Cybersecurity consultants could be on the hook for data breaches at companies they contract with after two recent court rulings in consumer class actions.
The cases raise questions about whether a consultant’s work should be considered fair game for class action lawyers gathering evidence on a cyber incident to try to hold the consulting firms responsible for fallout from breaches. The rulings also have implications for what lawyers defending companies can do to protect such information.
“Class action lawyers now have a playbook,” said John Reed Stark, a former Securities and Exchange Commission internet enforcement official who runs his own cyber-consulting business.
Stark said the Capital One decision is concerning to cyber consultants because the forensic reports they write can provide “a vivid trail for liability.”
The Accenture ruling could also impact the relationship between cyber consultants and the companies they contract with, he said. Consultants and companies might be more careful about how contracts for cyber projects are written.
“It will impact the way these consulting firms do business with clients when they feel like they’ll get brought in as defendants,” Stark said. “They’re used to coming in as witnesses.”
Accenture was accused of negligence as cybersecurity consultant to Marriott after a hack of the hotel chain’s Starwood database exposed data on up to 500 million guests from 2014 to 2018. Accenture must face consumer claims over the hack, a judge in the U.S. District Court for the District of Maryland ruled.
The consumers sufficiently made their case that harms from the hack, such as fraudulent credit card charges, were “traceable” to Accenture, according to the judge’s decision. The consulting firm was responsible for outlining and implementing Starwood’s cyber policies before the breach.
Capital One, meanwhile, faces a class action over a cloud hack that exposed the data of about 100 million people in the U.S. Consumers suing the bank sought a copy of a post-hack report by FireEye Inc.'s Mandiant.
Capital One’s lawyers tried to shield the cyber report by claiming an attorney work product privilege that protects documents prepared in anticipation of a suit.
A judge in the U.S. District Court for the Eastern District of Virginia granted access to the report, with a ruling that hinged on the long-standing consulting relationship between Capital One and Mandiant.
“That’s a huge deal in my world,” said Linn Freedman, a partner at Robinson & Cole LLP who focuses on data privacy and security law.
Lawyers defending companies usually hire a consulting firm to perform forensics on a cyber incident to decide whether it should be reported as a breach. Courts have generally considered such work protected under the work product privilege, starting with a 2017 decision in a lawsuit over a data breach at Experian Plc, Freedman said.
The “deciding factor” in the Capital One case was that Mandiant had already been hired by the company, she said.
Mandiant and Accenture declined to comment.
Having two cyber consulting firms on standby—one for incident response and one for routine work—could help companies more effectively argue that post-breach work should be covered under the attorney work product protection, said Erik Weinick, an attorney at Otterbourg P.C. in New York.
Companies should try to minimize disclosure by keeping investigations within the scope of the breach, said Steve Stransky, vice chair of privacy and cybersecurity at Thompson Hine LLP in Cleveland.
“What I’ve seen is that cybersecurity firms are there to promote their services and add future recommendations,” he said. “My recommendation is to just omit it completely and have them focus on immediately the facts of the case.”
Paying post-breach consultants from a company’s legal budget as opposed to the general ledger can also further the argument that it’s not a routine business expense but rather preparation for litigation.
A statutory protection for certain cybersecurity work could compel companies to review their security without worrying about it falling into opposing counsel’s hands, according to Matt Hamilton, a partner at Troutman Pepper in Philadelphia.
“The last thing you want to do is disincentivize good cybersecurity practices,” he said.