corpcounsel.com | June 20, 2016
Data Breach Response Teams: Best Practices for Preserving Privilege
From the Experts
Aaron P. Brecher
Most officers and directors could probably guess that they should immediately consult with counsel—both in-house and outside—upon learning that their company has been hit with a data breach. There are many decisions that need to be made early in the response process, including: whether and when to notify the authorities, when and how to notify those whose information may have been compromised and what steps must be taken to contain and remediate the breach. All of these decisions will be aided by the advice of experienced counsel familiar with the legal requirements surrounding data security.
Frank discussions between attorneys and their clients are critical to maintaining an effective partnership to protect the client’s legal rights. To that end, it’s important for companies to be able to use the attorney-client privilege and work-product doctrine to shield communications made for the purpose of obtaining legal advice—and documents created by their attorneys for the purpose of giving that advice. While the specific rules vary by jurisdiction, documents developed in the course of giving or obtaining legal advice are generally protected by the attorney-client privilege, the work-product doctrine or both. But information or documents produced for ordinary business purposes generally are not.
Because the technical aspects of data breaches are often complex and can vary significantly from incident to incident, companies will often need the advice of outside consultants in addition to their lawyers. When those consultants identify vulnerabilities in a company’s security setup, publicly disclosing those vulnerabilities can damage reputations in the market and also have implications for potential legal liability. Two court decisions help illustrate some of the circumstances in which a company will be able to withhold information gathered by investigators under claims of privilege.
A Typical Case: A Team of Experts to Help the Attorneys
In Genesco v. Visa (2014), Genesco, an apparel retailer, sued Visa in federal court in Tennessee after Visa tried to assess more than $13 million in noncompliance fines and reimbursement expenses against Genesco. The assessment followed a cyberattack that exposed credit card data on Genesco’s network when that data was transmitted to banks for payment authorizations. Those banks had contractual obligations to Visa to ensure that their merchants were in compliance with Visa’s data security standards. In service of those obligations, Genesco retained a firm approved under Visa’s standards to investigate the cyberattack and Genesco’s data security system. That firm found several alleged deficiencies in Genesco’s system, forming the basis for Visa’s noncompliance fines against the banks, which in turn sought reimbursement from Genesco under various indemnity agreements.
Genesco separately retained Stroz Friedberg, another computer forensics firm, to provide consulting and technical services to help Genesco’s in-house and outside counsel to give legal advice about the data breach and the first firm’s findings. Genesco’s retention agreement with Stroz expressly stated that the firm was retained in anticipation of potential litigation or other legal proceedings, and all investigation and analysis Stroz and the legal team performed were done to assist Genesco’s attorneys in preparing for anticipated litigation.
When Visa sought information about Stroz’s findings and the privileged investigation, the court largely sided with Genesco. As one basis for its decision, the court concluded that an attorney’s factual investigations of its client for the purpose of providing legal advice “fall comfortably” within the attorney-client privilege, and that the privilege extends to communications with agents and experts retained for the purpose of providing legal advice. The court also ruled that Stroz’s work under counsel’s direction fell under the work-product privilege. The work-product privilege “is an intensely practical [doctrine], grounded in the realities of litigation in our adversary system. One of those realities is that attorneys often must rely on the assistance of investigators and other agents in the compilation of materials in preparation for trial.”
Adding a Wrinkle: Two Expert Teams from the Same Firm
While Genesco conducted no investigation of its own after the data breach other than the privileged investigation, In re Target (2015) adds a layer of complexity. The company ordered up a two-tiered data breach investigation involving one set of outside consultants to investigate the incident in the ordinary course of business and a second set of consultants from the same firm to conduct a privileged investigation to aid Target’s legal team.
The case pitted a class of financial institutions as plaintiffs against retail giant Target, following a highly publicized breach of credit card and other information on Target’s systems. According to the Minnesota federal court presiding over the case, after the breach, Target retained outside counsel and established the Data Breach Task Force “at the request of Target’s in-house lawyers and its retained outside counsel so that the task force could educate Target’s attorneys about aspects of the breach and counsel could provide Target with informed legal advice” to defend the company.
As part of its response to the breach, Target also retained a team of consultants from Verizon Business Network Services. This team conducted an investigation into the data breach “on behalf of several credit card brands” and Target did not claim attorney-client or work-product privilege for that investigation. The court characterized the nonprivileged team as conducting an “ordinary-course investigation” designed so that Target and Verizon could learn how the breach happened and so Target could appropriately respond.
Separately, Target’s outside counsel retained another team of consultants from Verizon—“Privileged Verizon”—to participate in the Data Breach Task Force because, as the court put it, “Target’s lawyers needed to be educated about the breach so that they could provide Target with legal advice and protect the company’s interests in litigation.” The two Verizon teams did not communicate with one another about the substance of the attorney-directed investigation.
The plaintiffs wanted access to documents and communications related to the Data Breach Task Force that Target had withheld as privileged and identified on its privilege log (with explanations for the decision to withhold). After reviewing the documents in camera, the court shielded nearly all of the documents, ruling that “the work of the Data Breach Task Force was focused not on remediation of the breach . . . but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.” The work of the Data Breach Task Force was therefore protected under the attorney-client privilege and the work-product doctrine.
5 Tips for Preserving Privilege
Data breaches can involve highly technical issues. Understanding those issues and giving sound legal advice will often require counsel to rely on outside consultants. At the same time, a company affected by a breach will typically need to investigate and remediate that breach in the ordinary course of business. To ensure the candor that is necessary to a successful attorney-client relationship, and to protect the client’s interests in potential litigation, the client must know that the consultations its lawyers undertake to evaluate the client’s legal obligations will be shielded from discovery. Below are some best practices for preserving the attorney-client and work-product privileges, while respecting an opponent’s entitlement to discover information about a breach response made in the ordinary course of business. Some of these principles are applicable to other sensitive internal investigations, but have particular relevance in the data breach context.
1. Retain outside counsel.
As in most significant matters expected to result in litigation, retaining outside counsel is critical to strengthening claims of attorney-client privilege. In-house lawyers often give ordinary business advice in addition to legal advice. That can make it difficult for a court considering a claim of privilege to determine whether communications were made to obtain legal counsel or ordinary business advice.
2. Expressly state in retention agreements with technical experts that their services are being sought in anticipation of litigation.
The Genesco court noted several times that Genesco’s agreement with Stroz was explicit in its purpose. Noting this in a retention agreement can stave off accusations that a claim of privilege is being made ad hoc to avoid turning over damaging information.
3. Rigorously wall off your response teams.
If, like Target, you retain outside experts to determine how the breach occurred and to help resolve the issue for business purposes, ensure, like Target, that those experts do not discuss the substance of any investigation being conducted by your privileged team for legal purposes.
4. Make sure your privilege team is actually rendering legal advice in anticipation of litigation.
In many cases, this is more a matter of good faith than anything else. But if, as in Target, a court reviews documents withheld as privileged, the court will compel the disclosure of documents or information unrelated to providing legal advice.
5. Maintain a detailed privilege log.
While unnecessary in Genesco, a privilege log is a useful means of documenting, in a systematic way, which documents sought by an opponent are subject to privilege and why. It provides your opponent—and the court—with a way to assess the validity of your assertion of privilege.
Aaron P. Brecher is an attorney in Lane Powell's Seattle office and a member of the firm's privacy and data security practice group.
Reprinted with permission from the June 20, 2016 edition of Corporate Counsel © 2016 ALM Media Properties, LLC. This article appears online only. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or [email protected]. # 016-06-16-11