Court Examines Whether Cyber Security Expert May Rely on Self-Defined Industry Standard

By Zach Barreto

Updated on March 16, 2021

Court: United States District Court for the Southern District of Florida
Jurisdiction: Federal
Case Name: Nat’l Union Fire Ins. Co. v. Tyco Integrated Sec., LLC
Citation: 2015 U.S. Dist. LEXIS 193807

Following a security system breach and burglary, the plaintiff sued the defendant security services company. The plaintiff’s cyber security expert opined on the case using an “industry standard” for companies handling sensitive customer data that he had compiled himself.

The court was tasked with reviewing his methodology and determined that he had relied on valid sources and had appropriately evaluated how the defendant compared against them.

Facts

The defendant in this case was a security services company that provided security and fire safety for a pharmaceutical company’s distribution warehouses. The plaintiff, the pharmaceutical company’s subrogee, claimed that burglars broke into a warehouse using confidential information about the security system that had been outlined in the defendant’s security proposal for the warehouse. The plaintiff alleged that the burglars exploited the same security weaknesses the defendant had pointed out while negotiating a renewal of its contract. The plaintiff hired a cyber security expert witness to testify about the deficiencies in the defendant’s IT security infrastructure and its inability to protect confidential data.

The Plaintiff’s Cyber Security Expert Witness

The plaintiff’s cyber security expert concluded that the burglars had used confidential information kept by the defendant on the configuration of the facilities. The expert pointed out that the defendant’s technical infrastructure, as well as the steps the defendant took to protect customer information, fell below the industry standard.

The expert noted that the “industry standard” he referred to in his report was “organizations in the 2009 to 2011 timeframe in the billion-dollar range, that would secure important customer information, such as alarm records, alarm systems, or anything that might be sensitive to their customers if breached.” The expert’s benchmark was not limited to alarm firms but also included alarm companies. The expert explained that his conclusions were not based solely on his experience but also on applicable criteria used by the cybersecurity industry, such as those published by the National Institute of Standards and Technology, the Council on CyberSecurity, and the Payment Card Industry.

The expert further said that the defendant did not reveal the solicited information about its network infrastructure despite receiving a Litigation Hold Letter. He believed this indicated that the defendant’s network security infrastructure was substandard.

Discussion

The court found that the use of established cyber security standards was a valid and effective way of constructing an industry standard for processing confidential client information. The court distinguished this from a previous, nonbinding case, Kaufman v. Pfizer Pharms., Inc., in which expert witness testimony was excluded because, aside from her own experience, the expert had not applied any meaningful “industry standard.” The court observed that the expert’s testimony in the current case on the necessary cyber security procedures for large companies and the applicable standards for handling sensitive information was instead based on more than personal experience and was therefore reliable.

The court further noted that matters relating to discovery, the admissibility of evidence, and spoliation are issues for the court to decide, and, thus, the expert’s testimony on the Litigation Hold Letter was inadmissible. It also concluded that he was a cyber security expert and not an investigator, so his opinion on how the burglars gained access to the warehouse was speculative.

Held

The motion to exclude the cybersecurity expert witness’s testimony was granted in part and denied in part.

Key Takeaways for Experts

Here, the cyber security expert laid out his own definition of an “industry standard,” but because it was backed with valid sources it was permitted. This demonstrates that a sound methodology grounded in industry-accepted concepts will stand, even if it is novel.

About the author

Zach Barreto

Zach Barreto is a distinguished professional in the legal industry, currently serving as the Senior Vice President of Research at the Expert Institute. With a deep understanding of a broad range of legal practice areas, Zach's expertise encompasses personal injury, medical malpractice, mass torts, defective products, and many other sectors. His skills are particularly evident in handling complex litigation matters, including high-profile cases like the Opioids litigation, NFL Concussion Litigation, California Wildfires, 3M earplugs, Elmiron, Transvaginal Mesh, Roundup, Camp Lejeune, Hernia Mesh, IVC filters, Paraquat, Paragard, Talcum Powder, Zantac, and many others.

Under his leadership, the Expert Institute’s research team has expanded impressively from a single member to a robust team of 100 professionals over the last decade. This growth reflects his ability to navigate the intricate and demanding landscape of legal research and expert recruitment effectively. Zach has been instrumental in working on nationally significant litigation matters, including cases involving pharmaceuticals, medical devices, toxic chemical exposure, and wrongful death, among others.

At the Expert Institute, Zach is responsible for managing all aspects of the research department and developing strategic institutional relationships. He plays a key role in equipping attorneys for success through expert consulting, case management, strategic research, and expert due diligence provided by the Institute’s cloud-based legal services platform, Expert iQ.

Educationally, Zach holds a Bachelor's degree in Political Science and European History from Vanderbilt University.
