ABA Litigation Group – “Analyzing how best to preserve attorney-client privilege and work product protections over data breach investigatory reports in light of changing trends. In-house counsel faced with a data breach encounter a difficult balancing act. On one hand, it is critical to determine the cause of the breach and generate a plan to bolster security systems to reduce the likelihood of similar occurrences in the future. On the other hand, these same reports, usually performed by third-party consulting companies, can generate damning evidence for affected parties in ensuing litigation. Whether such reports are subject to production in litigation often turns on a handful of minutiae, such as the primary purpose of the report’s creation and whether the company maintains a clear line between business and legal functions. As a matter of practicality and necessity, that line often becomes blurred quite quickly, and several recent case decisions demonstrate the pitfalls that can result in inadvertent production of these reports in litigation. One of the earlier reported decisions involved Target’s successful objection to production of a data breach report on the basis of privilege in class-action litigation. See In re Target Corp. Customer Data Sec. Breach Litig., No. MDL142522PAMJJK, 2015 WL 6777384 (D. Minn. Oct. 23, 2015). Unlike many of the cases that followed, Target succeeded in protecting its data breach investigatory report from production in litigation. Following the Target decision, the tide has turned significantly regarding the production of data breach reports in litigation. These cases all tend to have similar threads: whether, and to what extent, these reports are generated for the purpose of providing legal advice or in anticipation of litigation and, most importantly, whether the company can prove either of those prongs…”
Sorry, comments are closed for this post.