funsec mailing list archives

Bringing in the lawyers to keep data breach details privileged


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 15 Apr 2013 20:50:49 -0400

http://www.lexology.com/library/detail.aspx?g=7d9adc8e-7dac-47a1-b328-deb922117034

You may recall Eric’s recent post here, about whether big companies
have a legal and/or ethical requirement to report data breaches to the
SEC. As he concluded, you’re supposed to disclose “material” data
breaches, but the definition of the word “material” is left wide open.
Last week, a Wall Street Journal article and video highlighted a new
trend in breach disclosures – bringing in the lawyers. Nationwide
Insurance, which suffered a pretty substantial cybersecurity hit last
fall, has retained the services of a big law firm to investigate. Why?
As The Verge writes:

[Nationwide] has hired a legal firm to conduct an investigation of the
security breach, granting the results the protected secrecy of
attorney-client privilege… The new practice is being adopted by many
companies that have fallen victim to cyberattacks, leading some law
firms to begin specializing in this type of data-breach investigation.
Frequently, the legal counsel will contract a data security firm to
perform the actual analysis.

With the large number of affected customers, and the sensitive data
that is often compromised, it’s very possible that class action
lawsuits may arise from this kind of data breach. (We’ve talked about
online retailers, gaming networks, hospitals, universities, state
governments and banks all getting hacked, and we’ve only been
operating for a few months!) The higher the potential for lawsuits,
the more likely it is that a company’s – possibly flawed –
cybersecurity policies will be called into question, and discoverable.
So it’s easy to see the appeal of getting the lawyers to conduct an
investigation after the fact: all their findings will be kept under
the veil of privilege, and therefore not available to plaintiffs.

As discussed in the video, more and more law partners are now touting
their expertise as “cybersecurity” experts, and this area of law is
referred to as “the next big thing, business-wise”. We will doubtless
be covering this topic again as the trend continues to grow.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
