The grousing began within 24 hours of Equifax’s announcement, last Thursday, of its massive data breach that compromised personal data of over 140 million U.S. consumers. I’m generally unsympathetic about such complaints (“We’re shocked – SHOCKED – that in a breach affecting 140+ million people, we’re having trouble immediately reaching a live person at the phone bank! And the breach website is not operating smoothly!”). Usually only Louis C.K.’s masterpiece “Everything’s Amazing – and Nobody’s Happy” can coax me out of my grumpy place.

But as post-announcement events have unfolded, some of the initial criticism appears to have legs:
Continue Reading Equifax breach – hot mess, or simply the world we live in?

Sometimes one must look past the headlines (Target’s $18.5 million deal with the states) to see what’s truly important in effective data breach response.

Last week, in the Experian data breach litigation, the District Court denied plaintiffs’ motion to compel production of the forensic analysis report on the breach, prepared by Mandiant.  Why?  Because it was Experian’s law firm that retained Mandiant to perform the forensic analysis and prepare its report, in anticipation of litigation.  According to the court:

  • Jones Day hired Mandiant to assist the law firm in providing legal advice to the client Experian;
  • Mandiant’s report was based on server images that are independently discoverable, without the report;
  • only a summary, not the full report, was shared with Experian’s internal Incident Response Team; and
  • though Mandiant had in the past worked directly for Experian on other matters, this engagement was separate.

On this basis the court held that the report was protected work product, without even reaching the additional point of attorney/client privilege.

So what’s the big deal? It’s this – in the heat of an unfolding security incident (in Experian’s case, impacting 15 million people), things move fast. Really fast. Victim companies scramble to understand what happened, when it happened, what must now be done, and by when. The what and when are of course important, but so too are the who and how of effective breach response. For example, a natural move under the gun is to have the infosec folks immediately bring in an outside security/forensics firm and turn them loose. Sounds great … until litigation ensues, and all of the forensic firm’s analysis is fair game in discovery – the good, the bad, and the ugly.

This is a no-win situation, for both the unprepared and the semi-prepared:

Continue Reading In breach response, who and how are just as important as what and when

News reports today indicate that Verizon is pushing ahead with its purchase of Yahoo’s core internet business, despite Yahoo’s massive data breaches. Yahoo suffered a breach of 500 million user accounts in 2014, on the heels of a one billion account compromise in 2013 (names, telephone numbers, birth dates, passwords, and security questions), reputedly the largest data breach in history.

Speculation swirled for months about whether Verizon would simply walk away from the deal, originally set at $4.83 billion, or would proceed with a drastically reduced acquisition price.  And the result, as of today’s announcement?  Full speed ahead, after lowering the purchase price by $350 million.

Verizon will gain personal data on Yahoo’s over one billion users, which will no doubt boost its digital media and targeted advertising revenues, and the deal will help Verizon expand beyond the crowded market for wireless services.  So, the value of user information is not in doubt.  But what about the value of privacy?

$350 million is a lot of money.  And apparently Verizon and Yahoo will share certain costs related to governmental investigations and breach litigation, with Yahoo remaining on the line for SEC and shareholder litigation fallout.  But still, the results of simple division are stark – $350 million against up to 1.5 billion affected persons … yielding 23 cents.
Continue Reading What’s our privacy worth? According to the Verizon/Yahoo deal, about 23 cents.

This week, with echoes of vintage John Mellencamp in the air, the U.S. Court of Appeals for the Sixth Circuit took a gavel to the wall that for years has blocked consumer class actions for data breach claims – Article III standing. In Monday’s unpublished, 2-1 decision in consolidated cases against Nationwide Mutual Insurance Company, the court ruled that plaintiff consumers had standing to pursue negligence claims against Nationwide arising out of a 2012 security breach, in which hackers stole personal information of 1.1 million customers.

The Sixth Circuit is now aligned with the Seventh Circuit, which just last year in its Neiman Marcus decision similarly lowered the bar for Article III standing in consumer data breach litigation.

Continue Reading Consumer data breach litigation standing – the walls are crumblin’ down