Why Every Data Breac ...

Why Every Data Breach Response Plan Should Involve Outside Counsel

December 3, 2015 | by Melody McAnally

The importance of retaining outside counsel after a data breach was recently underscored in the Target data breach class-action litigation filed by the financial institutions.  Plaintiffs filed a motion to compel Target to produce certain documents it withheld from production (and identified on a privilege log) based on claims of attorney-client privilege and work-product protection.  Plaintiffs challenged two categories of information:  (1) information involving Target’s Data Breach Task Force and (2) information involving Verizon Business Network Services retained by outside counsel to investigate the data breach.

Following Target’s massive data breach in December 2013, Target retained outside counsel which requested the formation of the Data Breach Task Force.  Target claimed it was established (a) to educate Target’s attorneys about the aspects of the breach and (b) to coordinate activities on behalf of Target’s outside counsel.  Target’s outside counsel also entered into an engagement agreement with Verizon Business Network Services to investigate the data breach.

Plaintiffs challenged the claims of privilege arguing that “Target would have had to investigate and fix the data breach regardless of any litigation, to appease its customers and ensure continued sales, discovery its vulnerabilities, and protect itself against future breaches.”

On October 23, 2015, the MDL judge largely upheld Target’s claim of attorney-client privilege and work-product protection.  After an in-camera review of certain documents, the court ruled that communications involving the Data Breach Task Force was protected by the attorney-client privilege and work-product doctrine because its work was not focused on remediation of the breach but on informing Target’s lawyers about the breach “so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.”  The court further ruled that Plaintiffs had not carried their burden to demonstrate that they have a substantial need for information involving Verizon Business Network Services to prepare their case or that they cannot, without undue hardship, obtain the substantial equivalent by other means.  The court emphasized that Target separately retained a different team with Verizon Business Network Services to conduct a non-privileged investigation of the data breach on behalf of the credit card companies, from which Target produced documents including forensic images from which Plaintiffs could learn how the data breach occurred and about Target’s response to the breach.

It is key that Target’s outside counsel requested the formation of the Data Breach Task Force and entered into the engagement agreement with Verizon Business Network Services – both of which was to obtain legal advice about the breach.  Essentially all of the critical steps Target took after the data breach was at the direction of and involved outside counsel.  Hiring outside counsel should be one of the first steps in every company’s data breach response plan.