Cybersecurity Expert Witness Testimony Allowed in Data-Breach Lawsuit

Plaintiff filed suit against defendant related to a data-security breach.  Plaintiff hired a Cybersecurity Expert Witness to provide testimony.  The defendant filed a motion to exclude this testimony.  The court denied the motion to exclude.

Facts:  This case (Southern Independent Bank v. Fred’s Inc. – United States District Court – Middle District of Alabama – March 13th, 2019) involves a data-security breach.  The plaintiff claims damages in the form of actual fraud losses, card reissuance costs, lost revenue, and ancillary costs that it alleges stemmed from the defendant’s negligent failure to maintain adequate cybersecurity.  The plaintiff hired Ian Ratner (Cybersecurity Expert Witness) to provide expert testimony.  The defendant has filed a motion to exclude Ratner’s testimony.

Discussion:  The defendant first argues that Ratner is not qualified to opine on the impact of data breaches on financial institutions.  Second, it argues that Ratner’s methodology used to arrive at his opinions on those issues is unreliable.

The defendant argues that Ratner is a forensic accountant who has no experience working in the payment card industry.  Thus, it argues, Ratner should not be testifying about how issuing banks should act in response to a CAMS alert or how a CAMS alert can be used to prove causation of fraudulent damages.  The court opines that Ratner is qualified under Daubert to testify about the impact of data breaches on issuing banks.  The court notes that, in addition to his general experience investigating fraud with respect to payment cards, Ratner was retained in an identical capacity in a Home Depot litigation as a damages expert on behalf of issuing banks, in which he used similar methodologies to determine what damages the banks suffered as a result of a data breach.

Also, the defendant has not explained why forensic accounting is so far removed from analyzing the financial impact data breaches have on banks that experience in the former is not relevant in the latter.

The defendant also seeks to exclude Ratner’s testimony on the ground that the methodologies he utilizes in determining causation and reasonableness of damages are not reliable.  Ratner proposes to use the CAMS alert system to determine which cards experienced fraud as the result of the defendant’s data breach.  The court opines that Ratner’s proposal is reliable under Daubert.

The court notes that any arguments on this issue are better made at cross-examination, rather than at this point in time.

Conclusion:  The motion to exclude Ian Ratner from testifying is denied.