Announcements

Court Ruling on Forensic Data Breach Reporting Flying Under the Radar

One thing that may have flown under the radar in recent weeks is that a court has ruled that Capital One must allow plaintiffs to review a cybersecurity firm’s forensic report related to the bank’s 2019 data breach despite the bank’s protests that it is a protected legal document.

You can read more about it here for context.

This could set a precedent for companies when it comes to breaches. Prior to this, whenever breaches occurred (particularly consumer-related breaches), companies were able to hide behind the shield of private corporate confidentiality. This new ruling may deter companies from having IR firms on retainer, as that makes their forensics work admissible in court.

Previously, consumers had to trust that the information companies were releasing was true and accurate. It allowed an organization to withhold details that could expose failures or missteps within its security organization. Incident reports were considered internal-only documents. This may no longer be the case.

Going forward, this ruling opens the door to companies being unable to hide behind a veil of confidentiality. They will now have to give the full truth as to what happened in an incident.

While many breaches can be traced back to an end user doing something, like falling for a phishing email, there are other underlying issues at play, such as poor security practices, taking shortcuts on staff and tools, and not doing the right security things. With this new ruling, all of the information around a breach will be made available. So, regardless of whether a breach was something the organization was prepared for or a complete business failure, everyone will know.

This sends a message to those paying attention that cutting corners or taking shortcuts could pose a much greater risk than before. Security is insurance, and there have been organizations willing to roll the dice knowing they can hide or distort what happened if something did go wrong. This ruling may put an end to those behaviors and create deeper transparency. Keep a close eye on how this plays out, because it could cause a significant change in the ways organizations go about securing their environments.