One of the risk management concerns endemic to data breach responses is the potential discoverability of the forensic and other investigations necessary to assess the breach and plan an appropriate response. That concern may result in less than complete documentation of the breach in real time. Fortunately, that concern has recently been addressed in post-breach litigation.
On May 18, 2017, a California federal district court judge denied a motion to compel production of a report and supporting documents prepared by a third-party forensics firm in the wake of a massive 2015 data breach. The judge held that such documents were protected by the work product doctrine, which covers not only materials prepared by an attorney in anticipation of litigation, but also documents created by investigators working for attorneys, if created in anticipation of litigation.
In September 2015, Experian, one of the world’s largest consumer credit monitoring firms, learned that it had suffered a massive data breach. The breach, perpetrated by outside hackers, exposed the sensitive personal data of approximately 15 million people who applied for service with T-Mobile. The data exposed, which had been collected to evaluate potential customers’ credit, included names, addresses, birth dates, Social Security numbers, driver’s license numbers and passport numbers. In September 2015, immediately after it discovered the breach, Experian hired an outside law firm for legal advice regarding the attack. The law firm then hired Mandiant, a third-party forensics consultant, to investigate the data breach and provide an expert report analyzing the hacking attack.
On October 1, 2015, Experian publicly disclosed the breach. One day later, the first complaint was filed alleging claims related to the breach, which eventually led to a class action lawsuit. Mandiant finished its report by the end of October 2015 and gave it to Experian’s outside counsel, which then shared the report with Experian’s in-house counsel, and together they used the report to develop a legal strategy.
In April 2017, the class action plaintiffs filed a motion to compel the production of the report produced by Mandiant, arguing that the work product doctrine did not apply because Experian had independent business duties to investigate data breaches, and it did exactly that after realizing that its own experts lacked sufficient resources. However, the judge noted that it was Experian’s outside counsel, not Experian itself, who hired Mandiant and obtained the report, and that outside counsel did so in anticipation of litigation. The judge also noted that but for the anticipated litigation, the report would not have been prepared in substantially the same form or with the same content. Based mostly on those findings, the judge denied the motion to compel on the grounds that the report was protected by the work product doctrine.
Data breaches, especially large-scale ones that expose sensitive data, often lead to costly litigation. Any company faced with the prospect of such litigation would be well advised to take advantage of all available protections offered by the attorney-client relationship, including the work product doctrine. As the Experian/T-Mobile case and many others like it show, such protections can be invaluable when defending against claims that expose a firm to substantial liability.