Earlier this month, we offered our analysis and takeaways from a Magistrate Judge’s decision that defendant Capital One was required to produce a third-party data breach assessment report as part of ongoing consumer litigation.  Available here.  Not surprisingly, Capital One appealed that order.  On June 25, 2020, District Court Judge Anthony Trenga affirmed the

Following a data breach, companies generally launch an investigation to determine the source and scope of the breach. These efforts are often led by in-house privacy, compliance, and/or litigation counsel with an eye firmly planted on the legal claims that might be asserted, or need to be defended, as a result of that breach. Often key to any data breach investigation is an incident response consultant that helps determine the scope and analyzes the causes of a potential breach. Many companies expect that any reports by, or communications with, the consultant would be protected by the attorney-client privilege and/or work product doctrine, which would shield relevant materials from production during any governmental investigations or third-party litigation that arise from the event. Recently, however, a federal court compelled production of just such a breach report and related documents, calling into question the scope of that protection for data breaches and possibly other corporate investigations.

This post discusses the background and rationale that led to the Court’s finding and offers our advice concerning steps that should be taken to maximize the potential scope of protection for consultant reports in data breach investigations and other corporate investigations.
Continue Reading Lessons Learned for Maintaining Attorney-Client Privileged Data Breach Investigation (and other Consultant) Reports