Court Examines Whether Cyber Security Expert May Rely on Self-Defined Industry Standard


    Court: United States District Court for the Southern District of Florida
    Jurisdiction: Federal
    Case Name: Nat’l Union Fire Ins. Co. v. Tyco Integrated Sec., LLC
    Citation: 2015 U.S. Dist. LEXIS 193807

    Following a security system breach and burglary, the plaintiff sues the defendant security services company. The plaintiff’s cyber security expert opines on the case using an “industry standard” for companies handling sensitive customer data that he has compiled himself.

    The court is tasked with reviewing his methodology and determines that he has relied on valid sources and has appropriately evaluated how the defendant compares.

    Facts

    The defendant in this case was a security services company that provided security and fire safety for a pharmaceutical company’s distribution warehouses. The plaintiff, the pharmaceutical company’s subrogee, claimed that burglars broke into a warehouse using confidential information about the security system that had been outlined in the defendant’s security proposal for the warehouse. The plaintiff alleged the burglars exploited the same security weaknesses that the defendant had pointed out while negotiating a renewal of their contract. The plaintiff hired a cyber security expert witness to testify about the deficiencies in the defendant’s IT security infrastructure and its inability to protect confidential data.

    The Plaintiff’s Cyber Security Expert Witness

    The plaintiff’s cyber security expert concluded that the burglars used confidential information kept by the defendant on the configuration of the facilities. The expert pointed out that the defendant’s technical infrastructure, as well as the steps taken by the defendant to protect customer information, were below the industry standard.

    The expert noted that the “industry standard” he referred to in his report was “organizations in the 2009 to 2011 timeframe in the billion-dollar range, that would secure important customer information, such as alarm records, alarm systems, or anything that might be sensitive to their customers if breached.” The expert’s estimation was not limited to alarm firms, but also included alarm companies. The expert explained that his conclusions were not based solely on his experience but also on applicable criteria used by the cybersecurity industry, such as those published by the National Institute of Standards and Technology, the Council on CyberSecurity, and the Payment Card Industry.

    The expert further said that the defendant did not reveal the solicited information about its network infrastructure despite receiving a Litigation Hold Letter. He believed this meant the defendant’s network security infrastructure was substandard.

    Discussion

    The court found that drawing on established cyber security standards was a valid and effective way of constructing an industry standard for processing confidential client information. The court noted that it had reached a different result in a previous, nonbinding case, Kaufman v. Pfizer Pharms., Inc., where the expert witness’s testimony was excluded because, aside from her own experience, the expert had not applied any meaningful “industry standard.” The court observed that the expert’s testimony in the current case on the necessary cyber security procedures for large companies and the applicable standards for handling sensitive information was instead based on more than personal experience and was, therefore, reliable.

    The court further noted that matters relating to discovery, the admissibility of evidence, and spoliation are issues for the court to decide, and, thus, the expert’s testimony on the Litigation Hold Letter was inadmissible. It also concluded that he was a cyber security expert and not an investigator, so his opinion on how the burglars gained access to the warehouse was speculative.

    Held

    The motion to exclude the cybersecurity expert witness’s testimony was granted in part and denied in part.

    Key Takeaways for Experts

    Here, the cyber security expert laid out his own definition of an “industry standard,” but because it was backed by valid sources, it was permitted. This demonstrates that a sound methodology grounded in industry-accepted concepts will stand, even if novel.