Businesses in all industries and of all sizes collect data about their customers, prospective clients, and workforce. That collection can be as simple as processing credit cards for purchases or tracking consumer behavior on websites and social media platforms, or it can extend to large volumes of sensitive financial, location, or health information. When an incident occurs, a business is obligated to respond quickly to contain the problem and, under applicable national or state law, may have to notify consumers that their information was subject to unauthorized access. Navigating these uncharted waters usually means bringing in counsel to assess whether a “breach” has occurred, what information was accessed, how much of it, and whose, and to prepare for potential litigation by the consumers whose data was exposed.

As part of this response, counsel often calls on cybersecurity experts to provide incident response services and breach analysis so that the severity of the breach and the company’s data security posture can be understood. These forensic assessments serve several purposes: determining the immediate steps needed to comply with data breach laws, confirming that the compromise has been contained and resolved, and identifying weak points in the company’s cybersecurity safeguards so that a stronger infrastructure can be built to avoid future incidents.

When companies face litigation over a data breach, plaintiffs’ attorneys routinely demand these reports and related documentation in discovery, because they contain highly relevant information about the breach itself and about the company’s cybersecurity response, policies, and infrastructure. Whether such discovery should be permitted is a relatively new question in the legal landscape and one that experts in the field continue to debate. On one hand, the report can be a goldmine that allows plaintiffs to prove their cases. On the other, public policy should encourage companies to analyze and address their data security condition without fear that they are building an arsenal of documentation that could later be used against them.

In certain circumstances, courts have ruled that forensic breach investigations are protected by the Attorney-Client Privilege or the Work-Product Doctrine and are therefore shielded from discovery. This was the outcome in 2017, when a California federal judge found that Experian did not have to produce the investigation documents tied to the 2015 breach of T-Mobile customer data, reasoning that the report had been ordered by and prepared for Experian’s attorneys in anticipation of litigation and was therefore protected under the Work-Product Doctrine. Since then, thought leaders on this topic have weighed in with recommendations on how these doctrines should apply in the cybersecurity context. Most recently, the Sedona Conference published The Sedona Conference Commentary on Application of the Attorney-Client Privilege and Work-Product Protection to Documents and Communications Generated in the Cybersecurity Context to work through these complex concerns.[1]

The most recent decision involving the Work-Product Doctrine has taken a different stance and distinguished itself from the prior case law: a Virginia district court ordered Capital One to produce cybersecurity reports and documentation relating to its 2019 data breach.[2] In deciding whether the reports were protected by the Work-Product Doctrine, the court asked “whether the [cybersecurity report] would have been prepared in substantially similar form but for the prospect of litigation.” Id. at 7. The court concluded that the reports were not protected and held that outside counsel’s retention of a firm to conduct a breach analysis does not, by itself, bring those reports within the doctrine’s protection. The decision also relied on the fact that Capital One had a long-standing relationship with the cybersecurity firm, and that the reports were “used by Capital One for various business and regulatory purposes.” Id. at 10.

While the broader impact of this decision on the availability of evidentiary protections in the cybersecurity realm remains to be seen, businesses facing data breach litigation should be diligent and remain mindful of the potential implications of the Capital One decision. With that in mind, the following are some suggestions businesses and their legal teams might want to consider:

  1. The cybersecurity firm conducting the investigation should be retained by outside counsel, not by the business directly.
  2. If the business has a pre-existing relationship with a cybersecurity firm for day-to-day matters, a different firm should be retained for the forensic investigation. This matters for privilege, but it is also a best practice: an objective third party that had no role in building the business’s current security posture is better placed to conduct the assessment, avoiding bias, conflicts of interest, and the risk of overlooking vital information.
  3. The Statement of Work for the security firm should clearly define the nature of the work and the closing deliverables as they relate to the legal response to the breach and to potential or pending litigation, rather than to ordinary business or regulatory needs.
  4. To avoid waiving any evidentiary protection, the report should not be disclosed to anyone who is not directly involved in the legal response to the breach or in preparing for or responding to litigation (i.e., it should not be provided to the company’s business or IT teams). As the Capital One decision illustrates, a report that is put to “various business and regulatory purposes” is far harder to characterize as having been prepared because of litigation.

To be sure, we expect continued activity in this space as incidents increase in frequency, scope, and potential liability. Taft’s Privacy & Data Security Group is ready to assist clients in navigating the ever-changing landscape of cybersecurity law, working to avoid breaches, and preparing to respond in the event that a breach is discovered.

[1] The Sedona Conference, Commentary on Application of Attorney-Client Privilege and Work-Product Protection to Documents and Communications Generated in the Cybersecurity Context, 21 Sedona Conf. J. 1 (forthcoming 2020), https://thesedonaconference.org/publication/Commentary_on_Application_of_Attorney-Client_Privilege_and_Work-Product_Protection_to_Documents_and_Communications_Generated_in_the_Cybersecurity_Context.

[2] In re: Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (E.D. Va. May 26, 2020).