In a recent post, we addressed the role a forensic investigation plays in a company’s response to a data security incident. We noted that to maximize the likelihood that a forensic firm’s work will be covered by the work-product doctrine or attorney-client privilege, the engagement letter should include outside counsel and the forensic firm should conduct its investigation at the direction of counsel. At a minimum, the engagement letter should specify that the forensic firm has been engaged to assist counsel in providing legal advice and, when appropriate, should specify that the forensic firm is assisting counsel in anticipation of litigation. Since that post, a new court decision has shed additional light on the factors affecting whether the work-product doctrine will protect a forensic firm’s work from discovery.
In In re Experian Data Breach Litigation, Case No. 8:15-cv-01592-AG-DFM (C.D. Cal. May 18, 2017), the court denied a motion to compel discovery of a forensic firm’s report and related documents, holding that the materials were protected by the work-product doctrine. In Experian, the defendant retained outside counsel shortly after learning of an incident (but before any litigation commenced), and the outside counsel then retained the forensic firm to investigate the incident.
The court considered several facts to be significant in determining that the work-product doctrine applied. As already noted, the forensic firm was retained by outside counsel at a time when it was reasonable to anticipate litigation over the data breach. Additionally, the forensic firm’s report was shared only with outside and in-house counsel, not with the company’s broader incident response team. The company also submitted declarations establishing that the scope of the forensic firm’s engagement was limited to assisting the company’s counsel. Continue Reading