CYBER CORNER

DATA BREACH INVESTIGATION REPORTS MAY NOT ALWAYS BE PRIVILEGED

Andrew Leonard et al. v. McMenamins Inc., Case No. C22-0094-KKE (W.D. Wash. Dec. 6, 2023).

In a recent decision, a federal court in Washington state ordered a hospitality chain (“the Company”) to turn over an investigation report created in response to a ransomware attack (“the attack”). The court ruled that the information in the investigation report did not qualify as protected material under the attorney-client privilege or work-product doctrines. In deciding whether the report was privileged, the court considered whether such a report would have been prepared in a substantially similar fashion absent the impending data breach litigation.

The Company suffered a ransomware event that resulted in the breach of personally identifiable information for current and former employees (“the employees”), who then filed a class action suit against the Company. In response to the attack, the Company hired outside counsel. Outside counsel then retained a cybersecurity service vendor (“the Vendor”) to “provide consulting and technical services.” During litigation, the employees sought access to the investigative report prepared by the Vendor and filed a motion for the Company to release all documentation related to the breach.

In response to this motion, the court ruled in favor of the employees and ordered the Company to turn over the investigative report and all related documents. The extent of privilege over cybersecurity consultant reports has been an ongoing issue in data breach litigation. Here, the court held that several factors should be considered in determining privilege, including whether the report would have been created in a substantially similar manner absent the anticipation of litigation.

Further, the court reasoned that for a document to fall under attorney-client privilege or the work-product doctrines, it must be related to legal advice. The court determined that the Vendor had provided a “business service” to the Company. Thus, the court held that simply copying an attorney onto an email containing relevant reports and documents does not automatically make it privileged.

CREDENTIAL STUFFING LEADS TO DIRECT AND INDIRECT DATA BREACHES

One of the leading DNA registries in the country (the “Site”) is facing a flurry of class action lawsuits stemming from a massive data breach in which hackers compromised around 14,000 user accounts using credential stuffing. Credential stuffing is defined as brute-forcing into accounts with passwords that were known to be associated with the targeted customers. The credential stuffing technique used by the hackers not only breached 14,000 user accounts but also resulted in the indirect compromise of an additional 6.9 million users who had opted into the Site’s “DNA Relatives” feature (“Feature”). The Feature allowed users to automatically share their personal data with other users who were considered their relatives on the Site. As a result, nearly half of the Site’s customer base was compromised and had personal information leaked, despite not being directly targeted.

In response to this massive breach, the Site attempted to shift blame onto its customers, stating that its users had “negligently recycled and failed to update their passwords following these past security incidents.” The Site further alleged that any personal data that may have been compromised was not the result of the Site’s failure to maintain security measures. Attorneys for the affected customers countered, arguing that the Site should have implemented available safeguards to protect against credential stuffing, including requiring that multifactor authentication be enabled for all the Site’s users. This authentication feature was optional prior to the breach.

The aftermath of the data breach sheds light on potential steps a business may take to protect itself from credential stuffing and other forms of hacking. Specifically, a business can employ a Managed Detection and Response solution to identify any suspicious activity on its network as well as monitor the dark web for possible stolen data. Had the Site required multifactor authentication for its users and deployed a system to identify and respond to potential suspicious activity, it would likely not be facing nearly thirty class action suits from customers who were directly and indirectly hacked using credential stuffing.