Those following developments in the data breach litigation space will be interested in the recent decision, In re Experian Data Breach Litigation (In Re Experian), where the California District Court upheld a privilege claim over a forensic report prepared following a data breach.

BACKGROUND

This decision arises in the context of a class action brought against Experian Information Solutions Inc. (Experian) after it announced that one of its systems had been the subject of unauthorized access.

In the aftermath of the breach, but before litigation was commenced, Experian retained external counsel, which in turn retained a security firm to prepare an expert report and analysis of the attack (Report). The Report was provided to outside counsel, who shared it with in-house counsel at Experian.

The plaintiffs sought an order compelling Experian to produce a copy of the Report. Experian resisted.

DECISION

In resolving the dispute, the court applied the “because of” test to determine whether the Report was covered by “work product” privilege (as “litigation privilege” is known in the U.S.). The “because of” test does not consider whether the litigation was the primary or secondary motive behind the creation of a document, but considers all the circumstances and applies the privilege when it can be fairly said that the document was created because of anticipated litigation. It should be noted that this is a different test than the “dominant purpose” test that a Canadian court would apply to determine whether a document is subject to litigation privilege, although it is unclear that the court would have arrived at a different result if it had applied the dominant purpose test.

The court rejected the plaintiffs’ principal argument that the Report should be produced because Experian had business reasons to investigate data breaches and it hired the security firm to do this because it lacked the internal resources. The court accepted that Experian may have had other reasons for investigating the breach, but it found that on the record before the court it was clear that the security firm was hired by outside counsel to prepare a report in anticipation of litigation. The court appeared to place some weight on the fact that the Report was not given to Experian’s internal investigation team.

The court also rejected the plaintiffs’ argument that they would suffer substantial hardship if the Report were not produced because they did not have access to the live servers. The court found that the experts did not have access to live servers when they were investigating to prepare the Report and that the plaintiffs could retain an expert to do the same analysis from server images.

The court also rejected the plaintiffs’ argument that Experian had waived privilege over the Report by sharing it with counsel for T-Mobile (a client of Experian) in redacted form. The court noted that Experian and T-Mobile had entered into a joint defence agreement and found that the disclosure did not amount to a waiver of the work product doctrine.

Experian also claimed that the Report was protected by solicitor-client privilege (known as attorney-client privilege in the U.S.), but as the court found that the Report was protected by the work product doctrine, it was unnecessary for it to consider the application of solicitor-client privilege.

IMPLICATIONS

Although based on U.S. law, the In Re Experian decision is a reminder that post-breach communications and reports may be protected by privilege. Key takeaways from this decision include:

  • There is potential value to having forensic investigators retained by external counsel
  • The fact that a forensic report serves purposes other than litigation purposes may not annul privilege, so long as the report was prepared for the dominant purpose of litigation
  • There may be value to entering into a joint defence agreement where there is a desire to share a forensic report with a third party