March 31, 2013
When Nationwide Mutual Insurance Co. discovered in October that a hacker had breached its systems and stolen personal details of roughly one million people, it put the internal probe in the hands of a law firm, rather than one of the forensic investigators typically retained for such incidents.
The insurer hired Boston-based Ropes & Gray LLP in part because the law firm could offer something a forensic firm couldn’t: attorney-client privilege and the secrecy it confers.
As data breaches and cybercrime become a bigger concern for companies, law firms are touting that secrecy in their efforts to win business. Law firms also help companies navigate the patchwork of federal and state laws governing public disclosures of data breaches.
The moves come as the Securities and Exchange Commission is pressing companies to be more forthcoming about attacks on their computer networks, and 47 states have enacted data-breach notification laws.
Heightened regulatory scrutiny and the risk of litigation following data breaches are driving the need for confidentiality, says Ropes & Gray partner Doug Meal, who is heading Nationwide’s investigation.
Within weeks of Nationwide’s disclosure that the records had been stolen, the Federal Bureau of Investigation was investigating the breach and regulators in several states were investigating the company, Nationwide said. Plaintiffs have filed lawsuits seeking class-action status in Kansas and Ohio federal courts, alleging that the insurer failed to safeguard their personal information properly.
The company says it hired Ropes & Gray to provide counsel on the data breach but declines to comment further, citing continuing litigation.
Some investigators agree that attorney-client privilege comes in handy.
Mike Dubose, the head of Kroll Advisory Solutions’ cyberinvestigations practice, says Kroll advises its clients to hire a lawyer first and then have the lawyer hire Kroll. While a forensics firm such as Kroll can detect malware, scour network-access logs or understand the modus operandi of a foreign hacking group, if Kroll is contracted directly by the company rather than by an outside lawyer, that work is unlikely to be protected by attorney-client privilege, he says.
“Every network we have seen has substantial room for improvement,” Mr. Dubose says. “What a company does not want is its investigation or due diligence, undertaken with the best of intentions, to be used against it in litigation.”
Heartland Payment Systems Inc. turned to Ropes & Gray when the credit-card processor’s data was breached in 2009. The New Jersey company was contractually obligated to undergo forensic investigations initiated by card providers, including MasterCard Inc. and Visa Inc.
But Charles Kallenbach, Heartland’s general counsel, says the company also wanted to conduct its own investigation to make sure the outside probes didn’t blame his company unfairly. Heartland also didn’t want those results disclosed to outside parties, he says.
“When you’re up against class-action foes and plaintiffs’ attorneys, there’s a need to keep that information private,” Mr. Kallenbach says.
From 2008 through last year, hackers accessed 681 million records, and there has been a 40% increase in the number of publicly disclosed data breaches over the last two years, according to a study by accounting firm KPMG. The typical data breach costs a company $5.5 million in operating expenses and lost business, according to a 2011 report by the Ponemon Institute, a security research firm.
Companies on the losing side of data-breach class-action litigation pay an average settlement award of $2,500 per plaintiff, with attorney fees averaging around $1.2 million, according to a survey released last year by Temple University Beasley School of Law.
Alston & Bird LLP, one of the country’s 50 biggest law firms by revenue, hired Kimberly Peretti in January to co-chair the firm’s security-incident and management-response team. Ms. Peretti, a former senior litigator for the Justice Department’s Computer Crime and Intellectual Property Section, says the practice is among the first at a major law firm dedicated to data-breach investigations, and she expects the firm’s competitors to follow suit.
While forensic firms still get most of the work, and are hired by law firms, the need to establish attorney-client privilege has led companies to turn to law firms, Ms. Peretti says.
Stewart Baker, who manages Steptoe & Johnson LLP’s technology practice and is a former chief policy adviser at the Department of Homeland Security, says the likelihood of increased government regulation almost ensures a steady flow of work for law firms.
The SEC instituted its voluntary corporate-disclosure plan for cyberbreaches in October 2011 and sent dozens of letters to companies last year asking about cybersecurity disclosures, pushing for more information.
It is unclear how much business data breaches have generated for law firms. Legal recruiters say top firms value cybersecurity experience and the practice area is still developing.
Steve Nelson, a recruiter at executive-search firm McCormick Group Inc., says law firms increasingly are looking for prosecutors with cybercrime experience to beef up incident-management-and-response practices. Hiring of such specialists isn’t on par with that of lawyers with expertise in the Foreign Corrupt Practices Act, an antibribery law that has become a cash cow for firms, but it is steadily increasing, he says.
“Say you’re a company and you wake up Monday morning, and the FBI says, ‘We found your data halfway to Asia.’ That’s a new experience companies are going to have to deal with, and you’re probably going to want a lawyer,” Mr. Baker said.