When assisting clients with emergency data breach response, and preparing and implementing a data privacy and security plan, it often becomes efficient, cost effective and necessary to hire outside vendors to assist with portions of the engagement. These activities include risk assessments, gap assessments, vulnerability testing, forensic analysis and security incident investigations.
It is important that counsel hire the vendors to perform the activities to protect the conclusions, which are part of the engagement, under the cloak of attorney client privilege, work product doctrine, or in anticipation of litigation. By doing so, the reports and documents that are part of the engagement of counsel, which are relied upon by counsel may be protected from discovery in litigation.
This week, a California federal judge ruled in a class action data breach case against Experian that Mandiant’s investigation report and documents related to its investigation into the incident were not subject to discovery because it had been hired by counsel, not Experian. The judge held that since counsel hired Mandiant, and relied on its investigation and conclusions, the report and documents were part of counsel’s work product, and were prepared in anticipation of litigation and protected by privilege.
This is very helpful and important precedent for companies to pay attention to when responding to a data breach in anticipation of litigation, as well as implementation of a data privacy and security plan. If you involve counsel, there is a better chance that the report and documentation can be protected in subsequent litigation as privileged pursuant to the work product doctrine and in anticipation of litigation.
This was a big win for Experian, and important precedent for all of us working in this field.