Third Circuit Cybersecurity Expert Testimony Requirements | Pietragallo Gordon Alfano Bosick & Raspanti, LLP
Takeaway: In many data breach cases, a cybersecurity expert can assess whether the company’s security measures were reasonable and appropriate or, alternatively, whether the company lacked the technology required to detect a breach. In certain circumstances, however, a party’s proposed expert may be challenged on the basis of unfair prejudice. Yet under the Third Circuit’s “generally liberal qualified expert standard,” such a challenge was recently overcome by a party whose expert had advanced computer skills and over 20 years of relevant professional experience, and who offered an opinion whose probative value outweighed any danger of unfair prejudice.
Key points: Rule 702 of the Federal Rules of Evidence sets out the standards for the admissibility of expert testimony. As the Third Circuit Court of Appeals explained:
“Rule 702 has three main requirements: (1) the proposed witness must be an expert, that is, he must be qualified; (2) the expert must testify on matters requiring scientific, technical or specialized knowledge [, i.e., reliability]; and (3) the expert testimony must assist the trier of fact [, i.e., fit].”[1]
Regarding the first requirement, qualification, the Third Circuit said it had “a generally liberal standard of qualified experts.”[2] “Rule 702 requires the witness to have ‘special knowledge’ regarding the area of testimony. The basis of this specialist knowledge can be practical experience as well as academic training and degrees.”[3]
In addressing the second requirement, reliability, the Third Circuit drew from the seminal case of Daubert the following non-exclusive factors for determining reliability:
“(1) if a method consists of a testable hypothesis; (2) whether the method has been peer reviewed; (3) known or potential error rate; (4) the existence and maintenance of standards controlling the operation of the technique; (5) whether the method is generally accepted; (6) the relationship between the technique and the methods whose reliability has been established; (7) the qualifications of the expert witness testifying on the basis of the methodology; and (8) the non-judicial uses for which the method was intended.”[4]
Finally, expert testimony must also “fit” the facts of the case. As the Third Circuit noted:
In assessing whether the testimony offered by an expert is “suitable”, we ask “if [the] expert evidence offered … is sufficiently related to the facts of the case to assist the jury in resolving a factual dispute.” In other words, it’s a matter of relevance, and “Rule 702, which governs the admissibility of expert testimony, has a liberal admissibility policy” if it has the “potential to assist the trier of fact”.[5]
Discussion: The requirements of Rule 702 were recently discussed by a Pennsylvania district court in Orbital Engineering, Inc. v. Buchko, 578 F.Supp.3d 736 (W.D. Pa. Jan. 5, 2022), in which defendant Jeffrey J. Buchko (“Buchko”) filed a motion in limine to exclude the testimony of Donald J. Price (“Price”), an expert proposed by plaintiff Orbital Engineering, Inc. (“Orbital”) on information technology (“IT”) and cybersecurity matters. Price’s qualifications included a master’s degree in information systems management as well as more than 20 years of experience advising entities on their IT systems, conducting cybersecurity assessments, leading cybersecurity incident response teams and directing digital forensic investigations. Price also acted as the Senior Certified Digital Forensics Examiner responsible for incident response and digital forensics expertise for the FBI’s Computer Analysis and Response Team during his 15 years with the Federal Bureau of Investigation.[6]
Buchko had been employed as Chief Operating Officer (“COO”) of Orbital and was responsible for Orbital’s IT and for ensuring that Orbital’s cybersecurity complied with relevant industry practices and standards. In November 2019, Orbital suffered a major ransomware attack that cost the company millions of dollars in damages, and it blamed the attack on Buchko’s “refusal and failure to strengthen the cybersecurity defenses of the company (or to dedicate the necessary staff and resources to do so)”.[7]
Orbital argued that Buchko’s actions (or inactions) constituted gross negligence and willful misconduct. Specifically, Orbital submitted that:
“[t]hroughout 2019, Buchko failed and refused to devote significant time or effort to overseeing Orbital’s IT infrastructure and security measures. He spent no time or effort to ensure that the company’s (outdated) IT policies were adhered to. Buchko has not authorized any expenditures to strengthen or improve the company’s technology defenses, despite repeated requests for such expenditures from the company’s IT administrator. Buchko also ignored numerous requests, warning signs and other complaints throughout 2019 to tighten and strengthen the company’s security protocols and antivirus software.”[8]
In opposition, Buchko asserted that Price was not qualified to render expert opinions on the topics he was discussing. Further, he argued that Price’s methodologies were unreliable, that his opinions lacked reliability and “fit” and that his inappropriate conflation of Buchko’s job responsibilities as COO with those of the head of the IT department could mislead the jury.[9]
In support of Price’s proposed testimony, Orbital offered a report authored by Price discussing Orbital’s lack of compliance with industry standards relating to its IT function and cybersecurity policies and procedures, and attributing responsibility for Orbital’s non-compliance to Buchko.[10]
The Court analyzed Orbital’s proposed expert under each of the requirements of Rule 702 and determined that Price’s proposed testimony met the standards of qualification, reliability and “fit”. Additionally, it noted that Price’s report regarding Buchko’s alleged misconduct was “sufficiently related to the facts of the case to assist the jury in resolving the differences between the parties”.[11] The Court acknowledged that Buchko could certainly cross-examine Price on the issues he would testify on, but those issues go to the weight of his testimony, not its admissibility. Importantly, it noted that while portions of Price’s proposed testimony “may be prejudicial to Buchko, [Buchko] failed to show that the probative value of Mr. Price’s testimony is outweighed by the danger of unfair prejudice.”[12]
Accordingly, the Court found that Price can provide relevant information regarding his knowledge of the organization and/or business structure that may support his qualifications and can also testify to his views on industry standards regarding cybersecurity and IT functions. However, the Court barred Price from offering any testimony or opinion, to the extent that his report does, regarding the abstract responsibilities that a hypothetical COO might have for IT or cybersecurity.[13]
[1] United States v. Schiff, 602 F.3d 152, 172 (3d Cir. 2010) (citing Pineda v. Ford Motor Co., 520 F.3d 237, 243-44 (3d Cir. 2008)).
[2] Elcock v. Kmart Corp., 233 F.3d 734, 742 (3d Cir. 2000).
[3] Waldorf v. Shuta, 142 F.3d 601, 625 (3d Cir. 1998) (citation omitted).
[4] Elcock, 233 F.3d at 745-46 (citing In re Paoli R.R. Yard PCB Litig., 35 F.3d 717, 742 n.8 (3d Cir. 1994)).
[5] Schiff, 602 F.3d at 172-73 (citations omitted).
[6] Orbital Engineering, Inc. v. Buchko, 578 F.Supp.3d 736 (W.D. Pa. Jan. 5, 2022); (Pl.’s Reply to Def.’s Mot. To Excl. Testimony and Rpts. of Donald J. Price, ECF No. 314).
[7] Id.
[8] Id.
[9] Orbital Engineering, Inc., 578 F.Supp.3d at 740.
[10] Id. at 743.
[11] Id. at 742.
[12] Id. at 743.
[13] Id.