As a litigator, when responding to any security incident, I give thoughtful consideration to the possibility that the incident may wind up in litigation, and therefore make certain decisions in anticipation of that litigation. Without getting into the details of the legal doctrines of attorney-client privilege, work product, and anticipation of litigation, suffice it to say that these long-established doctrines allow certain information and documents to be privileged and non-discoverable in litigation if the facts and circumstances warrant protection under them.
One consideration during a security incident is whether a forensic analysis is warranted. If so, the usual course is for the attorney handling the security incident to hire the forensic firm so that the forensic firm is providing services to the attorney and the results may be protected under a legal privilege doctrine. This has been upheld by one court following the Experian data breach.
This week, a different court ordered Capital One to hand over the forensic report completed after its data breach in 2018 to the plaintiffs in a class action litigation brought against it as a result of the data breach. The court reached the opposite conclusion from the court in the Experian case, distinguishing it on the ground that Capital One already had on retainer the forensic firm that conducted the forensic analysis, and the firm was not hired by the attorney handling the security incident for that specific security incident.
This conclusion is monumental because many companies have a data security and/or forensic firm pre-engaged in the event of a security incident, so that no valuable time is wasted trying to find a firm after appropriate due diligence and the negotiation of a contract, and instead the firm can jump right in to assist with mitigation. Many cyber-liability insurance companies and counsel advise companies to pre-negotiate contracts with vendors in the event of a security incident in order to be able to start the analysis immediately without expending valuable time in an urgent situation.
The court’s decision calls into question the best path forward following a security incident, and whether companies should consider using outside counsel to hire the forensic firm to complete mitigation and analysis following a security incident to preserve applicable privileges. Most outside counsel practicing in this area have existing relationships with different vendors and have pre-negotiated contracts in place to save valuable time in such instances. Since different judges come to different conclusions, consulting with outside counsel regarding the different decisions in the Experian and Capital One cases is warranted.