Preserving Privilege Over Communications In The Aftermath Of A Data Breach

Article by Ryder Gilliland and John Mather

While there are no guarantees as to which communications will ultimately be protected by privilege, a company can increase its odds of creating a sphere of privilege-protected communications in the aftermath of a data breach by giving consideration to such issues in structuring its internal investigations.

Below we highlight lessons learned from the decision of the United States District Court for the District of Minnesota following the much-publicized December 2013 data breach involving Target Corporation (Target).

BACKGROUND

Following its data breach, Target initiated a two-track investigation.

On one track, Target set up an ordinary course internal investigation aimed at determining how the breach occurred and how Target and the credit card brands could respond to it. A team from Verizon Business Network Services (Verizon) was retained to assist with this investigation.

On another track, Target’s external counsel retained a separate team at Verizon to investigate and educate external counsel about the breach so as to “enable counsel to provide legal advice to Target, including legal advice in anticipation of litigation and regulatory enquiries.” As part of this track, Target also struck a task force to assist external counsel.

Plaintiffs’ counsel sought records relating to both tracks of the investigation, arguing that everything should be producible because Target needed to undertake an investigation even if there had been no lawsuit.

THE COURT’S DECISION

Target was by and large successful. The court found that the documents relating to the second track investigation, including Verizon’s work product, were privileged. It found that these investigations were not focused on remediation of the breach, but on informing Target’s counsel about the breach so that Target’s lawyers could provide the company with legal advice and defend the company in pending litigation.

The only documents the court required to be produced were certain emails from Target’s CEO to the board of directors that provided an update on Target’s response from a business perspective.

IMPLICATIONS

Where a post-breach investigation involves employees, contractors or other third parties, Ontario courts are likely to consider privilege using factors similar to those applied by the court in Target. In particular, to assess whether solicitor-client privilege extends to communications between counsel and third parties, Ontario courts are likely to consider whether the third party’s role was to educate counsel and facilitate legal advice. With regard to litigation privilege, Ontario courts are likely to consider whether the communications at issue were prepared for the dominant purpose of existing or anticipated litigation, or as part of a normal course investigation.

BEING PROACTIVE

With this in mind, a company can increase its odds of preserving a sphere of privileged communications by taking the following steps:

  • Create a work stream designed specifically for the purpose of obtaining legal advice
  • Have internal and external legal counsel involved in the direction and execution of that work stream
  • Have third-party contractors retained by external counsel for the specific purpose of assisting in the litigation

While taking such steps will not guarantee privilege protection, a thoughtful and deliberate work plan increases the odds.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ontario: Two gamblers spearhead class action against casino over hacking of private data

By Colin Perkel

THE CANADIAN PRESS

TORONTO - Two gamblers who allege their privacy was breached are spearheading a proposed class action against an Ontario casino whose databases were hacked.

In a notice of action, they also alleged Monday that Casino Rama, north of Toronto, unjustly enriched itself at the expense of the claimants.

In the allegations contained in the notice, Leonid Kaplan, of Barrie, Ont., says he provided casino staff with copies of his driver’s licence and credit card when he went there to gamble in September.

Kaplan says he received an email from the CEO of Casino Rama, John Drake, on November 10 with the subject line: “Unauthorized Access to Personal Information.”

The email stated that the organization had been the “victim of a cyberattack that resulted in the theft of past and present patron, employee and vendor information.”

The casino publicly confirmed the attack last week but did not say exactly when it occurred or over what period.

The other proposed representative plaintiff, Cheryl Mizzi, of Stouffville, Ont., says she and her husband regularly went to Casino Rama starting in 1999. They last visited in 2015. She, too, provided various forms of identification.

Neither proposed plaintiff has said what losses, if any, they incurred as a result of the privacy breach.

The lawsuit also names Ontario’s gaming commission, Penn National Gaming and its Ontario subsidiary, which run the casino, and the Chippewas of Rama First Nation where the facility is located.

The suit, which has yet to be certified as a class action or tested in court, seeks $50 million in damages as well as another $10 million in punitive damages.

Lawyer Ted Charney said Monday the “unjust enrichment” claim arises from the casino generating revenues from gambling when customers thought reasonable security measures were in place to protect privacy.

“The casino elected not to invest in adequate staff and technology while collecting gambling revenues, promising to provide adequate security measures,” Charney said.

The suit also alleges the defendants breached contracts and violated consumer laws.

A Casino Rama spokeswoman did not address the allegations, but said Monday the organization was working with the authorities on the ongoing investigation.

“We are limited in how much detail we can provide,” Jenna Hunter said. “We deeply regret this situation and recognize the seriousness of the issue.”

Casino Rama Resort warned its customers, vendors as well as current and former staff last Thursday to keep an eye on their bank accounts, credit cards and other financial information.

The casino said it had “recently” discovered that it had become the victim of a cyberattack that resulted in the large-scale data theft.

Stolen data appeared to include internal financial and security-incident reports, emails, payroll data, client information, social insurance numbers, and dates of birth, according to the casino.

“The hacker claims that the employee information dates from 2004 to 2016, and that some of the other categories of information taken date back to 2007,” the casino said in a statement.

The resort, which has 2,500 slot machines and more than 110 gaming tables, said the games themselves weren’t hacked.

Located on Rama First Nation, the casino opened 20 years ago.

Yahoo Says Hackers Stole Info from 500 Million User Accounts

Yahoo said hackers stole personal information from 500 million of its user accounts, a massive security breakdown it attributed to a “state sponsored actor.” The breach disclosed Thursday, the latest setback for the beleaguered internet company, dates back to late 2014.

That’s when high-tech thieves hacked into Yahoo’s data centres, the company said. But Yahoo only recently discovered the break-in as part of an ongoing internal investigation.

The stolen data includes users’ names, email addresses, telephone numbers, birth dates, hashed passwords, and the security questions - and answers - used to verify an account holder’s identity.

Last month, the tech site Motherboard reported that a hacker who uses the name “Peace” boasted that he had account information belonging to 200 million Yahoo users and was trying to sell the data on the web.

Yahoo recommends that users change their passwords if they haven’t done so since 2014. The Sunnyvale, California, company said its investigation so far hasn’t found any evidence that information about users’ bank accounts or credit and debit cards was swiped in the hacking attack. It said it has “no evidence” that the attacker is still in Yahoo’s network.

News of the security lapse could cause some people to have second thoughts about relying on Yahoo’s services, raising a prickly issue for the company as it tries to sell its digital operations to Verizon Communications for $4.8 billion.

That deal, announced two months ago, isn’t supposed to close until early next year. That leaves Verizon with wiggle room to renegotiate the purchase price or even back out if it believes the security breach will harm Yahoo’s business. That could happen if users shun Yahoo or file lawsuits because they’re incensed by the theft of their personal information.

Verizon said it still doesn’t know enough about the Yahoo break-in to assess the potential consequences. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” the company said in a statement.

 

8 Ashley Madison users in US and Canada sue cheating website over data release

By Amanda Lee Myers

THE ASSOCIATED PRESS

LOS ANGELES - Eight people across the U.S. who registered to use Ashley Madison are suing the website for cheaters after hackers released personal and detailed information of millions of users, including financial data and sexual proclivities.

The lawsuits were filed between last month and Monday by Ashley Madison users in California, Texas, Missouri, Georgia, Tennessee and Minnesota. They all seek class-action status to represent the estimated 37 million registered users of Ashley Madison.

The lawsuits, which seek unspecified damages, claim negligence, breach of contract and privacy violations. They say Ashley Madison failed to take reasonable steps to protect the security of its users, including those who paid a special fee to have their information deleted.

Last month, hackers infiltrated Ashley Madison’s website and downloaded private information. The details - including names, emails, home addresses, financial data and message history - were posted publicly online last week.

“Needless to say, this dumping of sensitive personal and financial information is bound to have catastrophic effects on the lives of the website’s users,” according to a lawsuit filed Friday on behalf of an anonymous Los Angeles man who created an account with Ashley Madison in March 2012.

“As a result of (Ashley Madison’s) unfair, unreasonable and inadequate data security, its users’ extremely personal and embarrassing information is now accessible to the public,” according to the lawsuit, filed by the Baltimore-based firm of Hammond Law.

Attorney Julian Hammond, who says his firm has litigated class-action lawsuits against companies like Google, Apple and Hulu, said the Ashley Madison breach is unprecedented in his experience.

The website’s users are worried not only about identity theft but about the embarrassment of the release of intimate sexual preferences. Even registering for the site without having an actual affair could put marriages in jeopardy.

“I haven’t seen anything like it,” Hammond said Tuesday.

A spokesman for Avid Life Media, the Toronto-based company that owns Ashley Madison, referred to previously released statements by the company calling the hack malicious and an “act of criminality.”

Avid Life on Monday began offering a $500,000 Canadian (US $378,000) reward for information leading to the arrest of members of a group that hacked the site.

“We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world,” the company said in a statement last week.

The U.S. litigation follows a $578 million lawsuit filed in Canada last week, also seeking class-action status.

The hackers who took responsibility for Ashley Madison’s data breach have said they attacked the website in an effort to close it down as punishment for collecting a $19 fee without actually deleting users’ data.

On Monday, Canadian police said the hack has triggered extortion crimes and led to two unconfirmed reports of suicides.

The credit-card information of U.S. government workers - some with sensitive jobs in the White House, Congress and the Justice Department - was revealed in the breach. Hundreds of email addresses in the data release appear to be connected to federal, provincial and municipal workers across Canada.

Canada: Loss of Customer Loyalty a Big Concern Following a Data Breach

TORONTO–(BUSINESS WIRE)–The Boiler Inspection and Insurance Company of Canada (HSB BI&I), part of Munich Re, announced data breach coverage enhancements for businesses and complimentary access to a suite of online tools to help prevent the loss or theft of personal information.

“One of the most negative consequences of a data breach is the loss of customer loyalty,” said Derrick Hughes, vice president for HSB BI&I. “Consumers hold businesses accountable for the loss of their personal information. They expect to be notified when it happens so steps can be taken to protect themselves from identity theft.”

HSB BI&I introduced data breach coverage in 2011 through its reinsurance partners to help organizations respond to the financial burdens of a data breach. The coverage can pay for legal and forensic review, notification and fraud alert and case management services for identity theft victims.

HSB BI&I has enhanced its data breach insurance to cover personal data in the custody, care and control of a third party; known malware-related data breaches; notification to the Privacy Commissioner and public relations services.

In addition, policyholders of HSB BI&I and its partner insurance companies will receive access to eRiskHub®, a Web portal, supported by NetDiligence®, for data breach risk mitigation. The website provides users with resources and tools to help establish a response plan, manage the costs and minimize the effects of a data breach.

About The Boiler Inspection and Insurance Company of Canada

The Boiler Inspection and Insurance Company of Canada, a member of the HSB Group and part of Munich Re’s Risk Solutions family, provides the industry-leading range of specialty equipment breakdown insurance coverages for business and home. As Canada’s leading equipment breakdown insurer, the company helps clients reduce risk through a unique combination of specialty coverages, engineering-based risk management strategies, and an in-house team of jurisdictional and loss-prevention inspectors. For more information, visit munichre.com/hsbbii

About Munich Re

Munich Re stands for exceptional solution-based expertise, consistent risk management, financial stability and client proximity. This is how Munich Re creates value for clients, shareholders and staff. In the financial year 2014, the Group – which combines primary insurance and reinsurance under one roof – achieved a profit of €3.2bn on premium income of over €48bn. It operates in all lines of insurance, with over 43,000 employees throughout the world. With premium income of around €27bn from reinsurance alone, it is one of the world’s leading reinsurers. Especially when clients require solutions for complex risks, Munich Re is a much sought-after risk carrier. Its primary insurance operations are concentrated mainly in the ERGO Insurance Group, one of the leading insurance groups in Germany and Europe. ERGO is represented in over 30 countries worldwide and offers a comprehensive range of insurances, provision products and services. In 2014, ERGO posted premium income of €18bn. In international healthcare business, Munich Re pools its insurance and reinsurance operations, as well as related services, under the Munich Health brand. Munich Re’s global investments amounting to €227bn are managed by MEAG, which also makes its competence available to private and institutional investors outside the Group.
