s forwarding of the drafts containing materials that are clearly “attorney work product” served to destroy that privilege, because the privilege is lost if the work product or communication is shared with an unrelated third party for a purpose not related to furthering the matter.
So, what does this all mean? The soft underbelly of any breach response is the communications that ensue. The most disciplined and technically sophisticated response can be torpedoed if the various parties fail to consider their communications discipline. Accordingly, when you engage in your tabletop exercise to discuss and practice breach response, it would be a good idea to discuss how and what you are going to communicate.
And finally, what about the ultimate question of liability? As a defense attorney, I suggest that a company that takes security seriously, does all the right things, teaches its employees, follows its written policies and the like, is not per se negligent simply because a breach happens. In this case, Carl in Accounting ignored his training and specifically engaged in an act that the company trained against. This breach is defensible, but a lot more challenging to defend if the CEO suggests negligence “must have” occurred to permit the breach. Likewise, in this case, the systems engineer’s email suggesting “it was a budget issue” also makes the defense of the case more difficult but, ultimately, should be a red herring because the breach is unrelated to any firewall budget issue. Finally, any loss of attorney-related privilege gives rise to attorney-ulcers and is overall distracting, even if not ultimately damaging.
As my mother says, “Please choose your words wisely.” And, as my father used to say, “Your words, they can always be used against you.”