19
October
2017
Posts Tagged with: Work Product
Please be advised that contacting Miller Johnson or one of its attorneys by email does not constitute establishing an attorney-client relationship or otherwise confidential relationship between you and the Firm. Please do not give us any information you regard as confidential until a formal attorney-client relationship has been established. Any information you give to us before establishing an attorney-client relationship will not be regarded as privileged or confidential. Do you wish to proceed?
"*" indicates required fields
If your company experiences a data breach, the first person you should contact is your lawyer. While this advice is certainly self-serving to the authors, it is nevertheless the most prudent course of action.
In the first few moments after a data breach, everything you say or do is discoverable in subsequent litigation or other legal proceedings absent the protections afforded by the attorney-client privilege or attorney work product doctrine. Direct communications with and work performed by a forensic firm without the assistance of outside counsel will not be protected. It is critical, therefore, that your first call is to your lawyer to coordinate the company’s breach response.
Recently, a California district court found that a report generated by Mandiant, an outside IT forensic firm retained at the request of counsel, Jones Day, was protected from disclosure by the attorney work product doctrine. In re Experian Data Breach Litigation, Case No. 15-cv-1592 (C.D. Cal.) (Order issued 5.18.2017). Click here for the Order. In October 2015, Experian, one of the three largest, U.S.-based consumer credit reporting agencies, suffered a data breach that affected 15 million people. The breach exposed names, dates of birth, addresses, Social Security numbers and/or drivers’ license numbers. Experian immediately hired counsel who in turn hired Mandiant to investigate the data breach. A class action was filed the next day, and dozens of other class actions were consolidated into a matter in the U.S. District Court for the Central District of California. The plaintiffs requested a copy of Mandiant’s report and documents related to the investigation. Experian objected, arguing that the documents are privileged and protected by the work product doctrine. Plaintiffs moved to compel the production of the documents.
The court denied plaintiff’s motion to compel, holding that the documents were protected from discovery by the attorney work product doctrine. The court reasoned, “the evidence here establish that Jones Day instructed Mandiant to do the investigation and, but for the anticipated litigation, the report wouldn’t have been prepared in substantially the same form or with the same content.” Since the court found that the report is protected under the work product doctrine, the court did not address whether the report was also protected by the attorney client privilege. See also In re: Target Corp. Customer Data Security Breach Litigation, MDL No. 14-2522 (D. Minn. 2015) (finding that documents related to a forensic investigation were protected by both attorney-client privilege and attorney work product doctrine).
These cases are instructive to companies seeking to minimize the risk of disclosure of a forensic data breach report. Here some specific considerations when seeking to maintain the confidentiality of a post-breach investigation:
If you have any questions regarding how to best protect your company, please contact any of us in Miller Johnson’s Privacy and Cybersecurity team.
This blog post was authored by Jeff Muth, Jason Crow and Alex Contreras.