A recent decision in the Target litigation over a data security breach that occurred during the 2013 holiday season has reaffirmed the validity of the well-established practice of conducting two-track investigations after a data security breach.
Two-track investigations permit a company to conduct a swift, non-privileged investigation of how a data breach occurred, while pursuing, with a different team, a separate privileged investigation to assist in-house and outside counsel to provide legal advice to the company. In the Target litigation, the court denied a motion to compel certain attorney-client and work-product privileged materials generated in the course of Target's internal investigation because of Target's two-track approach to investigating the breach. In re Target Corp. Customer Data Sec. Breach, MDL No. 14-2522 (D. Minn. Oct. 25, 2015).