By Craig S. Horbus on May 13, 2020
When a data breach occurs, businesses rightly focus on identifying and rectifying the breach. The last thing a business is likely thinking about at that time is the threat of litigation. However, recent data breaches demonstrate that the threat of litigation is real and growing and should be considered at the outset. For example, the 2017 Equifax data breach resulted in a class action that ultimately settled for $380.5 million. See In re Equifax Inc. Customer Data Sec. Breach Litig., 1:17-MD-2800-TWT, 2020 WL 256132, at *45 (N.D. Ga. Mar. 17, 2020) (granting final approval of the settlement). Below are a few litigation considerations businesses should plan for and consider incorporating into their breach response plans.
Who Leads the Investigation?
Most businesses likely have their IT Department initially lead any breach investigation. While this approach may seem to make sense from a business perspective, businesses should have an Incident Response Plan in place and follow it. The plan would typically involve coordinating with legal counsel from the beginning to (1) assess the likelihood of litigation; (2) determine how to balance investigating the incident and protecting the interests of the business; and (3) help avoid waiving any potential privileges.
Is Litigation Reasonably Anticipated?
During the course of an investigation, businesses should assess whether it is reasonable to anticipate litigation by considering a number of factors, including, but not limited to:
- The severity of the incident, including the type and sensitivity of data stolen and the number of individuals impacted;
- Whether the business failed to follow any of its protocols that might have led to the breach incident;
- The level of publicity the incident receives; and
- How the business responds before, during, and after the incident, including whether there were any perceived delays in response, misstatements, or whether the business properly notified individuals under applicable federal or state laws.
As with any other matter, once litigation is reasonably anticipated, the business has an obligation to preserve relevant data, which may require issuance of a legal hold to preserve key information.
How to Balance Investigating the Incident with Protecting the Interests of the Business?
Data and communications related to the incident are potentially discoverable in any future litigation. See, e.g., In re: Dominion Dental Services USA, Inc. Data Breach Litig., 1:19-CV-1050-LMB-MSN, 2019 WL 7592343, at *3 (E.D. Va. Dec. 19, 2019) (general discovery rules and principles apply “when deciding whether litigants must disclose the contents of investigations conducted in data breach cases.”). At the same time, businesses must obtain legal advice to protect their interests in any future litigation.
To balance these interests, Target took a two-track approach, establishing an “ordinary-course investigation” to learn how the breach happened and how to appropriately respond to the breach. In re Target Corp. Customer Data Sec. Breach Litig., MDL142522PAMJJK, 2015 WL 6777384, at *2 (D. Minn. Oct. 23, 2015). A second task force was created to investigate and provide legal advice to Target in anticipation of litigation. Id. The second group was established at the request of Target’s in-house counsel, and outside counsel was retained to help direct the investigation. Id. at *2. The two groups did not communicate with each other.
When plaintiffs’ counsel sought documents and communications from the second task force, the court determined that the communications and documents from the second group were protected by the attorney-client privilege or work product because “Target has demonstrated the information in those communications was transmitted for the purpose of obtaining legal advice regarding the data breach investigation.” Id. at *4. While Target’s approach might not be feasible in every situation, at a minimum, businesses should carefully consider how best to investigate and respond to any breach incident while also protecting the interests of the business should the incident lead to litigation.
How to Protect Privileged Communication and Information?
A top consideration for any business should be protecting privileged communications. In addition to the items discussed above, there are a number of steps businesses can take to help avoid waiving any applicable privilege, including:
- Avoid sharing information with unnecessary third parties not retained to provide legal advice;
- If another party, such as a vendor, has a role in the breach incident, consider whether a common interest or joint representation agreement is necessary;
- Hire experienced outside counsel to direct the investigation to help demonstrate the legal nature of the investigation; and
- Properly identify and mark privileged communications without overusing such markings.
How Brouse Can Help
Brouse McDowell’s Cybersecurity team provides guidance and legal advice for data breaches. We also provide proactive solutions for companies to defend against cyber-attacks and events. We offer legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.