This blog summarizes the webinar in which I discuss this legal decision and its insurance implications with experts Justin Daniels, Advisor on Cybersecurity and Data Protection and General Counsel at Baker Donelson, and Kelly Geary, National Practice Leader - Executive Risk & Cyber/Professional Services Claims & Coverage Leader, Epic Brokers. Watch the webinar.
In August, a top banking regulator, The Office of the Comptroller of the Currency, fined Capital One $80 million over a 2019 data breach that exposed the financial records of over 100 million customers and credit card applications. The regulator found that the bank failed to establish effective security measures and correct deficiencies in a timely manner. And this financial penalty is likely to be the tip of the iceberg after a judge in the resulting class action lawsuit ruled in favor of the plaintiffs on a critical issue.
In late May of this year, the judge presiding over a class action lawsuit brought against Capital One in response to its 2019 data breach ruled that the global financial holding company must turn over a copy of the incident report it commissioned to determine the cause of the breach.
While it may seem like a nondescript cog in the legal machine, this ruling shakes up a protection taken for granted by businesses that engage services such as incident response. In fact, in the past, we have often advised customers to work through general or inside counsel, so that communication between their cybersecurity service providers and that counsel is protected by well-understood legal mechanisms, including attorney-client privilege. However, in this case, the judge refused to extend this privilege. That is why this decision upends the notion of a blanket sanctuary against disclosing the intimate details of how a cyber incident might have occurred. And for all companies, it now means that simple mistakes made years before an offending cyber breach can cause major complications down the road.
This ruling is instructive about how companies and their forensic firms structure their engagements. Master service agreements (MSAs) and statements of work (SOWs) should be paid separately and not out of a retainer for existing services. This ruling could also affect firms that request prepaid retainers to provide on-demand breach services, especially for customers they already serve. Let’s pause for a moment and establish the key factors.
In late September 2019, Capital One publicly disclosed a massive cyber breach that affected over 100 million of their credit card customers and applicants. The breach was detected in July of that year and the stolen data included personally identifiable information (PII) including applicant names, addresses, phone numbers, email addresses, dates of birth, self-reported incomes and some “fragmented” information including credit scores, transaction data and in some cases, U.S. Social Security numbers.
The resulting investigation conducted by Capital One’s appointed cybersecurity firm, Mandiant, determined that an outside individual gained unauthorized access as a result of a misconfigured open-source Web Application Firewall (WAF) used to protect operations hosted in the cloud with Amazon Web Services (AWS). As part of the service, Mandiant produced an incident response report which outlined the key sequence of events and contributing factors that led to the breach.
The attorneys representing a consolidated class action lawsuit, made up of 60 similar filings, requested access to the Mandiant report. They argued that the document would be critical in the discovery phase of the suit they brought against Capital One in response to the breach.
In May of this year, Judge John Anderson from the U.S. District Court for the Eastern District of Virginia ruled in favor of the plaintiffs in the action requiring Capital One to provide a copy of the report.
Everyone is familiar with the notion of attorney-client privilege. It’s a jewel in the crown of almost every crime drama in mainstream culture. In legal parlance, attorney-client privilege protects the right of the client to refuse to disclose, and to prevent other parties from disclosing, confidential communications between the client and their attorney. It’s a critical pillar of common law that encourages frank discourse between client and attorney, so that the attorney can provide the most effective representation.
There is another critical legal concept to understand: work product protection. Federal Rule of Evidence 502(g)(2) defines work product protection as “protection for tangible materials in preparation for litigation or trial.”
Representatives for Capital One argued that the Mandiant report was protected work product and, consequently, also protected by attorney-client privilege, because the data breach in question would likely precipitate legal action against the firm. Capital One also managed all communication through its legal representatives at Debevoise & Plimpton. Normally this position would hold. So why did the judge rule against Capital One?
In simplified terms, the judge ruled that Capital One’s commissioning and use of the Mandiant incident response report was for business purposes and not in response to litigation. Read the full report here.
There are several factors that go into the judge’s ruling: at the time the work was commissioned, there were no known suits against Capital One in relation to the data breach. The judge ruled that Capital One could not provide “sufficient evidence” to show that the incident response services provided by Mandiant would have differed between litigation and non-litigation motivated activity.
The judge also deemed that the contract history, dating back to 2015, excluded the incident report from protection. The original SOW and MSA included the same data forensics work as was conducted in 2019 as part of the breach investigation. Moreover, Capital One designated the retainer paid to Mandiant in February 2019 as “business critical” and not as a “legal” expense. It is conceivable that, internally, the CISO had to deem the work business critical to avoid budgetary constraints or to meet other financial restrictions. In fact, a Wall Street Journal article outlined internal concerns at Capital One about high turnover in the security team, failure to deploy critical security software and other issues.
The final nail in the Capital One coffin was the wide distribution of the report across 50 employees, a general email distribution list, four regulators and its accounting firm, Ernst & Young. With this broad distribution to non-legal experts and organizations, it became hard to argue that the report was commissioned in defense of a lawsuit.
While these factors may appear pedantic, they contributed to the judge’s final ruling in favor of the plaintiffs. From each factor, we can glean recommendations to ensure companies do not find themselves exposed in the same way as Capital One.
Firms should require separate SOWs and MSAs that distinguish specific services as pre- and post-incident. Incident response services, including subsequent investigations, resulting reports and remediation recommendations, should not be included in ongoing engagements. They must be specifically commissioned in response to a distinct event.
Payment for incident response services should be separate from any payments for ongoing or renewable services and should precipitate a new retainer. Your finance department should clearly identify the specific work as “Legal” rather than folding it into whatever general accounting code happens to be convenient for reporting.
How widely an incident report is disseminated can undercut claims of attorney work product protection. Understand the role of in-house counsel and the limits of the attorney work product doctrine. In this case, the report should be closely controlled by legal counsel. In fact, during a recent webinar I hosted, Justin Daniels advised that the incident response report should go only to legal counsel, and that any dissemination beyond counsel should be limited to a verbal summary delivered by counsel. This way, the communication is protected under attorney-client privilege and the original document is protected as work product.
By extension, the findings of incident response reports, as well as vulnerability assessments, penetration tests and risk assessments, should be routed through, and only to, legal counsel. Justin also advised that this strategy works best with retained counsel rather than in-house counsel. In some cases, in-house counsel are viewed as wearing multiple hats, and not all communications will fall under the protection of attorney-client privilege in similar matters.
I’d recommend you speak with Justin directly on this matter. His observations are eye-opening.
In the case of Capital One, the devil certainly resides in the details. The judge’s ruling in this case shakes the generalized assumption of protection under attorney-client privilege … and reinforces the fact that innocuous administrative tasks can lead to your undoing in a courtroom. Remember, it’s not just class action lawsuits. The same could happen during disputed insurance claims or when seeking relief from third-party vendors at the heart of a data breach. While most of us view the details of financial accounting as a nuisance, they too could be a snare. Ensure you don’t compromise your future during the pain of an annual budgeting cycle, and don’t let your accounting folks make uninformed decisions about accounting buckets and codes. These simple mistakes can compound into extremely expensive risks down the road.
eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.