In an important ruling on October 23, 2015, a U.S. Magistrate Judge in federal District Court for the District of Minnesota upheld large swaths of a retailer’s claimed attorney-client privilege covering forensics investigations in response to a data breach, as well as certain key communications relevant to the breach investigation and response. This ruling belongs in every internal counsel’s playbook because it outlines the scope of what can be covered by privilege and what steps need to be taken by internal counsel to perfect the privilege against subsequent attack.
For the case at issue, in the wake of the underlying incident that involved alleged loss of a significant amount of payment card data, the retailer structured the incident investigation so as to consist of two separate tracks, with two separate forensics teams. The first, non-privileged track corresponded to the investigations required by the payment card companies. These investigations and resulting reports were non-privileged.
The second, privileged track, however, was created when the retailer retained outside counsel and commissioned a separate forensics investigation team for this privileged investigation in order to provide legal advice with respect to the incident. The forensics teams for each track did not communicate with each other regarding the incident. The retailer observed the formalities of privilege and involved external counsel in communications. When the privilege was ultimately tested, the Judge conducted an in camera inspection of the retailer’s privilege logs. Based on all of the above, the Magistrate Judge largely upheld the assertions of privileged with respect to this second track, including the corpus of communications by and with outside counsel.
The bottom line for breach response is straightforward: (1) to help ensure that privilege is maintained, hire external counsel immediately in the wake of an incident (prior to engaging a forensics firm and separate from the payment forensic investigator (PFI) process, which may be required by the payment brands) and (2) maintain the formalities surrounding privilege (marking of documents, cc’ing external counsel, etc.) so that when privilege is inevitably tested by adverse parties, it survives the challenge.