There are many steps that a company should take to prepare for a data breach. As , one of the most important steps is to hire outside legal counsel. Not only will outside legal counsel advise the company how to comply with applicable legal requirements, but establishing a relationship with outside legal counsel will allow the company to shield certain communications that were made for the purpose of obtaining legal advice through the application of the attorney-client privilege.
The attorney-client privilege generally shields communications made for the purpose of providing legal advice. During the course of a data breach investigation, the line can become blurred as to whether certain communications are privileged. This issue has come up during recent high profile data breach litigation; specifically, during the Target data breach class action.
Lessons learned from the Target data breach
Target suffered a massive data breach in 2013. The data breach gave rise to a variety of class action suits against Target based on its alleged failure to protect customer financial data. In the class action brought by the affected financial institutions, the plaintiffs sought discovery of certain documents that were created during the course of Target’s investigation.
Target withheld certain materials from production, claiming attorney-client privilege and work-product protection. Target argued that it had established a two-track internal data breach investigation. One investigation was performed to understand how the breach occurred, and produced ordinary course of business information that was discoverable during the litigation. The other investigation was conducted for the purpose of providing legal advice and to allow Target’s legal counsel to provide informed advice to its client. The information from that second investigation was privileged and not discoverable.
The court reviewed Target’s investigation method and the relevant documents, and it agreed that most of the requested documents were not discoverable since they were protected by the attorney-client privilege and work product doctrine. Target’s approach to its data breach investigation can be instructive for other companies in similar situations.
Three tips to maintain the attorney-client privilege
A company’s management can take steps before a data breach occurs to prepare its response. Here are three tips for maintaining the attorney-client privilege:
- Retain outside counsel: Companies should work with outside legal counsel prior to a data breach to develop a data breach response plan. However, following a data breach, retaining outside legal counsel, rather than relying on in-house counsel, will strengthen claims of attorney-client privilege, since in-house lawyers are regularly asked to provide ordinary business advice along with legal advice.
- Consider privilege from the outset: Companies should take steps at the outset of a data breach investigation to preserve the attorney-client privilege. The company should determine with outside counsel how the privilege will be established and maintained, not only between the company and outside counsel but with any experts and vendors that are brought into the investigation. For example, any agreements with technical experts should state that their services are being sought in anticipation of litigation.
- Is a two-track investigation the correct approach for your company?: The Target litigation demonstrated the benefits of a two-track investigation. Target effectively separated the business investigation it was conducting from the investigation it was conducting to address future litigation. By creating that distinction, it was easier for Target to assert the attorney-client privilege and work-product doctrine to withhold information. Ideally, a company would proceed as Target did, to create the strongest possible claim of privilege. However, if a company does not have the resources to create two distinct investigations, steps should be taken to clearly separate out and identify information and communications that are produced for legal purposes versus those produced for business purposes.
Working with outside counsel
Data breach investigations produce a lot of information much of which a company will not want to share. Working with outside legal counsel during a data breach investigation can help shield information from unwanted disclosure. If you have any questions regarding data breach response or data privacy, please contact Tim Hayes at McKenna Storer