Takeaway: In many data breach cases, a cybersecurity expert may evaluate whether the company’s security measures were reasonable and appropriate or, alternatively, whether the company lacked the requisite technology to detect a breach. In some circumstances, however, a party’s proposed expert may be challenged on the basis of unfair prejudice. Yet, under the Third Circuit’s “generally liberal standard of qualifying experts,” such a challenge was recently overcome by a party whose expert had advanced IT credentials and 20+ years of relevant professional experience and offered an opinion with probative evidentiary value that outweighed any danger of unfair prejudice.
Key Points: Rule 702 of the Federal Rules of Evidence sets forth the standards for admissible expert testimony. As explained by the Third Circuit Court of Appeals:
“Rule 702 has three major requirements: (1) the proffered witness must be an expert, i.e., must be qualified; (2) the expert must testify about matters requiring scientific, technical or specialized knowledge [, i.e., reliability]; and (3) the expert’s testimony must assist the trier of fact [, i.e., fit].”
Regarding the first requirement, qualification, the Third Circuit has stated that it has “a generally liberal standard of qualifying experts.” “Rule 702 requires the witness to have ‘specialized knowledge’ regarding the area of testimony. The basis of this specialized knowledge can be practical experience as well as academic training and credentials.”
When addressing the second requirement, reliability, the Third Circuit has derived from the seminal case of Daubert the following non-exclusive factors for determining reliability:
“(1) whether a method consists of a testable hypothesis; (2) whether the method has been subject to peer review; (3) the known or potential rate of error; (4) the existence and maintenance of standards controlling the technique’s operation; (5) whether the method is generally accepted; (6) the relationship of the technique to methods which have been established to be reliable; (7) the qualifications of the expert witness testifying based on the methodology; and (8) the non-judicial uses to which the method has been put.”
Lastly, an expert’s testimony must also “fit” the facts of the case. As the Third Circuit remarked:
In assessing whether an expert’s proposed testimony “fits,” we are asking “whether [the] expert testimony proffered … is sufficiently tied to the facts of the case that it will aid the jury in resolving a factual dispute.” Put another way, this is a question of relevance, and “Rule 702, which governs the admissibility of expert testimony, has a liberal policy of admissibility” if it has the “potential for assisting the trier of fact.”
Discussion: Rule 702’s requirements were recently discussed by a District Court in Pennsylvania in Orbital Engineering, Inc. v. Buchko, 578 F.Supp.3d 736 (W.D. Pa. Jan. 5, 2022), wherein Defendant Jeffrey J. Buchko (“Buchko”) filed a motion in limine to exclude the testimony of Donald J. Price (“Price”), an expert proffered by Plaintiff Orbital Engineering, Inc. (“Orbital”) on information technology (“IT”) and cybersecurity issues. Price’s qualifications included a master’s degree in Information Systems Management as well as 20+ years of experience consulting and advising entities concerning their IT systems, conducting cybersecurity assessments, leading cybersecurity incident response teams, and directing digital forensic investigations. Price also acted as a Certified Senior Digital Forensic Examiner responsible for incident response and digital forensics expertise for the FBI’s Computer Analysis and Response Team during his 15 years with the Federal Bureau of Investigation.
Buchko had been employed as the Chief Operating Officer (“COO”) of Orbital and was responsible for Orbital’s IT and for ensuring that Orbital’s cybersecurity conformed with relevant industry practices, standards, and norms. In November 2019, Orbital suffered a significant ransomware attack that caused the company to lose millions of dollars in damages, and it attributed blame to Buchko’s “refusal and failure to fortify the Company’s cyber-security defenses (or to devote the personnel and resources necessary to do so).”
Orbital argued that Buchko’s actions (or inactions) constituted gross negligence and willful misconduct. Specifically, Orbital argued that:
“[t]hroughout 2019, Buchko failed and refused to devote any meaningful time or efforts to oversee Orbital’s IT infrastructure and security measures. He did not devote any time or effort to ensure that the company’s (outdated) IT policies were being followed. Buchko did not authorize a single expenditure to fortify or improve the company’s technological defenses, despite repeated requests for such expenditures from the company’s IT administrator. Buchko likewise ignored numerous requests, warning signs and other complaints throughout 2019 to strengthen and reinforce the company’s security protocols and anti-virus software.”
In opposition, Buchko asserted that Price is not qualified to render expert opinions on the topics he discusses. Further, he argued that Price’s methodologies are unreliable, his opinions lack reliability and “fit,” and his improper conflation of Buchko’s job responsibilities as COO with those of the head of the IT department could mislead the jury.
In support of Price’s proposed testimony, Orbital offered a report authored by Price discussing Orbital’s lack of compliance with industry standards relating to its IT function and cybersecurity policies and procedures, placing the blame for Orbital’s noncompliance on Buchko.
The Court analyzed Orbital’s proposed expert under each of Rule 702’s requirements and determined that Price’s proposed testimony met the standards of qualification, reliability, and “fit.” Moreover, the Court noted that Price’s report regarding Buchko’s alleged misconduct was “sufficiently tied to the facts of the case such that it will aid the jury in resolving the parties’ disputes.” The Court acknowledged that Buchko can certainly cross-examine Price as to the issues he would testify to, but those issues go to the weight of his testimony, not its admissibility. Importantly, the Court noted that while portions of Price’s proposed testimony “may be prejudicial to Buchko, [Buchko] has not demonstrated that the probative value of Mr. Price’s testimony is substantially outweighed by the danger of unfair prejudice.”
Accordingly, it was held that Price may provide relevant background regarding his familiarity with corporate organization and/or structure that may support his qualifications and may also testify as to his opinions about industry standards regarding cybersecurity and IT functions. However, the Court precluded Price from expressing any testimony or opinions, to the extent that his report does so, regarding the abstract responsibilities that a hypothetical COO may have with respect to IT or cybersecurity.
 United States v. Schiff, 602 F.3d 152, 172 (3d Cir. 2010) (quoting Pineda v. Ford Motor Co., 520 F.3d 237, 243-44 (3d Cir. 2008)).
 Elcock v. Kmart Corp., 233 F.3d 734, 742 (3d Cir. 2000).
 Waldorf v. Shuta, 142 F.3d 601, 625 (3d Cir. 1998) (citation omitted).
 Elcock, 233 F.3d at 745-46 (quoting In re Paoli R.R. Yard PCB Litig., 35 F.3d 717, 742 n.8 (3d Cir. 1994)).
 Schiff, 602 F.3d at 172-73 (citations omitted).
 Orbital Engineering, Inc. v. Buchko, 578 F.Supp.3d 736 (W.D. Pa. Jan. 5, 2022); (Pl.’s Reply to Def’s Mot. To Excl. Testimony and Rpts. of Donald J. Price, ECF No. 314).
 Orbital Engineering, Inc., 578 F.Supp.3d at 740.
 Id. at 743.
 Id. at 742.
 Id. at 743.
* This blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no attorney-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional attorney. Readers are urged to consult their own legal counsel or reach out to any of Pietragallo’s attorneys on any legal questions concerning a specific situation.