Cybersecurity Expert Witness Testimony Allowed in Part in Data Breach Litigation

Summary:  Cybersecurity Expert Witness testimony allowed in part as the court decided that the expert’s testimony was reliable based on his experience in cypersecurity forensics.

Facts:  This case (Savidge et al v. Pharm-Save, Inc. et al – United States District Court – Western District of Kentucky – March 31, 2023) involves a data breach claim.  The plaintiffs Andrea Savidge and Beth Lynch, former employees of the defendant, claim that Pharm-Save should be held liable for a data-breach in which sensitive and personal information was compromised.  The complaint maintains that a few Pharma-Save employees released this information to cyber-criminals who posed as company executives.  To assist their case, the plaintiffs hired Cybersecurity Expert Witness Vincent D’Agostino to provide expert witness testimony.  The defendant filed a motion to exclude this expert from testifying.

Discussion: The court notes that Mr. D’Agostino has a bachelor’s degree in political science from Penn State University and a law degree from Hoftsra University.  Mr. D’Agostino worked for the FBI for eleven years and now works as the head of Cyber Forensics and Incident Response at BlueVoyant, a cyber defense firm.  The court states that the defense does not contest Mr. D’Agostino’s qualifications and the court opines that he has the knowledge, education, and experience to qualify as an expert witness in this case.

The defendant does argue that Mr. D’Agostino’s testimony should be excluded because he only performed a few Google searches to reach his conclusions.  The plaintiffs reply by stating that his expert witness opinions were taken from his experience and were not from any independent research that was performed.  The court concluded that D’Agostino’s experience explains how he reached his conclusions, explaining the rationale that backs up his conclusions.

In addition, the court opines that D’Agostino’s expert witness opinion will assist the trier of fact in determining whether Pharm-Save was negligent in failing to protect against a the phishing scam that led to the data breach.

The court, however, does grant Pharm-Save’s motion to exclude D’Agostino’s expert opinion that Barbara Houghton was “grossly negligent.”

Conclusion:  The motion to exclude the expert witness testimony of Vincent D’Agostino is granted in part and denied in part.