BreachExchange mailing list archives

Lessons Learned from Target’s Data Breach Discovery Win


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 29 Oct 2015 19:28:36 -0600

http://www.natlawreview.com/article/lessons-learned-target-s-data-breach-discovery-win

A thousand questions immediately flood any lawyer’s mind when they first
hear that their client may have been affected by a data breach. How did it
happen? What data were affected? Was there any personal information
affected, what type, and how much? When did it happen? How much time passed
before we discovered it? These are a few of the questions that must be
answered—and answered fast—before you can advise your client on the many
time-sensitive, high-stakes legal obligations that arise from a data breach.

It is increasingly common that lawyers need technical experts to gather and
provide the information necessary to answer these questions. Whenever that
is the case, there is an argument to be made that attorney-client privilege
should attach to the communications associated with the work that these
experts perform, including written reports that communicate the results of
interviews, forensic exams, and similar investigatory activities. It also
may be reasonable to anticipate that a legal dispute will arise from the
data breach, in which case materials produced by technical experts may be
protected by the work-product doctrine. But neither privilege is absolute,
so an organization must take proper precautions during the investigation
and response to help shield the materials from discovery by opposing
counsel in the event of litigation.

Class action litigation arising from Target’s massive 2013 data breach
provides a valuable lesson in what those precautions should look like.
According to Target, after learning that the company may have experienced a
breach, Target’s chief legal officer initiated an investigation to provide
information to a “Data Breach Task Force” specifically intended to enable
in-house and outside counsel to advise Target on its legal obligations. A
class of financial institution plaintiffs sought discovery of the Data
Breach Task Force investigation as part of their bid to recover significant
monetary losses suffered from the breach. Target asserted attorney-client
privilege and work product protection in defense of the request. The trial
court largely agreed with Target, ruling that most of the information
sought by the plaintiffs was protected from discovery.

The court’s order reveals several strategies for prevailing on a future
privilege claim to protect breach response documentation:

- Plan now to execute these strategies effectively later. As will become
apparent from the tips that follow, it is essential to lay the groundwork
for privilege in the infant stages of your breach response. For example, if
your response team engages an investigative partner before you or your
outside counsel are fully engaged, you will have lost several valuable
opportunities to capitalize on an approach that may keep that response
team’s work product from being disclosed in litigation months or years down
the road.

- Appearances matter. Investigatory materials prepared to aid counsel
should note on their face that they are privileged and that they were
prepared for and delivered to counsel. That’s the basic approach any lawyer
can articulate. But we suggest going further: the documents should actually
recount counsel's involvement, state that counsel determined the investigatory
work was necessary and directed it, and state that they were requested for the
purpose of legal advice. These types of precautions will strengthen your privilege argument
when, as in the Target case, the court conducts an in-camera review of the
materials in question rather than simply considering the parties’ legal
arguments and assertions about the materials.

- But appearances are not all that matter. Your breach response teams need
to understand why their work is privileged because evidence of their
understanding may be critical when privilege is asserted. Simply knowing
that a lawyer told them to mark materials as privileged is not adequate.
They should be able to recount that their work was necessary to facilitate
legal advice. In Target’s case, the chief legal officer was able to
represent to the court that the work was, in fact, conducted to support the
work of counsel, and that understanding was held by all who supported the
Data Breach Task Force. The court appears to have relied heavily on that
representation in reaching its conclusions. Ideally, had it been necessary,
other members of the response teams would have been equally well-positioned
to assert their understanding as to why the privilege attached.

- Don’t just involve counsel—entrench counsel, and do it immediately.
Obviously, the investigatory work in question actually has to have been
intended to support legal advice for privilege to attach, so the first step
is engaging counsel BEFORE the investigation is fully formed. It is not a
safe strategy to carry out the investigation, at some point later engage
counsel to advise on the breach, and then assert that the
(already-concluded) investigative work was somehow designed to support the
legal advice you hadn’t even requested yet. If third parties are necessary
to conduct the investigation, counsel should heavily advise on the scope
and approach of their work at the beginning and throughout the
investigation. Ideally counsel also will be a party to the engagement. The
Target court noted that one of Target’s outside counsel was a party to an
engagement letter with the investigating provider, suggesting that a
tri-party (vendor–client–lawyer) engagement or side engagement letter by
counsel is compelling. (Note also that the client did not need to be
excluded as a contracting party; outside counsel had not separately and
independently engaged the third party.) The contractual document should
actually recount that supporting counsel is a core purpose of the
engagement. Any documents conveying results should recount the same and
also be directed to counsel.

- Consider segregating investigations and/or investigatory reports designed
to aid counsel from those intended to further other breach-related
activities, such as remediation. Running two separate investigations may
not always be feasible, but keep in mind that courts may be skeptical of
attempts to protect every stitch of information pertaining to a breach
investigation by asserting legal privilege. And when a payment card breach
occurs, it may be a necessity to bifurcate if privilege will be asserted
over any portion. The mandatory investigation required by the payment card
industry is a contractual obligation; attempting to also privilege that
investigation poses challenges since opposing counsel will argue that the
investigation would have been pursued anyway due to the payment card
requirements and regardless of any need for legal counsel. The Target
court’s order describes Target’s two-track approach to investigating the
breach (one designed to address payment card requirements and the other
designed to aid counsel) and relied on that strategy in support of the
privilege argument. The court also cited a declaration of outside counsel
that the two investigative teams did not communicate about the
attorney-directed investigation. Even if an investigation is not required
by payment card operating rules or other legal obligations, segregating
results for counsel is also important because privilege is not absolute. If
a party can show a compelling need for the information that cannot be
satisfied other than through disclosure of the materials sought, a court
may order disclosure. Therefore, a smart strategy may be to assume that
some factual information will or should be disclosed, and to bifurcate the
conclusions and predictions designed to aid counsel from the factual
results and remediation efforts, which are more readily disclosed. The Target
court found that the privileged material it reviewed was focused on
obtaining legal advice and preparation of defense, not remediation of the
breach, which cut against the plaintiffs’ argument that the material would
have been generated by necessity when responding to the breach and not only
due to the need for legal advice. The court also noted that the plaintiffs
had access to pertinent information about the response through documents
that were already disclosed.

- Email + Lawyer + Request for Advice = Privilege. Email – Lawyer –
Request for Advice = No Privilege. It's basic privilege math. If the
communication does not include or facilitate a request for advice, and
there is no lawyer anywhere in sight, your assertion of attorney-client
privilege will likely fail. The only records that the Target court found
not subject to privilege were email updates from Target's CEO to its board
of directors. The court stated, “Nothing in the record supports a claim for
attorney-client privilege for these communications as they do not involve
any confidential communications between attorney and client, contain
requests for or discussion necessary to obtain legal advice, nor include
the provision of legal advice.” Target might have obtained a favorable
outcome had counsel been the sender, or had the requests for the board
meetings recounted the need to include a lawyer and to receive legal
advice.

Again, legal privileges are never absolute. These strategies are intended
to clarify a few points that often positively influence assertions of
privilege, but they do not guarantee success. However, keeping these
approaches top-of-mind at the outset of a breach response, or even
including them in your breach response drills, is a good exercise to
help ensure your privilege defense remains fit throughout the (hopefully)
controlled chaos of a data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
