July 8, 2020

Volume X, Number 190

Capital One Required to Produce Forensic Report in Class Action

When a litigator responds to any security incident, thoughtful consideration is given to the possibility that the incident may wind up in litigation, and certain decisions are therefore made in anticipation of that litigation. Without getting into the details of the legal doctrines of attorney-client privilege, work product, and anticipation of litigation, suffice it to say that these long-established doctrines allow certain information and documents to be privileged and non-discoverable in litigation if the facts and circumstances warrant protection under them.

One consideration during a security incident is whether a forensic analysis is warranted. If so, the usual course is for the attorney handling the security incident to hire the forensic firm so that the forensic firm is providing services to the attorney and the results may be protected under a legal privilege doctrine. This has been upheld by one court following the Experian data breach.

This week, a different court ordered Capital One to hand over the forensic report completed after its data breach in 2018 to the plaintiffs in a class action litigation brought against it as a result of the data breach. The court distinguished the Experian case and came to the opposite conclusion because Capital One already had on retainer the forensic firm that conducted the forensic analysis, and the firm was not hired by the attorney handling the security incident for that specific security incident.

This conclusion is monumental because many companies have a data security and/or forensic firm pre-engaged in the event of a security incident, so that no valuable time is wasted trying to find a firm after appropriate due diligence and the negotiation of a contract, and instead the firm can jump right in to assist with mitigation. Many cyber-liability insurance companies and counsel advise companies to pre-negotiate contracts with vendors in the event of a security incident in order to be able to start the analysis immediately without expending valuable time in an urgent situation.

The court’s decision calls into question the best path forward following a security incident, and whether companies should consider using outside counsel to hire the forensic firm to complete mitigation and analysis following a security incident in order to preserve applicable privileges. Most outside counsel practicing in this area have existing relationships with different vendors and have pre-negotiated contracts in place to save valuable time in such instances. Since different judges come to different conclusions, consulting with outside counsel regarding the different decisions in the Experian and Capital One cases is warranted.

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume X, Number 149


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...