Online Threat Alerts (OTA)
An anti-cybercrime community alerting the public.

Why Incident Response Reports Are No Longer Private After a Business is Hacked

Until recently, companies that got hacked could keep their incident response reports private under attorney-client privilege. However, that’s about to change.


Capital One’s data breach may have ended privileged incident response reports

In 2019, a software engineer from Seattle hacked into a Capital One server and gained access to personal information pertaining to more than 100 million people. Openly boasting about her exploit, she reportedly stole 140,000 Social Security numbers and 80,000 bank account numbers. The software engineer had previously worked for Amazon Web Services, where the Capital One database was hosted.

The cause of the data breach was a misconfigured firewall. It’s unclear how the firewall was misconfigured, but it could have been a simple oversight. Had Capital One employed a third-party solution on its AWS servers, such as a Next Generation Firewall, the incident may have been avoided. Next Gen firewalls detect threats in real time and use a growing database of known attacks as a reference for threat indicators.

Since Capital One failed to protect consumer data, they are now at the center of a host of lawsuits. Multiple lawsuits – including more than 60 class actions – have been filed against Capital One for failing to safeguard consumers’ personal information with appropriate data security measures.

As part of the litigation, Capital One is being asked to hand over information that was formerly considered privileged.

Capital One must hand over their incident response report

When a company experiences a data breach, they usually create an incident response report that describes all the measures taken to mitigate and stop the effects of the breach. According to Cyberscoop, Capital One’s contractor, Mandiant, compiled an incident response report that is expected to detail “engagement activities, results and recommendations for remediation” as a result of the 2019 data breach. Capital One expected that this report would remain privileged, but a judge thinks otherwise.

In May 2020, a Virginia District Court judge ruled that Capital One must provide plaintiffs’ attorneys with a copy of their incident response report from a 2019 data breach. This ruling could pave the way for similar rulings in the future and is a dire warning to corporations to step up their game concerning data security.

Why incident response reports have been kept privileged

Large corporations prefer to keep incident response reports private because the details could give plaintiffs information to justify seeking a higher payout. Naturally, corporations want to mitigate the financial impact of a data breach lawsuit. Thanks to strict data protection regulations, some corporations are already required to pay hefty fines and want to pay consumers as little as possible.

Corporations should use this situation to their advantage

Rather than be afraid, corporations should use the Capital One data breach situation to their advantage. Namely, this is a great opportunity to increase data security measures to protect personal information. Top-of-the-line, high-tech cybersecurity is no longer an option but a requirement for any business that stores personal data belonging to customers.

Should incident response reports remain privileged?

Under current legal doctrine, incident response reports should remain privileged. However, this surprise ruling in Virginia is cause for reconsideration. For years, corporations have been employing poor data security measures that have caused harm to millions of people across the world. When incident response reports remain privileged, nobody really knows the whole story regarding security and personnel failures. That’s not fair to consumers.

Between a long string of ransomware attacks, data breaches, and relentless bricking, it’s clear that corporations aren’t motivated to increase security measures. Declaring incident response reports as unprivileged has the potential to act as a deterrent for businesses that try to get by with minimal security measures.

Businesses can learn from Capital One’s incident response report

If Capital One’s incident response report becomes part of the court proceedings, it will eventually be made public. This means businesses can use the information to their advantage and learn from Capital One’s mistakes.

It costs money to employ high-level data security measures. However, high-tech data security should be a standard part of every corporation’s IT budget. Data security might be an expense when tax time rolls around, but it’s actually an investment in customer relationships.

Customers shouldn’t have to worry about if or when their personal data will be posted on the dark web for hackers to exploit. They should know the companies they do business with care about protecting them – even if it costs a little more.
