If your company experiences a data breach, the first person you should contact is your lawyer. While this advice is certainly self-serving to the authors, it is nevertheless the most prudent course of action.
In the first few moments after a data breach, everything you say or do is discoverable in subsequent litigation or other legal proceedings absent the protections afforded by the attorney-client privilege or attorney work product doctrine. Direct communications with and work performed by a forensic firm without the assistance of outside counsel will not be protected. It is critical, therefore, that your first call is to your lawyer to coordinate the company’s breach response.
Recently, a California district court found that a report generated by Mandiant, an outside IT forensic firm retained at the request of counsel, Jones Day, was protected from disclosure by the attorney work product doctrine. In re Experian Data Breach Litigation, Case No. 15-cv-1592 (C.D. Cal.) (Order issued 5.18.2017). In October 2015, Experian, one of the three largest, U.S.-based consumer credit reporting agencies, suffered a data breach that affected 15 million people. The breach exposed names, dates of birth, addresses, Social Security numbers and/or drivers’ license numbers. Experian immediately hired counsel who in turn hired Mandiant to investigate the data breach. A class action was filed the next day, and dozens of other class actions were consolidated into a matter in the U.S. District Court for the Central District of California. The plaintiffs requested a copy of Mandiant’s report and documents related to the investigation. Experian objected, arguing that the documents are privileged and protected by the work product doctrine. Plaintiffs moved to compel the production of the documents.
The court denied plaintiffs’ motion to compel, holding that the documents were protected from discovery by the attorney work product doctrine. The court reasoned, “the evidence here establish that Jones Day instructed Mandiant to do the investigation and, but for the anticipated litigation, the report wouldn’t have been prepared in substantially the same form or with the same content.” Since the court found that the report is protected under the work product doctrine, the court did not address whether the report was also protected by the attorney-client privilege. See also In re: Target Corp. Customer Data Security Breach Litigation, MDL No. 14-2522 (D. Minn. 2015) (finding that documents related to a forensic investigation were protected by both attorney-client privilege and attorney work product doctrine).
These cases are instructive to companies seeking to minimize the risk of disclosure of a forensic data breach report. Here are some specific considerations when seeking to maintain the confidentiality of a post-breach investigation:
- The forensic team should be hired by outside counsel, not the company
- The engagement letter between the company and outside counsel should state that outside counsel may need to hire a forensic firm
- The forensic firm’s scope of work should expressly state that the purpose of the engagement is to assist counsel with providing legal advice to the company
- Don’t share the forensic firm’s full report with anyone other than in-house counsel
- Incorporate the forensic firm’s findings into a legal memorandum, relating those findings to the legal advice provided to the company
If you have any questions regarding how to best protect your company, please contact any of us in Miller Johnson’s Privacy and Cybersecurity team.
This blog post was authored by Jeff Muth, Jason Crow and Alex Contreras.