On August 30th 2019, Judge Paul W. Grimm of the US District Court for the District of Maryland set a precedent that could change the way forensic reports on data breaches are written.
Marriott failed to block the release of the PCI forensic report produced by external cyber specialists after the Starwood data breach was disclosed in November 2018. One suspects that the document contains a full, drains-up root cause analysis of Marriott's failings.
Marriott may well drag Accenture, its outsourcer-in-chief with management responsibility for the IT systems in question, through the mud as well.
The letter itself makes a very clear argument for why releasing the report is justified in the circumstances. The problem for the rest of the industry is that it is very difficult to see why the same precedent would not be applied to every other data breach.
An organisation that hires a specialist team of cyber experts to review a data breach and provide a detailed root cause analysis can now expect that document to be discoverable in any subsequent court proceedings.
This puts both parties in a difficult position. The breached organisation will most probably seek to water down any findings that could later be used against it in court.
The cyber experts will likewise realise that their share of the market for breach review services depends on how flexible they are willing to be in watering down their analyses.
This creates an ethical dilemma for the industry: the most rigorous experts will receive less work, as organisations seek out firms with a track record of being flexible and creative in their report writing.
This is likely to lead to cyber insurers insisting that their own trusted experts perform the review before any decision is made on whether to pay out.