Applying Discovery Rules to Cybersecurity Investigations
During discovery, corporate entities have long been asked to produce documents from related internal investigations. Most rules of civil procedure now explicitly address such scenarios and are supplemented by extensive caselaw. As litigation in the cybersecurity field becomes more commonplace, a growing body of caselaw has developed to address investigations of cybersecurity incidents. In the high-profile investigation of Facebook and Cambridge Analytica by the Massachusetts attorney general, oral argument on an attempt to compel production of data from Facebook suggests that the same principles applied in traditional investigations will be applied in the cybersecurity field.
In 2015, Facebook discovered that a professor had passed Facebook user data that was gained through an app to third parties, including the now-infamous Cambridge Analytica. Facebook stated that it then required the professor and any party who received that information to certify that all such data was destroyed in light of its violation of Facebook policy. Although the certifications were provided, in March of 2018, Facebook released a statement that it believed the data was not in fact deleted, and suspended all offending individuals and entities. Facebook also launched an app developer investigation at that time, led by its outside attorneys. The Massachusetts attorney general followed suit, launching its own investigation of Facebook under the Massachusetts Consumer Protection Act.
The Massachusetts attorney general’s office is now seeking disclosure of Facebook’s app developer investigation, which Facebook has opposed as protected by the work product doctrine and attorney-client privilege. Attorneys for Facebook have argued that this investigation is distinguishable from its ongoing maintenance programs in that it has a defined beginning and eventual end. Facebook further claims that it was the product of legal advice specifically designed to understand legal risks and options, which could only fall under the attorney-client privilege. The Massachusetts attorney general responded that it is only looking for whom Facebook policed in its investigation, and has not sought what the company’s attorneys have said about the process.
The presiding judge appears to be following existing caselaw in evaluating the extent to which Facebook will have to comply with the demands. He noted that the investigation seemed to be a longer-term enhancement of standard practices and protocols and suggested that there must be discoverable factual information contained within the investigation. This latter comment goes directly toward most jurisdictions’ standard for determining the discovery of investigation materials: whether the material is factual in nature rather than an evaluation of facts. While courts rarely require disclosure of credibility discussions, or overall analysis of the case, experts who are brought in simply to determine what happened often have their reports compelled for production. Companies and their technology leadership should therefore be cognizant of the information they collect both in-house and through third parties when conducting investigations. Caselaw may still be evolving in the cybersecurity field in this area, but it is clear that the same principles that have been used in more traditional corporate investigations will also be applied. Awareness of the potential for eventual disclosure is therefore necessary to carefully plan, and execute, an investigation that may be subject to later litigation.