It’s 2:00 a.m. and you get a call from your security team – the inevitable has happened and you have to respond to a cybersecurity “incident.”
After the initial moment of panic, you recall that your team has an incident-response plan in place, and you breathe a small sigh of relief because you know your cybersecurity consultants and your attorneys have everything covered. Over the next few weeks, the investigation reveals the source of the breach and the data that was disclosed, you send proper notices to the proper agencies and consumers, and you prepare to address the inevitable lawsuits from consumers.
Despite the undesirable consequences related to any data breach, your response team acted appropriately, and you managed to mitigate a lot of potential harm by acting quickly and efficiently – then a judge rules that you have to disclose your forensic consultant’s report as part of discovery. At least that’s what happened last month to Capital One. See In re Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915, 2020 WL 2731238 (E.D. Va. May 26, 2020).
In a fact-intensive analysis, the court found that although Capital One’s outside counsel worked with the consultant and directed the creation of the report, the report was not entitled to work-product protection because – in short – it was not prepared specifically in anticipation of litigation. In reaching this conclusion, the court noted that Capital One accounted for the consultant as a “business” expense rather than a “legal” expense and further noted that the report would have been prepared even without the anticipation of litigation.
The magistrate judge’s decision on this matter is up for reconsideration, but this is a good reminder to review your incident-response plans with outside counsel and, out of an abundance of caution, allow outside counsel to engage its own experts. While there may be some advantages to having security consultants on retainer, consideration must be given to how that consultant’s work may be used against you in the future. At a minimum, the consultant should enter into a new agreement with outside counsel and perform all post-breach analysis at counsel’s direction.
For more information on data privacy matters, please contact a Kerr Russell attorney.
Jeffrey A. May practices in the areas of general business law, intellectual property, and litigation with a focus on the increasingly important area of Cybersecurity and Data Privacy Law. He is credentialed as a Certified Information Privacy Professional/United States (CIPP/US). He has prior experience owning and operating a technology-based business. His experience and education allow him to assist clients with a wide range of business issues and litigation matters. Jeffrey helps clients identify and mitigate risks related to data security incidents and breaches. He also helps with information technology policies and practices, and data sharing arrangements with third parties.