Pay Attention to the Court’s Ruling in Capital One’s Case
This could mean HUGE changes to corporate cybersecurity decisions…
In 2019, Capital One had one of the biggest data breaches in recent history. A former employee managed to gain access to over 100 MILLION customer accounts and credit card applications, as well as:
- 140,000 social security numbers
- 80,000 bank account numbers
- An undisclosed number of names, credit scores, addresses, and other sensitive details
How did it happen? Well, the individual managed to hack into a server. The company reportedly expected to incur approximately $100 million to $150 million in costs resulting from the hack, including credit monitoring, tech costs, customer notifications, and of course, legal support afterwards.
A look at the court’s ruling in this interesting case…
In May, 2020, a federal judge ruled that the bank must provide an incident report to litigants. This incident report, from its cybersecurity forensic firm, must showcase the details surrounding the data breach and their investigation. Basically, the report will provide in-depth details to a group of customers that are suing the bank.
These details will make all technical and procedural failures evident to the litigants – showing exactly how a single individual was able to collect a TON of sensitive information from a large bank with $28 billion in revenue. Typically, attorney-client privilege allows organizations to keep their incident response reports private, and in turn, avoid any costly legal measures against them.
Why does this matter?
The ruling is unusual in the world of corporate cybersecurity law. In particular, the ruling highlights the importance of carefully setting up relationships with outside security firms. Norma Krayem, Vice President and Chair of the Cybersecurity, Privacy, and Innovation Practice at Van Scoyoc Associates, expressed…
“This type of directive from the judge could strike fear in the hearts of every company that’s ever hired a vendor to understand and improve their cyber posture.”
Basically, companies could be exposed to greater public scrutiny, and as a result, significant reputational damage due to their security programs. It’s vital for organizations of all types and sizes to be prepared to provide evidence of a robust third-party risk management program in place – one that focuses on monitoring for risks throughout their environment and supply chain.
In this case, the court found that the determinative issue was “whether the [incident response firm’s] report would have been prepared in substantially similar form but for the prospect of that litigation.” Ultimately, “the fact that the investigation was done at the direction of outside counsel and the results were initially provided to outside counsel” did not satisfy the “but for” formulation.
It was decided that the bank failed to present “sufficient evidence to show that the incident response services would not have been done in substantially similar form even if there was no prospect of litigation.”
How should you approach cybersecurity going forward?
Our biggest recommendation? Make sure you’re continuously monitoring for risks via a robust risk management program. You should be working with a technology support partner that’s capable of implementing a multi-layered cybersecurity solution that incorporates a range of tools:
- Anti-virus software
- Multi-factor authentication
- DNS filtering
- Spam filtering
- And more
Your technology support partner should be able to help you determine any legal obligations that may arise from an incident as part of their incident response planning.
Do you need help protecting against hackers?
If this court ruling makes you a bit uncomfortable, you’re not alone. We’ve had quite a few business executives reach out because they’re feeling uncertain about their cyber posture – and we don’t blame them. In a day and age where cybercrime is more rampant than ever and it’s possible you’d have to provide an incident response report in the event of a data breach, it’s better to be safe than sorry. Get in touch with us…