On June 25, 2020, the United States District Court for the Eastern District of Virginia upheld a Magistrate Judge’s order, compelling Capital One to produce the Mandiant Report at issue in the matter of In Re: Capital One Consumer Data Security Breach Litigation (See MDL No.1:19md2915).

The decision put to rest the month-long dispute over the discoverability of a forensic report prepared for Capital One Financial Corp. by cybersecurity firm Mandiant Inc., following a cyber-incident that exposed 106 million applicants’ sensitive data last year.  This development reaffirms several key lessons that we recently wrote about for companies experiencing cyber incidents.

The sole issue before the District Court was “whether the Report is entitled to work product protection.”  The Magistrate Judge had previously held that it was not.  In its objection, Capital One argued that the Magistrate Judge’s recommendation “erred as a matter of law” for three reasons: (1) it “applied the second prong of the [test articulated in RLI Insurance Co. v. Conseco, Inc. (the “RLI test”)] (whether the document would have been created in essentially the same form absent litigation) as part of the Fourth Circuit’s ‘driving force’ test”; (2) it “relied too heavily on the ‘pre-existing [statement of work (SOW)] with Mandiant to conclude that Mandiant would have performed essentially the same services as ‘described in the Letter Agreement’ with [outside counsel]”; and (3) it “relied on subsequent regulatory and business uses of the Report in determining that the Report is not entitled work product protection.”

Under the “because of” test applied in this case, a document will be protected as work product if it is shown to have been prepared “because of the prospect of litigation.”  A document that may be used for both litigation and business purposes is protected as work product only if litigation was “the driving force behind the preparation of” the document.  To determine whether litigation was the “driving force,” courts apply the two-prong RLI test, which asks: (1) whether the document at issue was created when litigation was “a real likelihood,” as opposed to being “merely a possibility”; and (2) “whether the document would have been created in essentially the same form in the absence of litigation.”  It was undisputed that there was “a real likelihood” of litigation following Capital One’s announcement of its data breach.  Thus, only the Magistrate Judge’s application of the second RLI prong was at issue.  In upholding the Magistrate Judge’s order, the District Court reaffirmed several key lessons for companies facing cyber incidents.

1. To shield a forensic report as work product, a company must demonstrate that the report would not have been created in essentially the same form absent litigation.  This burden is more difficult to meet where the company has a pre-existing relationship with the cybersecurity vendor that prepares the report.

First, Capital One argued that litigation is necessarily the “driving force” behind the preparation of a document “where, as here, the work product documents are created only after the prospect of litigation arises” and the documents are “created in anticipation of litigation.”  Therefore, Capital One argued, under these circumstances, the document must be protected and application of the second prong of the RLI test is improper.  The court found that this argument “ignores the substance of the test,” as the second prong “captures one of the core inquiries identified by the Fourth Circuit in [articulating the ‘driving force’ inquiry]: whether the work product would have otherwise been produced in the ordinary course of business.”  It was thus proper for the Magistrate Judge to apply both prongs of the RLI test.

Second, Capital One argued that, in any event, the Magistrate Judge had improperly applied the second RLI prong by giving “dispositive effect to the pre-existing SOW with Mandiant.”  Mandiant changed “the nature of its investigation, the scope of work, and its purpose” at the direction of outside counsel and in anticipation of litigation, so “Mandiant’s investigation and report would have been very different if Capital One had engaged Mandiant to investigate the Cyber Incident for business purposes.”  Capital One pointed to its separate internal investigation and report as further evidence that the Mandiant Report would not have been prepared in substantially similar form but for the prospect of litigation.  Again, the District Court disagreed.

The Magistrate Judge properly applied the second RLI prong to conclude that the Mandiant Report was not protected work product, the District Court held, given that the scope of services was identical under both the pre-existing SOW between Capital One and Mandiant and the Letter Agreement they entered into with outside counsel following the data breach.  Based on the record, “it would be unreasonable to think, given identical contractual obligations under the pre- and post-data breach SOWs, that had Mandiant not provided to Capital One through [outside counsel] all the information required under the SOW concerning the breach, it would not have provided that same ‘business critical’ information directly to Capital One in discharge of its obligations under the pre-data breach MSA and SOW.”  Capital One’s internal report did not change this conclusion, as there was no evidence “that this internal report reflects what Mandiant would have produced absent [outside counsel]’s involvement,” and Capital One did not “provide[] sufficient evidence to explain whether any parallel investigation by Mandiant would have been substantially different in substance than the counsel-led investigation at issue here.”

In sum, “after the data breach incident at issue in this action, Capital One then arranged to receive through [outside counsel] the information it already had contracted to receive directly from Mandiant.”  Because Capital One “failed to establish that the Report would not have been prepared in substantially similar form but for the prospect of that litigation,” the Magistrate Judge properly applied the second RLI prong to conclude that the Report was not protected as work product.

This analysis reaffirms the crucial need for companies to keep pre-litigation investigations completely separate from business incident response services.  The safest route is to avoid engaging the same cybersecurity firm for breach response and litigation-related investigations as for business-related services.  Given the difficulty of vetting and onboarding a new cybersecurity firm in the aftermath of a cyber-incident, it may be prudent for counsel to separately engage a second forensic firm with which the company has no pre-existing relationship to support any litigation-related investigations that may become necessary.  Either of these steps would allow the company to clearly demonstrate that it has separate reports for business and regulatory purposes, on the one hand, and litigation purposes, on the other.  If neither of these steps is feasible, however, and a company decides to use the same vendor for both business and litigation-related services, it is critical to detail the vendor’s litigation-related services in a separate SOW whose scope and purpose clearly differ from those of any preexisting SOWs.  The SOW and any related documentation must clearly establish that the purpose and scope of the work to be performed is in anticipation of litigation and will be conducted under the direction and control of counsel for the purpose of providing legal advice.

2. Disclosure of a forensic report to parties for non-litigation use may be considered evidence that the report was not initially produced “because of” litigation.

Finally, Capital One argued that the Magistrate Judge had erred in relying on the company’s “subsequent regulatory and business uses of the Report in determining that the Report is not entitled work product protection.”  The court pointed out, however, that “post-production disclosures are appropriately probative of the purposes for which the work product was initially produced.”  And the Magistrate Judge did not hold that Capital One’s subsequent disclosures of the Mandiant Report destroyed its work product protection; rather, the Magistrate Judge raised the issue “simply to underscore Capital One’s business needs for a Mandiant produced report.”  (Notably, while disclosure did not destroy work product protection in this case, the court expressly declined to reach plaintiffs’ alternative argument that Capital One had waived protection over the Report, since the court held that the Report was not protected in the first place.  Had the court held the Report to be protected, however, it is possible that Capital One’s disclosure of the Report might have jeopardized the Report’s protection in other respects.)

This reaffirms the importance of providing the full litigation-related report only to those who need it solely for litigation purposes and imposing clear controls on its use.  As a practical matter, companies can often create a separate and non-privileged report to be used for business and regulatory purposes.  Non-privileged reports should be distinct from the privileged forensic report (i.e., not a copy and paste) and should provide a summary of their findings rather than a detailed analysis.  Companies can further distinguish privileged forensic reports by paying for the reports and related services directly from their legal and/or litigation budgets and designating the expenses as legal.  At the very least, companies should avoid paying from their cyber organization’s budget and designating the cost as a ‘business critical expense’ – as initially recorded by Capital One.

If your company experiences a data breach, it is imperative to immediately retain outside counsel who understands the nuances of cybersecurity events, the regulatory and legal obligations flowing from the event, and the potential claims that may arise to carefully navigate the difficult privilege issues that arise almost immediately following a breach.  SPB attorneys are here to help.

As has been widely reported, a magistrate judge in the Eastern District of Virginia recently ordered Capital One to produce a forensic report prepared by the cybersecurity firm Mandiant, holding that the report was not protected as attorney work product despite having been prepared at the direction of outside counsel.  On June 9, 2020, Capital One filed an objection to that order, arguing that the magistrate judge misapplied the controlling law and improperly relied on Capital One’s dual use of the Mandiant Report for business-related purposes.  In support, Capital One submitted several attachments, including a declaration by its Vice President, Senior Associate General Counsel who provides legal counsel for Technology, Cyber, Enterprise Products and Platforms, and Brand divisions of Capital One, and leads the Intellectual Property advisory team.  While the dispute regarding the discoverability of this forensic report continues, it is a good time to step back and focus on the critical steps companies must take to protect privilege at the outset of a breach response.

Why is a privileged forensic report important?

A forensic report is normally prepared by a cybersecurity firm following a thorough investigation into the nature and scope of a company’s cyberattack.  The report will generally detail, among other things, the critical vulnerabilities in a company’s IT environment that enabled the cyberattack.  By way of example, the Capital One forensic report “detail[ed] the technical factors that allowed the criminal hacker to penetrate Capital One’s security.”  Often a report will identify areas in which a company’s IT defenses were not compliant with best practices, regulations and/or industry standards.

While these findings can help a company anticipate and defend against potential causes of action (e.g., negligence, breach of contract, breach of warranty, breach of fiduciary duty, false advertising, and unfair or deceptive trade practices) and mitigate risk, plaintiffs can also use this information as evidence to substantiate their claims. Therefore, plaintiffs, like those in Capital One, will seek to discover the report, while defendant companies will argue it is protected under the attorney work product doctrine.

What are the practical considerations going forward?

In determining whether a forensic report is privileged, courts will look to the totality of the circumstances.  While Capital One’s objection disputes the court’s legal and factual reasoning, this debate provides a few practical takeaways to help make abundantly clear that a forensic report was created in anticipation of litigation.

1. Ensure that your outside counsel retains a cybersecurity vendor with which you have no preexisting relationship.

A company should, if possible, ensure that its outside counsel engages a forensic firm with which the company has no preexisting relationship for incident response services.  Like Capital One, many companies enter into Master Service Agreements (MSA) and Statements of Work (SOW) with forensic firms to receive incident response services prior to a cyberattack as part of their cyber risk mitigation strategy.  Indeed, Capital One noted that “one purpose of the MSA and associated SOWs was to ensure that Capital One could quickly respond to a cybersecurity incident should one occur.”

To obtain attorney work product protection, a company has the burden of proving that a forensic firm’s work product was prepared “in anticipation of litigation.”  However, the ruling in Capital One suggests that, to truly anticipate litigation, the scope of the forensic services must be determined after a cyberattack.

The Capital One court found it “significant” that Capital One failed to “show[] that Mandiant’s scope of work under the Letter Agreement with outside counsel was any different than the scope of work for incident response services set forth in the existing SOW,” or “that the nature of the work Mandiant had agreed to perform changed when outside counsel was retained.”  Indeed, the court emphasized, “the statement of works and master services agreements provided for virtually identical services to be performed before and after the data breaches were discovered.”

In response, Capital One argues that the relevant issue is not “the nature of the work Mandiant could have done for Capital One under the pre-existing SOW,” but rather “the Report actually prepared by Mandiant under [outside counsel]’s direction.”  Here, the preexisting SOW “broadly outline[d] the general types of incident response services that might be needed,” leaving “the particular services” to be “determined on a case-by-case basis.”

Further, Capital One asserts that the services underlying the Mandiant Report were different from the services provided under preexisting SOWs for several reasons.  First, Capital One retained outside counsel to help the company prepare for anticipated litigation, who in turn hired Mandiant to draft the Report specifically “to inform and facilitate [outside counsel]’s investigation and advice.”  Further, unlike the work underlying the Report, “Mandiant did not do any incident response work for Capital One” for two years before the breach, during which time it “provided only training and consulting services.”  Finally, Capital One conducted separate “internal business investigations parallel to [the] protected investigations,” further distinguishing Mandiant’s “protected, legal work [from] Capital One’s ordinary-course, business investigation.”

As we await the District Court’s ruling, the magistrate’s order indicates that it may be prudent for companies to avoid engaging the same IT firm for litigation-related investigations as they rely on for business-related services.

2. Consider preemptively retaining a second cybersecurity firm for litigation-related investigations.

Following a data breach, it may be unfeasible to engage a cybersecurity firm with no preexisting relationship.  As Capital One points out, under these circumstances, companies are “under the gun to determine whether there has in fact been an intrusion, the scope of the intrusion, and whether any sensitive data was exfiltrated.”  Had Capital One’s outside counsel used a vendor with which the company had no relationship, “it would have taken weeks to months to approve a new vendor due to bank data security and regulatory obligations, as opposed to the hours or days a company has to effectively respond to a potential data breach.”

To address these competing exigencies (i.e., clearing the regulatory hurdles of providing a new vendor access to sensitive information and systems, quickly responding to a cyber incident, and demonstrating that certain cybersecurity services are provided in anticipation of litigation), it may be prudent for counsel to engage a second forensic firm with which the company has no preexisting relationship.  This can provide a more thorough litigation- and risk-mitigation-focused review to supplement the incident response efforts, and allow the company to demonstrate it has separate reports for business/regulatory and litigation purposes.  By separating the business incident response from the pre-litigation investigation, it is easier to demonstrate that the second forensic firm’s analysis fits clearly within the work product protections.

3. Change your approach to vendors with a preexisting relationship.

Depending on the circumstances, neither of the above measures may be possible (or desirable) in connection with a breach event.  If a company decides to use the same vendor for both business and litigation-related services, it is crucial to isolate the litigation-related services that the vendor provides and to detail them out in a separate SOW that makes clear how the scope and purpose of the litigation-related work differs from any preexisting SOWs.  The SOW should clarify, for example, that counsel is directing the work for the purpose of providing legal advice and guidance to the company in anticipation of litigation.  And the SOW should not include any unrelated work such as remediation that may be covered under preexisting SOWs.

4. Use the report only for litigation purposes, and limit its disclosure to necessary individuals.

A company should use the forensic report solely for litigation purposes, and should limit its distribution to only those who need it for these purposes.  Such individuals may include in-house counsel, the board of directors, and possibly a small group of cybersecurity employees who need to understand the full nature and scope of the attack and the vulnerabilities identified to assist counsel in the assessment of potential claims and defenses.  Clear direction needs to be provided to everyone who receives the report that it is privileged, confidential, and not to be further disseminated.  A company should not disclose a forensic report to third parties or to the team responsible for incident response.

Generally, materials prepared in the ordinary course of business or pursuant to regulatory requirements are not documents prepared in anticipation of litigation.  In Capital One’s case, the magistrate judge emphasized that about fifty employees, four regulators, an accounting firm, and the “corporate governance office general email box” received a copy of the forensic report.  “[N]o explanation [was] provided as to why each recipient was provided with a copy” or “whether disclosure was related to a business purpose or for the purpose of litigation.”  Further, “Capital One anticipated using the Mandiant Report in making certain disclosures required under the Sarbanes Oxley Act” and provided the report to an employee “for 2nd line business need.”  Capital One also “fail[ed] to address what, if any, restrictions were placed on those persons and entities who received a copy.”  In considering these factors, the court ultimately determined that Capital One used the report for “various business and regulatory purposes.”

In its recent objection, Capital One does not dispute that the Mandiant Report was used for purposes beyond litigation, but maintains that such dual use does not destroy the work product protection. “Regardless of whether Capital One had other, business reasons to investigate the Cyber Incident, those reasons arose from the same set of facts that created the threat of litigation and occasioned Mandiant’s investigation.” Similarly, Capital One argues that its disclosure of the Report “to a limited number of recipients” is immaterial. It disclosed the Report to governmental regulators “because it is obligated to do so.” It disclosed the Report to its auditor, Ernst & Young (EY), and outside counsel directed Mandiant to communicate with EY, “to confirm that the Cyber Incident did not impact the integrity of Capital One’s internal controls over financial reporting.” It disclosed the Report to a “small number of employees” on a need-to-know basis, and distribution was “‘tightly controlled,’ ‘monitored,’ and ‘logg[ed]’ by Capital One’s Senior Associate General Counsel.” And it used the Report to make Sarbanes-Oxley disclosures for the “distinctly legal purpose” of “minimiz[ing] the risk of regulatory action and litigation.”

No matter the final decision, the safest course of action is to provide the full report only to those who need it solely for litigation purposes and provide clear controls on its use.  As a practical matter, companies can often create a separate and non-privileged report to be used for business and regulatory purposes.  Non-privileged reports should be distinct from the privileged forensic report (i.e., not a copy and paste) and should provide a summary of their findings rather than a detailed analysis.

5. Pay for litigation-related cybersecurity services from your litigation or legal budget.

A company should pay for incident response services out of its litigation or legal budget to show that a forensic firm’s services were provided in anticipation of litigation, as opposed to a business expense.  Capital One paid for Mandiant’s services under the Letter Agreement from the preexisting SOW retainer until the retainer was exhausted and from its Cyber organization’s budget thereafter.  Capital One designated the fees as a “Business Critical” expense and not a “Legal” expense.  After the cyberattack, Capital One reclassified the expenses associated with Mandiant’s work on the data breach as legal expenses and deducted them from its legal department’s budget.  The court was not persuaded, finding that “the retainer paid to Mandiant was considered a business-critical expense and not a legal expense at the time it was paid.”  In considering this factor, the court ultimately determined that Capital One had requested the Report for various business purposes.

In response, Capital One points out that the company had classified the retainers paid to Mandiant before the data breach as “business critical” expenses rather than “legal” expenses, because regulations require the company to have a plan in place for cybersecurity incident response.  The expenses related to the Report were designated as “discovery and investigation costs related to the Cyber Incident” during the “routine year-end accounting reconciliation” process, and were accordingly paid from the company’s legal budget.

Irrespective of how the Court resolves this dispute, companies should pay close attention to how they pay and account for cybersecurity and incident response services to clearly differentiate business and legal functions.  When appropriate, retainers or similar payments should be allocated to a legal function and accounting entries should be written to demonstrate the legal purpose of the work to be undertaken.  In any event, before incurring the expenses, companies should consider designating the costs of incident response services to their legal budgets to show that such services are provided in anticipation of litigation.

Conclusion

If your company experiences a data breach, it is imperative to immediately retain outside counsel who understands the nuances of cybersecurity events, the regulatory and legal obligations flowing from the event, and the potential claims that may arise to carefully navigate the difficult privilege issues that arise almost immediately following a breach.  CPW is here to help.

The world of digital marketing has grown exponentially in the last two decades.  In fact, it was estimated that in 2020, despite the global pandemic, approximately $332.84 billion would be spent on digital advertising worldwide.[1]  Not surprisingly, sophisticated algorithms (such as real-time bidding and programmatic ad buying) have been built in recent years to master the science of digital marketing and customer segmentation, aka target marketing.  While none of the current U.S. privacy laws explicitly prohibit target marketing based on electronically obtained consumer data, this space is getting overpopulated, and over-regulated, and the landscape is changing.  And so we ask the obvious question: can target marketing withstand the emerging privacy regulations?  Our answer is probably, with certain notable caveats.

Target marketing is an old but powerful marketing strategy.[2]  It used to involve breaking consumers into defined segments where each segment shared some similar characteristic, such as gender, age, buying power, demographics, income, or a combination of a few shared characteristics, and then designing marketing campaigns based on the shared characteristic(s).  Approaches have changed with the passing of time.  Nowadays, target marketing has been narrowed to the point of defining every individual consumer or household, and designing marketing campaigns for each individual consumer or household.  Target marketing is often the key marketing tool used to attract new business, increase sales, or strengthen brand loyalty.[3]  Despite its success, with the massive amount of consumer data now being used to target consumers, and the emerging data privacy laws and regulations, marketers have to tread carefully to avoid getting themselves in (legal) hot water.

How do marketers access consumer data?  And why is it potentially problematic?

Let’s first address consumer data.  Marketers can acquire data by themselves (aka “first party data”).  This includes data from behaviors, actions or interests demonstrated across website(s) or app(s), as well as data stored in a business’ customer relationship management system (“CRM”).[4]  By contrast, “second party data” or “third party data” is data acquired from another source.  It could be someone else’s first party data, or it could be data collected by outside sources that are not the original collectors of the data.[5]

The most common method for obtaining consumer data (first, second or third party) over the internet has been through cookies stored on our digital devices.[6]  (For a recent litigation involving the use of cookies in the context of kids’ privacy rights see this prior post).  Cookies are used to track the activities of devices as users visit particular web pages, allowing advertisers to build profiles of a device’s online activities; these profiles can then be used to create targeted advertising tailored to the user of that device.[7]

Marketers are also able to obtain data through social media platforms.  Most of us using social media are aware of the personal information we submit before we create our accounts.  This information may include some personally “identifiable” information, such as our name, address, date of birth, etc., but there is other personal information which is not considered “identifiable”, such as our gender, age, postal code, etc.  Marketers can then partner with social media platforms to create marketing campaigns based on consumer segments created through each individual’s personal information.  Ever wonder why your husband is not seeing ads for women’s shoes, or why you are receiving ads for products or services you have not shopped for but may be interested in?  It is target marketing.  (And of course, as CPW has covered, data can also be harvested from social media platforms through scraping).

So what?  Well, until recently (with a few notable exceptions such as the Fair Credit Reporting Act (“FCRA”)) laws regulating companies selling or acquiring consumer data were sparse and preceded the advent of new technologies.  Compare Trans Union LLC v. FTC, 536 U.S. 915, 917 (2002) (stating that “the FCRA permits prescreening—the disclosure of consumer reports for target marketing for credit and insurance. . . .”) with FTC I, 81 F.3d 228 (D.C. Cir. 1996) (holding that selling consumer reports for target marketing violates the FCRA).

In many respects, corporations were thus able to use consumer data to create complex marketing campaigns.  This practice recently came up in the context of the Capital One data breach.  See, e.g., In re Capital One Consumer Data Sec. Breach Litig., 2020 U.S. Dist. LEXIS 175304, at *28 (E.D. Va. Sep. 18, 2020) (discussing plaintiffs’ allegation that “Capital One created a massive concentration of [personally identifiable information], a ‘data lake,’ in which Capital One ‘mines [customers’] data for purposes of product development, targeted solicitation for new products, and target marketing of new partners—all in an effort to boost its profits.”).

The tide is starting to change.  With the emergence of more recent data privacy laws, such as the California Privacy Rights Act of 2020 (“CPRA”), the California Consumer Privacy Act of 2018 (“CCPA”) and the General Data Protection Regulation (“GDPR”), “covered entities” can no longer use personal information carte blanche for advertising purposes.  However, it bears noting that the statutory definition of personal information remains much narrower than what one might assume.  CCPA, for example, defines personal information as: “…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…”  California Consumer Privacy Act of 2018 §1798.140.(o)(1).

Thus, information about one’s gender and income, without more, would not fall under this definition.  Are consumers comfortable having this information used without their consent?  Do they even have a choice?  It depends.  Although common law tort principles, such as invasion of privacy, embarrassment or emotional distress, may allow some legal remedies, case law is sparse and, for obvious reasons, has trended towards permitting corporate use of such data.  See, e.g., Bradley v. T-Mobile US, Inc., 2020 U.S. Dist. LEXIS 44102 (N.D. Cal. Mar. 13, 2020) (rejecting claim that use of consumer data, including age, for target marketing concerning online job postings constituted age discrimination and violated various federal and state laws).

At least insofar as California is concerned, there have been some interesting developments concerning target marketing of late.  This is because under CCPA, some businesses engaged in target marketing interpreted “sales” as excluding the exchange of personal information, such as cookie data, for targeting and serving advertising to users across different platforms.  This approach was on the purported basis that no “sales” (as defined in the statute) were involved because no exchange for “valuable consideration” had occurred.  The CPRA, which was approved by California voters in November, utilizes the concept of “sharing” and seemingly eliminates this potential loophole (although that doesn’t mean there won’t be future litigation regarding this issue).

The concept of “data clean rooms” has also (re)surfaced to bypass the issues related to sharing customer data.  Data clean rooms allow companies, or divisions of a single company, to bring data together for joint analysis under defined guidelines and restrictions that keep the data secure.[8]  Whether a clean room contains PII or anonymized data, data privacy practices are critical.  If the anonymized data can be deanonymized (tied back to actual people through creative analytics), that would make the data subject to most privacy laws (and definitely the GDPR).

What does the future look like for digital advertising?  With the spike in US state regulations relating to consumers’ online privacy, such as the CPRA, the Nevada Senate Bill 220 Online Privacy Law (2019), and the Maine Act to Protect the Privacy of Online Consumer Information (2019)[9], it remains fluid.  There have also been changes in cybersecurity, data security and data breach notification laws (although we will table discussion of the specifics of that for another day).  The bottom line is that marketers now not only have to pay extra attention to each state’s regulation before obtaining and/or processing consumer information, they also have to pay extra attention to the consent obtained.  The free rein to use unlimited consumer data to create complex algorithms for the optimal marketing campaign is slowly coming to a halt.

To mitigate litigation risk, entities in the marketing industry will have to take a jurisdiction-specific approach that accounts for recent developments.  And as the scope of these new laws and regulations is tested via litigation, CPW will be there every step of the way.  Stay tuned.

[1] https://www.emarketer.com/content/global-digital-ad-spending-update-q2-2020

[2] https://www.acrwebsite.org/volumes/8572/volumes/v29/NA-29

[3] https://www.thebalancesmb.com/target-marketing-2948355

[4] https://www.lotame.com/1st-party-2nd-party-3rd-party-data-what-does-it-all-mean/#:~:text=First%20party%20data%20is%20the,you%20have%20in%20your%20CRM

[5] Ibid.

[6] Swire, Peter and Kennedy-Mayo, DeBrae, “U.S. Private-Sector Privacy,” Third Edition, p. 130

[7] Ibid.

[8] https://www.snowflake.com/blog/distributed-data-clean-rooms-powered-by-snowflake/

[9] https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html

2020 has been a year for the record books, and the area of data breach litigation is no exception.   Several key developments, when considered individually or in conjunction, will likely make breach litigation a top of mind data privacy issue going into the next year.  So fasten your seatbelts and read on as CPW recaps what you need to know going into 2021.

Overview of Industries Impacted by Data Breach Litigation in 2020

What industries were impacted by data breach litigations in 2020?  The short answer: all of them.

Despite the widespread adoption of cybersecurity policies and procedures by organizations to safeguard their proprietary information and the personal information of their clients, consumers, and employees, data breaches are all too common.  CPW has covered previously how “[t]echnical cybersecurity safeguards, such as patching, are obviously critical to an effective cybersecurity program.  However, many of the most common vulnerabilities can be addressed without complex technical solutions.”  Top five practical recommendations to reduce cyber risk can be reviewed here.

In fact, the number of data breaches in 2020 was more than double that of 2019, with industries that were frequent targets including government, healthcare, retail and technology.  In this instance, correlation equals causation—as more and more companies experienced crippling security breaches, the number of data breach litigations is also on the rise.

What Has Changed with Data Breach Litigations in 2020?

Besides increasing in frequency, the considerations implicated by data breach litigation have also grown increasingly complex.  This is due to several factors.

First, plaintiffs bringing data breach litigations have continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there are exceptions).  The reason for this boils down to the fact that while nearly every state has a data breach statute, many do not include a private right of action and are enforced by the state attorneys general.  Hence plaintiffs’ reliance on common law and tort-based theories.  Insofar as statutory causes of action are concerned, the California Consumer Privacy Act (“CCPA”) has only been on the books since the start of this year, but has emerged as a focal point for data breach litigations (be sure to check out our CCPA Year-in-Review coverage).  The first CCPA class action settlement was announced last month and will likely serve as a benchmark going forward (keep a close eye on organizations agreeing to adopt increased security and data privacy controls, as has been done on the regulatory front).

Second, there was a monumental development in the spring that sent shockwaves through the data breach defense bar.  A federal judge ordered production of a forensic report prepared by a cybersecurity firm in the wake of the Capital One data breach.  The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel.  [Note: A forensic report is usually prepared by a cybersecurity firm following a thorough investigation into a company’s cyberattack.  The report will address, among other areas, any vulnerabilities in a company’s IT environment that enabled the cyberattack.  Obviously, while these findings can help a company defend itself in subsequent litigation and mitigate risk, the utility of the forensic report can cut both ways.  Plaintiffs can also use this information to substantiate their claims.]  This ruling reaffirmed several key lessons for companies facing cyber incidents.  This includes that to shield a forensic report as work product, a company must demonstrate that the report would not have been created in essentially the same form absent litigation.  Notably, this burden is more difficult to meet where the company has a pre-existing relationship with the cybersecurity vendor that prepares the report.

And third, as seen from a high profile case earlier this year, the legal fallout from a data breach can extend to company executives.  A company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.  Although an outlier, it is a significant reminder for companies and executives to take data breach disclosure obligations seriously—notwithstanding the murkiness in the law regarding when these obligations arise.

What Changed With Standing in Data Breach Cases in 2020?

Experienced litigators may be familiar with the classic requirements for standing, but even the most experienced of them are not likely familiar with standing as it applies to data breach litigation.  The reason for this discrepancy is simple:  although standing case law can be generally straightforward, this case law has not caught up to the unique challenges posed by data breaches.  This, when combined with the absence of national-level legislation for data privacy, has created a hodgepodge of circuit splits and differing interpretations.

As you will recall, Article III standing consists of three elements:  (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) the injury must be fairly traceable to the defendant’s act; and (3) it must be “likely” that a favorable decision will compensate or otherwise rectify the injury.

When a data breach occurs, the penultimate standing question is whether the theft of data may, by itself, constitute a sufficient injury.  Is there an injury when leaked personal information is not copied or used to facilitate fraud or another crime?  Should an injury occur when only certain types of personal information, such as Social Security numbers, are leaked, or may the disclosure of other types of information, such as credit card numbers or addresses, be sufficient for injury?  These questions are the heart of data breach litigation, and 2020 brought us a few notable cases that are worth reflecting on at this time of the year.

Given the absence of uniform causes of action in data breach litigation, plaintiffs often employ a number of strategies when drafting their complaints.  One strategy has been to allege a negligence cause of action.  This year, this strategy drew increased attention when Wawa, a convenience store chain, moved to dismiss a class action lawsuit filed against it by a group of credit unions regarding an alleged data breach.  In In Re: Wawa Inc. Data Security Litigation, No. 2:19-cv-06019 (E.D. Pa.), a group of credit unions alleged that a convenience store chain’s failure to abide by the PCI DSS–the payment card industry’s data security standards–should be the standard of care for determining a negligence claim.  In opposition, the plaintiffs argued that Wawa had an independent and common law duty to use reasonable care to safeguard the data used by credit and debit cards for payments.  The parties held oral argument in November and a decision remains pending.  Our previous coverage provides more information.

While some commentators have reported a trend this year towards viewing standing in data privacy cases to be more permissive towards plaintiffs, at least one court this year paused this trend.  In Blahous v. Sarrell Regional Dental Center for Public Health, Inc., No. 2:19-cv-00798 (N.D. Ala.), a group of patients filed suit against a dental provider due to an alleged data breach.  After conducting an investigation, the defendant determined that there was no evidence that any breached files were copied, downloaded, or otherwise removed.  This factual finding was included in the notice that the defendant sent to its patients.

The court rejected the plaintiff’s argument and granted the defendant’s motion to dismiss.  Crucial to the court’s opinion was that there were no allegations that suggested any disclosure of the acquired data, “such as an actual review by a third party,” had occurred.  The court stated “the fact that the [b]reach occurred cannot in and of itself be enough, in the absence of any imminent or likely misuse of protected data, to provide Plaintiffs with standing to sue.”  The court looked to the notice of the data breach and observed “[t]he [n]otice upon whose basis the Plaintiffs sue, included as exhibits to their own pleading, denies that any personal information was copied, downloaded, or removed from the network, despite Plaintiffs’ mistaken belief to the contrary.”

Perhaps the biggest takeaway of Blahous is that the disclosure of a patient’s Social Security number and health treatment information was not sufficient for standing.  This was contrary to other decisions where the absence of a Social Security number in a data breach specifically led a court to conclude there was no injury.  See Antman v. Uber Technologies, No. 3:15-cv-01175 (N.D. Cal.) (allegations are not sufficient when the complaint alleged “only the theft of names and driver’s licenses. Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”).

Another case highlighted the current circuit split concerning injury in data breaches.  In Hartigan v. Macy’s, No. 1:20-cv-10551 (D. Mass.), a Macy’s customer filed a class action lawsuit after his personal information was leaked due to a breach through Macy’s online shopping platform.  The court granted Macy’s motion to dismiss, giving three reasons for its holding:  (1) the plaintiff did not allege fraudulent use or attempted use of his personal information to commit identity theft; (2) the stolen information “was not highly sensitive or immutable like social security numbers”; and (3) immediately cancelling a disclosed credit card can eliminate the risk of future fraud.

Hartigan has at least two takeaways.  First, the change brought by Blahous may be an anomaly.  In Blahous, the court found no standing when a Social Security number was disclosed.  The Hartigan court, however, specifically stated that the absence of any disclosed Social Security numbers was a reason why the plaintiff did not suffer an injury.  Although issued later in the year, the Hartigan court did not cite Blahous or any opinion from within the Eleventh Circuit.

Second, Hartigan highlighted the current circuit split regarding standing in data breach cases.  The court’s analysis was based on First Circuit precedent that was issued prior to the Supreme Court’s decision in Clapper.  The court then looked to six other circuits for guidance.  It cited opinions in the D.C. and Ninth Circuits that suggested the disclosure of “sensitive personal information,” like Social Security numbers, creates a substantial risk of an injury.  It then looked to opinions from the Fourth, Seventh, and Ninth Circuits that suggested post-theft criminal activity created an injury.  Finally, it noted that the Third, Fourth, and Eighth Circuits found no standing in the absence of criminal activity allegations, even when Social Security numbers were disclosed.

Finally, no year-in-review would be complete without additional discussion of the CCPA (including in the area of standing).  At least one notable standing opinion highlights what may be to come.  In Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), a Pennsylvania resident filed suit against an operator of drug and alcohol rehabilitation treatment centers regarding an alleged data breach.  A significant issue was whether the plaintiff, a Pennsylvania resident that stayed in one of the defendant’s California facilities for one month, may be a “consumer” under the CCPA for standing purposes.

The defendant seized on the plaintiff’s residency issues for its motion to compel arbitration, or, in the alternative, to dismiss.  The defendant argued that the plaintiff’s one-month stay at a California treatment facility did not make him a “consumer.”  The CCPA defines a “consumer” as “a natural person who is a California resident,” as defined by California regulations.  Cal. Civ. Code § 1798.150(h).  That part of the California Code of Regulations includes in its definition of “resident”:  (1) individuals who are in California for other than a temporary or transitory purpose; or (2) individuals domiciled in California who are outside the state for a temporary or transitory purpose.

Unfortunately, the court did not evaluate this issue because the parties voluntarily dismissed the suit prior to a decision.

Trends in 2021

The nation’s political landscape and the pending circuit split will likely fuel developments in 2021.

With a new Congress arriving shortly, most eyes are watching to see whether the 117th Congress will finally bring about comprehensive federal data privacy legislation.  Of the previously introduced federal legislation, one point of difference has been whether there should be a private cause of action.  The CCPA, which permits private causes of action for California residents, may be one source of influence.  Should federal legislation recognize a private cause of action, cases like Fuentes may foreshadow a standing argument to come.

The change of administration will also likely influence data privacy trends.  The Vice President-Elect’s prior experience with data privacy issues may place her on-point for any federal action.  When she was Attorney General of California, the Vice President-Elect had an active interest in data privacy issues.  In January 2013, her office oversaw the creation of the Privacy Enforcement and Protection Unit of the California Attorney General’s Office, which was created to enforce laws related to data breaches, identity theft, and cyber privacy.  The Vice President-Elect also secured several settlements with large companies, some of which required the creation of specific privacy-focused offices within settling companies, such as a chief privacy officer (mirroring recent trends discussed above).

2021 may also be the year of the Supreme Court.  In recent years, the Supreme Court has denied several cert petitions in cases involving data breaches.  2021, however, may be the year when we see the nation’s highest court decide who has standing in a data breach and when an injury occurs.  Several high-profile data privacy cases have increased the public’s attention to data issues, such as the recent creation of two MDLs.  Additionally, the circuit split referenced in Hartigan may be coming to a head.  Finally, the implementation of the CCPA and possibility of federal legislation may make this the year of data privacy.

CPW will be there to cover these developments, as they occur.  Stay tuned.

Lots of Eyes are Looking to the FCRA Lately, So Let’s Get to Know it Together.

What is the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq.?

Often regarded as one of the first privacy statutes in the US, the FCRA is a federal statute that regulates the use of personal