In the unfortunate event that an organization suffers a data breach, it should endeavor to engage the assistance of counsel as early as possible. Counsel can not only provide guidance on the necessary remediation steps and legal responsibilities, but can also control the manner in which documents concerning the breach are prepared and marked. By doing so, certain legal protections could attach to those documents should litigation arise, thereby allowing counsel the ability to manage the manner and flow of that material as part of its overall litigation strategy. That point was driven home recently in a May 15, 2017 ruling in the matter of In Re: Experian Data Breach Litigation (SACV 15-1592). In Experian, the Court found that a report prepared by a forensics consultant in the immediate aftermath of a data breach was protected from disclosure because it was prepared at the direction of counsel.

Experian involved a consolidated class action brought by plaintiffs whose personally identifiable information was allegedly compromised when the defendant, Experian, suffered a data breach. As explained by the Court, in September 2015, Experian learned that one of its systems was breached by an unauthorized third party. Experian immediately retained outside litigation counsel for legal advice regarding the attack, who, in turn, hired an outside forensics firm to conduct an expert report analysis of the attack. On October 1, 2015, Experian announced its data breach, and one day later, the first complaint was filed alleging claims related to the breach. The consultant report was finished by the end of October 2015 and given to outside counsel, who subsequently provided it to Experian’s in-house counsel. The report, according to Experian, was prepared to help counsel provide legal advice regarding the attack, and is continuing to be used by counsel for that purpose.

As far as the dispute at issue, the plaintiffs asked the Court to compel Experian to produce the consultant’s report and related documents as discovery in the litigation. Experian argued that the report should not be disclosed because it is protected under the work product doctrine (generally, the work product doctrine is a qualified privilege for certain materials prepared by an attorney acting for his or her client in anticipation of litigation, and extends to documents created by investigators working for attorneys, provided the documents were created in anticipation of litigation). Plaintiffs’ core argument as to why the report was not work product was that Experian had independent business duties to investigate any data breaches, and that it hired the consultant to do exactly that after realizing that its own experts lacked sufficient resources.

While the Court agreed that Experian did in fact have independent business duties to remedy, investigate and remediate the breach, it found that the record before the Court made clear that the consultant conducted the investigation and prepared its report for outside counsel in anticipation of litigation, even if that wasn’t the consultant’s only purpose. The Court further found that Experian’s argument was buttressed by the fact that the full report was not given to Experian’s Incident Response Team (“if the report was more relevant to Experian’s internal investigation or remediation efforts, as opposed to being relevant to defense of this litigation, then the full report would have been given to that team.”) Thus, the Court concluded that the evidence established that Experian’s outside counsel instructed the forensic consultant to do the investigation and, but for the anticipated litigation, the report wouldn’t have been prepared in substantially the same form or with the same content.

This case underscores the importance of businesses engaging counsel early on when a data breach occurs so that strategic decisions, including those related to the retention of an outside forensics consultant, can be made with a view towards offering businesses maximum protection should litigation arise. One such decision should be to make sure that counsel, rather than a company’s CISO or other member of its incident response or IT teams, retains the services of an outside consultant to investigate the breach.

Finally, it is worth noting that the Experian decision is consistent with two other cases which have addressed this issue: Genesco, Inc. v. Visa U.S.A., Inc., No. 3:13-cv-00202 (M.D. Tenn. Mar. 25, 2015) and In re: Target Corporation Customer Data Security Breach Litigation, No. 14-2522 (D. Minn. Oct. 23, 2015).