August 31, 2017 Articles

Protecting Breach Investigation Reports in Litigation

The more time that passes between when the breach is made public and the filing of litigation, the more likely it is that a court will rule against a finding of privilege.

By Brad C. Moody and Robert F. Walker

A recent opinion from the District Court for the Central District of California in In re Experian Data Breach Litigation, 15-cv-01592 (C.D. Cal. May 18, 2017) offers some examples of best practices for establishing the work-product privilege over certain investigation reports generated after a breach incident.

The Court’s Decision
In September 2015, Experian learned that it had been hacked and that the Social Security numbers of approximately 15 million of its customers had been compromised. Experian immediately retained outside counsel for legal advice in connection with the breach. Counsel then hired a cybersecurity consultant to educate counsel on the technical issues with the breach and help counsel provide legal advice to Experian. To conduct its work, the consultant reviewed forensic copies of Experian’s server and network. It did not have access to Experian’s live network.

On October 1, 2015, Experian publicly announced the breach. The first lawsuit against Experian was filed the next day. By the end of October 2015, the consultant finished its investigation of the breach and submitted a report to outside counsel.

Outside counsel then shared the report with the in-house lawyers for Experian, who in turn discussed the report with the company’s board of directors to devise the company’s strategy for defending against litigation. Notably, the full report was not given to Experian’s incident-response team.

In the pending litigation, the plaintiff filed a motion to compel production of the consultant’s report and documents related to that investigation. Experian opposed the motion, arguing that the work-product doctrine shielded the documents because the consultant’s work was done “in anticipation of litigation.”

On May 18, 2017, the district court sided with Experian and denied the plaintiff’s motion to compel. The court concluded that Experian established that the company’s outside counsel hired the consultant in anticipation of litigation. The court further held that “[t]he evidence here establish[es] that [outside counsel] instructed [the consultant] to do the investigation and, but for the anticipated litigation, the report wouldn’t have been prepared in substantially the same form or with the same content.” Moreover, Experian’s conclusion that litigation would follow was reasonable since a lawsuit was filed the day after Experian announced the breach.

What the court also found compelling was the fact that the full report was not shared with Experian’s incident-response team. The court, however, cautioned that not all reports prepared by the consultant for Experian were shielded. Since the consultant had provided similar forensic work to Experian in the past, reports submitted to Experian before outside counsel was hired could be subject to production in the lawsuit.

Protecting Your Reports in Litigation

The court’s decision is significant as it offers guidance for shielding the reports of experts hired to assist after breach incidents. However, the court was careful in limiting the scope of its holding by noting that the application of the privilege must be evaluated on a case-by-case basis.

Based on the Experian court’s opinion, here are some things to remember for future engagements with counsel and data security experts:

1. Insist that your legal counsel engage consultants after a breach. Whether the work-product privilege applies is decided by the particular facts of a case. However, the privilege is less likely to apply if a member of your company’s operations team engages the expert. The best practice is to engage your experienced outside counsel immediately and allow counsel to engage the consultants. Alternatively, if your company has in-house counsel, allow those lawyers to hire the consultant. Convincing a court that the work-product privilege applies will be easier if you can show that counsel directed the consultant’s work.

2. Clearly identify your company’s goals for engaging an expert. If the consultant is needed to help your IT department identify and plug the breach, it is less likely that the consultant’s findings will be privileged. Under those circumstances, the consultant will need to work with your IT department and incident-response team. The privilege may not attach once the consultant’s conclusions are widely used in the company’s operations.

However, that may not necessarily be a bad thing. Fixing the breach should be priority number one after an incident, and if your internal IT department or incident-response team lacks the resources or skill to remediate the breach, hiring an outside consultant will be necessary. Though litigation strategy is important, it does not necessarily need to drive every decision that is made after a breach.

3. Remember that the privilege can be waived. Some breaches trigger a duty to report to a government agency. For instance, HIPAA requires healthcare providers to report certain breaches to the Department of Health and Human Services. The reporting can lead to an investigation by the Office for Civil Rights. Outside consultants can help ensure that the risk that led to the breach is corrected. A report from such experts can also prove helpful in defending yourself during a government investigation. However, the downside is that any potential work-product privilege may be waived once a consultant’s report is given to a third party, like the government.

4. Be mindful that not all breaches will lead to litigation. To prove that the work-product privilege applies, there has to be evidence that you had an “objectively reasonable” belief that litigation would come from the breach. In the Experian case, it was not a stretch for the court to conclude that it was objectively reasonable for Experian to expect a lawsuit from the breach. Given the current litigation climate, companies like Experian are regularly sued when word gets out that sensitive customer information has been compromised. For Experian, it took only 24 hours for the first lawsuit to be filed. However, some types of breaches are not as likely to be litigated. Moreover, the more time that passes between when the breach is made public and the filing of litigation, the more likely it is that a court will rule against a finding of privilege.

Conclusion
The Experian court’s decision is a reminder that engaging experienced counsel to assist with an investigation is likely the most critical factor for establishing the work-product privilege. Having counsel direct the investigation provides a strong argument that the investigation was conducted in anticipation of some adverse legal proceeding.


Brad C. Moody and Robert F. Walker are shareholders at Baker Donelson in Jackson, Mississippi.


Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).