For those of us who attend DFIR meetups and actively track breaches and everything related to them, including the inevitable class action lawsuits that follow, an important decision on data security law was announced last week in the Experian data breach case:
Breach investigation reports created by forensic firms investigating data breaches can be protected by attorney-client privilege, given the right circumstances.
Here are a few key takeaways from the analysis below by the law firm Shook, Hardy & Bacon:
The reason there has been such a strong argument against allowing any leniency on the protection of these reports is stated in the analysis:
"The reports often contain information that plaintiffs’ lawyers would love to get their hands on—they can provide details about why the breach occurred, how it could have been prevented, and whether the company’s safeguards were consistent with standards of reasonableness. It is important that the forensic firm be able to perform its investigation without fear that its reports will be subject to misinterpretation and criticism by a plaintiff’s lawyer or other third party—hence the need for protection of these reports in civil litigation. For the time being, there is no statutory protection for these types of documents (though there should be) so we must turn to the attorney-client privilege and work-product doctrines for protection."
So, given proper planning and knowledge of the various traps, breach investigation reports can be protected by attorney-client privilege.
Read the full alert analysis here.