Why Cybersecurity Matters in High-Stakes Litigation
Preserve, preserve, preserve … but what about protect?
April 13, 2018 at 10:00 AM
8 minute read
You're a skilled general counsel embroiled in high stakes litigation, perhaps even a “bet the company” case. You've dotted your i's and crossed your t's, all in preparation for the ensuing battle. You've issued appropriate litigation hold letters, you've backed-up case-critical electronically stored information (ESI), you've taken steps to ensure that potentially relevant ESI is preserved, and that nothing is modified, deleted or “rolls off the system” without you knowing about it first. You go to sleep believing that you've taken all reasonable steps to preserve the data that may one day be necessary for your lawsuit.
The next morning you wake up to an email from your IT department stating that a data breach has occurred, that the company is investigating the extent of the breach, and that more details will follow. You first think about your own files, hoping that nothing has been lost; but then your attention inevitably shifts to the lawsuit and all the data that you worked hard to preserve: What if any of the data has been compromised or, worse yet, lost? Can the company be blamed for a failure to preserve? Could this actually cause us to lose the case?
Whether used for marketing, analytics or research—or for other more nefarious purposes—data is the modern-day gold, and we're in the midst of a gold rush. As technology evolves at an ever-faster pace—and data becomes increasingly valuable—ransomware and cyberattacks will continue to be on the rise. This article addresses some of the potential impacts of a data breach on pending litigation, and whether cybersecurity checks should become just as much a part of a company's data preservation plan as the now-routine litigation hold letters.
Data is Gold
Data is the gold that drives many high stakes litigation matters. When a party reasonably believes that future litigation is foreseeable, its “duty to preserve” is triggered. David's Bridal v. House of Brides, 2009 WL 10690590, *2 (D. N.J. 2009) (citing Kronisch v. United States, 150 F.3d 112, 126 (2d Cir.1998)) (the duty to preserve arises “when a party should have known that the evidence may be relevant to future litigation.”). “While a litigant is under no duty to keep or retain every document in its possession, even in advance of litigation, it is under a duty to preserve what it knows, or reasonably should know, will likely be requested in reasonably foreseeable litigation.” Scott v. IBM Corp., 196 F.R.D. 233, 249 (D. N.J. 2000). But what exactly does the duty to “preserve” entail?
We know that at a minimum the duty to preserve includes: (i) notifying custodians of potentially relevant ESI regarding their preservation obligations; (ii) stopping the routine purging of potentially relevant ESI; and (iii) suspending document retention/destruction policies that could compromise potentially relevant ESI. State Nat'l Ins. Co. v. County of Camden, 2011 WL 13257149, *3 (D. N.J. 2011) (collecting cases). Because potentially relevant ESI is not necessarily collected when the duty to preserve is triggered, a party's handling of the non-collected ESI can become important. While the ESI that has been collected—whether imaged and backed up or collected by an eDiscovery vendor—should be deemed to be safe if handled correctly, it is the ESI that is not collected but rather “preserved” by the litigant itself that keeps some litigators up at night because its handling can impact the course of any litigation.
The Duty to Preserve is not Boundless, but it Does Include a Duty to 'Safeguard'
“The scope of the duty to preserve data is not boundless. A party 'need do only what is reasonable under the circumstances.'” Van De Wiele v. Acme Supermarkets, 2015 WL 4508376 *3 (D. N.J. 2015). The recently amended Rule 37(e) recognizes that “reasonable steps” to preserve suffice; it does not call for “perfection.” Fed. R. Civ. P. 37(e) Advisory Committee's notes to 2015 amendment. And, what is “reasonable” is a fact question to be determined on a case-by-case basis. Friedman v. Philadelphia Parking Authority, 2016 WL 6247470 *7 (E.D. Pa. 2016).
Likewise, not all parties are created equal when it comes to evaluating their preservation efforts. Case law and authorities teach us that courts should be sensitive to factors such as a party's sophistication and financial resources in determining whether that party acted “reasonably.” Friedman, at *7; Fed. R. Civ. P. 37(e) Advisory Committee's notes to 2015 amendment. So when it comes to cybersecurity measures, a sophisticated, global company accustomed to regularly handling confidential information may be held to a different standard than a small local company that never touches sensitive data.
In the past, litigants often preserved their data via “backup drives”—physical tapes or external hard drives stored in locked fireproof rooms or off-site at storage facilities safely protected and away from thieves and hackers. Now, the term “backup drive” more often than not refers to a live database such as a cloud based or other live storage medium. Why does this matter? Because, as the seminal case of Zubulake taught us, the failure to “safeguard” backup tapes can result in sanctions for spoliation of evidence. Zubulake v. UBS Warburg, 229 F.R.D. 422, 424 (S.D.N.Y. 2004).
This begs the question—should a litigant ask how its data is not just being “preserved” but how is it being “safeguarded”? If a litigant stores its physical “backup drive” in an unlocked common area desk drawer where thefts have been known to occur rather than under lock and key, that litigant may not find much sympathy from the court when it explains that the backup drive was stolen. The same could be said for data stored in the cloud with no security measures in place after repeated cyberattacks. In the end, data that is either unsecured or under-secured could be open season to anyone from a common thief to a sophisticated hacker looking to strike gold.
Cyberattack: A Superseding Cause?
The duty to preserve is flexible. A litigant is not the absolute guarantor of the safety of its data, and will not be held culpable when the loss of information occurs “by events outside the party's control,” including through a “malign software attack.” FRCP 37, Adv. Comm. Notes. That is because Rule 37(e) “is inapplicable when the loss of information occurs despite the party's reasonable steps to preserve.” Id. “Courts, however, may … assess the extent to which a party knew of and protected against such risks.” Id. (Emphasis added.) So, as contemplated by the Committee Notes to Rule 37(e), foreseeability of a cyberattack should at least be considered when it comes to a party's preservation efforts because a company may not be immune from liability where its data is lost due to some intervening causation, including an intentional cyberattack by a third party.
Although New Jersey courts have not directly addressed a party's preservation efforts in the context of a cyberattack, they have followed tort law when determining if a superseding act may break the chain of causation that links the alleged wrongful act—here, a litigant's failure to preserve potentially relevant ESI—and the injury suffered. As explained in Komlodi v. Picciano, 89 A.3d 1234, 1252 (N.J. Super. 2014), intervening causes that are foreseeable or the normal incidents of the risk created, will not break the chain of causation and relieve a party of liability. Id. citing Model Jury Charge (Civil) 6.14 (Aug. 1999). Thus, the concepts of foreseeability and superseding/intervening causation are inextricably interrelated and the court needs to have a full understanding of both. Komlodi, at 1252. Under this framework, if we assumed a litigant has had a history of attempted cyberattacks and nevertheless stored potentially relevant ESI in the cloud with limited or no security measures in place, a court may find that any ensuing data loss caused by a third-party attack was foreseeable and, therefore, the intervening cause may not excuse its failure to preserve.
Should Litigators Consider a 'Cybersecurity Check'?
The need for a “cybersecurity check” is not one-size-fits-all and will likely depend on a number of factors including: (1) the nature of the litigant itself and its business; (2) whether the litigant implemented standard cybersecurity measures expected to be in place in its industry; (3) whether cyberattacks are foreseeable or have occurred in the past; and (4) the extent to which the litigant has protected against the reasonably foreseeable risks. The answer as to whether a “cybersecurity check” is needed, boils down to whether a court could consider an unprotected or under-protected data breach a failure to “safeguard” sufficient to warrant the imposition of sanctions after applying these factors.
In the months and years to come, lawyers, litigants and courts will be forced to grapple with third-party attacks on electronic data and will eventually expand on a litigant's duty to “safeguard” potentially relevant ESI. Will the duty to preserve include or even require a “cybersecurity check,” and will the failure to include one expose a litigant for failing to meet its duty? For now, adding that extra question to counsel's general preservation protocols—how is the data protected?—could help militate against that risk.
Benayoun is a shareholder with Greenberg Traurig, focusing his practice on complex commercial litigation. Koff is an associate in the firm's Litigation Practice. They are resident in the firm's Fort Lauderdale office.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllFalling Back in Love With Certain Estate Planning Strategies in a Falling Interest Rate Environment
9 minute readThe Crucial Role Parenting Coordinators Play in Helping Former Spouses Co-Parent Effectively
Three's Company: Can a Nonsignatory to an Arbitration Agreement Compel or Be Compelled to Arbitrate?
8 minute readTrending Stories
- 1Congress and Courts are Considering Litigation Financing: Is Disclosure Imminent?
- 2Bar Report — Nov. 25, 2024
- 3People in the News—Nov. 25, 2024—Eckert Seamans, Klehr Harrison
- 4How We Made Practice Group Chair: 'One of the Most Important Skills Is Being a Good Listener,' Say Timothy Kincaid and Brad Vaiana of Winston & Strawn
- 5Avoiding Inadvertent Conflict Issues With Constituents When Representing Organizational Clients
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250