A thousand questions immediately flood any lawyer’s mind when they first hear that their client may have been affected by a data breach. How did it happen? What data were affected? Was there any personal information affected, what type, and how much? When did it happen? How much time passed before we discovered it? These are a few of the questions that must be answered—and answered fast—before you can advise your client on the many time-sensitive, high-stakes legal obligations that arise from a data breach.

It is increasingly common that lawyers need technical experts to gather and provide the information necessary to answer these questions. Whenever that is the case, there is an argument to be made that attorney-client privilege should attach to the communications associated with the work that these experts perform, including written reports that communicate the results of interviews, forensic exams, and similar investigatory activities. It also may be reasonable to anticipate that a legal dispute will arise from the data breach, in which case materials produced by technical experts may be protected by the work-product doctrine. But neither privilege is absolute, so an organization must take proper precautions during the investigation and response to help shield the materials from discovery by opposing counsel in the event of litigation.

Class action litigation arising from Target’s massive 2013 data breach provides a valuable lesson in what those precautions should look like. According to Target, after learning that the company may have experienced a breach, Target’s chief legal officer initiated an investigation to provide information to a “Data Breach Task Force” specifically intended to enable in-house and outside counsel to advise Target on its legal obligations. A class of financial institution plaintiffs sought discovery of the Data Breach Task Force investigation as part of their bid to recover significant monetary losses suffered from the breach. Target asserted attorney-client privilege and work product protection in defense of the request. The trial court largely agreed with Target, ruling that most of the information sought by the plaintiffs was protected from discovery.

The court’s order reveals several strategies for prevailing on a future privilege claim to protect breach response documentation:

Again, legal privileges are never absolute. These strategies are intended to clarify a few points that often positively influence assertions of privilege, but they do not guaranty success. However, keeping these approaches top-of-mind at the outset of a breach response, or even including them in your practice breach response drills, is good exercise to help ensure your privilege defense remains fit throughout the (hopefully) controlled chaos of a data breach.

Poyner Spruill’s Privacy and Information Security team includes practitioners working exclusively in the area of privacy and data security. They have a combined total of almost 20 years of experience counseling clients from most industries on all aspects of privacy and data security compliance, deal negotiation, records management, and data breach response.

◀︎ Back to Thought Leadership