Hackers have shown themselves to be resourceful in gathering information that allows them to commit their crimes. We have seen hackers use employees and other “out of wallet” information to gain access to data. Recent developments in the Target litigation provides a reminder that hackers may also use documents filed in court in data breach cases to commit crimes.
On July 24, 2015, the Financial Institutions in the Target 2013 data breach case (In re: Target Customer Data Security Breach Litigation) filed a Motion To UnsealCertain Documents Cited In And Attached To Plaintiff’s Motion For Class Certification. In the Motion, the Financial Institutions claim that “Target has taken the position that every document it has ever produced in this case is ‘Confidential’ or ‘Highly Confidential’ and should be concealed.” The current dispute stems from a Protective Order entered by the court on June 25, 2014, that allowed the parties to designate certain documents as “Confidential” or “Highly Confidential.” Of course, under this Protective Order, any document marked “Confidential” would not be accessible through the court’s electronic filing system. In its Motion, the Financial Institutions argue that it has not been able to locate a single document produced by Target that hasn’t been designated as confidential.
The financial institutions’ argument is based primarily on the burdens created under the Federal Rules of Civil Procedure for any litigant seeking confidentiality. The court’s Protective Order is based on Federal Rule of Civil Procedure 26, which states that a court “may, for good cause, issue [a protective order] order to protect a party or person from annoyance, embarrassment, oppression, or undue burden or expense, including…that a trade secret or other confidential research, development, or commercial information not be revealed or be revealed only in a specific way.” The party seeking the protective order has the burden of showing “good cause” for confidentiality. The financial institutions assert that Target has not met this “heightened burden” to keep the documents under seal.
While the financial institutions and Target disagree over whether Target’s documents should be unsealed, both parties agree that, under the Protective Order, documents containing “information that may reveal a trade secret or other confidential research, development, financial, or other information, including data security information, that is commercially sensitive or information that reveals personally identifiable information” should remain under seal.
In its opposition brief, Target argues the documents should remain sealed because Target believes hackers would use the information to commit crimes in the future. In support of its argument, Target relies on various sources indicating hackers mine this information (“The hacker fills out the map with a complete intelligence database on your company, perhaps using public sources such as government databases, financial filings and court records.”). In short, Target claims that if the documents are unsealed, hackers would have access to “detailed information about Target’s IT infrastructure, Target’s information security controls, and information about Target’s information security policies and procedures.”
On August 12, 2015, the court held a hearing and took the financial institutions’ motion under advisement, stating it will issue an order at a later time.
The present dispute in the Target litigation demonstrates the unique issues litigants and courts will face related to data breach cases. Target summarizes this issue in the following manner:
Ironically, in a case in which their core complaint is that Target failed to take steps that may have prevented the criminal attack on Target’s computer network that is the subject of this litigation…Plaintiffs, through their Motion to Unseal, invite this Court to issue an order that would put Target at greater risk of a future attack and the future harm that would accompany such an attack. Indeed, according to their theory of the case, an order granting Plaintiff’s Motion to Unseal would put Plaintiffs themselves at greater risk of future harm.
Therefore, as data breach litigation flourishes, courts will be called on to balance the interests of litigants to have sufficient information to support their claims while not disclosing information that provides hackers a playbook to commit their crimes.