Editor’s Note: Organizations that rely on secrecy to handle breaches of their cyber defenses may run afoul of the federal cybersecurity policies detailed in a growing number of regulatory and guidance documents. A more sophisticated approach is needed: minimize disclosure obligations by proactively managing cyber-risks.
From: The Wall Street Journal
When Nationwide Mutual Insurance Co. discovered in October that a hacker had breached its systems and stolen personal details of roughly one million people, it put the internal probe in the hands of a law firm, rather than one of the forensic investigators typically retained for such incidents.
The insurer hired Boston-based Ropes & Gray LLP in part because the law firm could offer something a forensic firm couldn’t: attorney-client privilege and the secrecy it confers.
As data breaches and cybercrime become a bigger concern for companies, law firms are touting that secrecy in their efforts to win business. Law firms also help companies navigate the patchwork of federal and state laws governing public disclosures of data breaches.
The moves come as the Securities and Exchange Commission is pressing companies to be more forthcoming about attacks on their computer networks, and 47 states have enacted data-breach notification laws.
Heightened regulatory scrutiny and the risk of litigation following data breaches are driving the need for confidentiality, says Ropes & Gray partner Doug Meal, who is heading Nationwide’s investigation.
Within weeks of Nationwide’s disclosure that the records had been stolen, the Federal Bureau of Investigation was investigating the breach and regulators in several states were investigating the company, Nationwide said. Plaintiffs have filed lawsuits seeking class-action status in Kansas and Ohio federal courts, alleging that the insurer failed to safeguard their personal information properly.
The company says it hired Ropes & Gray to provide counsel on the data breach but declines to comment further, citing continuing litigation.
Some investigators agree that attorney-client privilege comes in handy.
Mike Dubose, the head of Kroll Advisory Solutions’ cyberinvestigations practice, says Kroll advises its clients to hire a lawyer first and then have the lawyer hire Kroll. While a forensics firm such as Kroll can detect malware, scour network-access logs or understand the modus operandi of a foreign hacking group, if Kroll is contracted directly by the company rather than by an outside lawyer, that work is unlikely to be protected by attorney-client privilege, he says.
“Every network we have seen has substantial room for improvement,” Mr. Dubose says. “What a company does not want is its investigation or due diligence, undertaken with the best of intentions, to be used against it in litigation.”
Heartland Payment Systems Inc. turned to Ropes & Gray when the credit-card processor’s data was breached in 2009. The New Jersey company was contractually obligated to undergo forensic investigations initiated by card providers, including MasterCard Inc. and Visa Inc.
But Charles Kallenbach, Heartland’s general counsel, says the company also wanted to conduct its own investigation to make sure the outside probes didn’t blame his company unfairly. Heartland also didn’t want those results disclosed to outside parties, he says.
“When you’re up against class-action foes and plaintiffs’ attorneys, there’s a need to keep that information private,” Mr. Kallenbach says.
From 2008 through last year, hackers accessed 681 million records, and the number of publicly disclosed data breaches rose 40% over the last two years, according to a study by accounting firm KPMG. The typical data breach costs a company $5.5 million in operating expenses and lost business, according to a 2011 report by the Ponemon Institute, a security research firm.