May 27, 2017

How the Experian Data Breach Case Might Change the Protection of Breach Investigation Reports

Categories: Blog, From The Front Lines

For many of us who attend DFIR meetups and actively track breaches and everything related to them, including the inevitable class action lawsuits that follow, an important decision regarding data security law was announced last week in the Experian data breach case:


Breach investigation reports created by forensic firms investigating data breaches can be protected by client-attorney privileges given the right circumstances.


Here are a few key takeaways from the below analysis from legal firm Shook, Hardy & Bacon:

  1. The forensic firm should be hired by outside counsel, not by the incident response team or the information security department.
  2. Hire outside counsel early—the work a forensic firm undertakes before outside counsel is involved will not be protected, so the breached entity should engage counsel immediately.
  3. Create a record and think about privilege issues early in the engagement.
  4. Sharing a forensic report with legal counsel for a co-defendant in the same data breach lawsuit may not waive the privilege or work-product protection.


The reason for arguing so strongly against any leniency in the protection of these reports is stated in the analysis:

"The reports often contain information that plaintiffs’ lawyers would love to get their hands on—they can provide details about why the breach occurred, how it could have been prevented, and whether the company’s safeguards were consistent with standards of reasonableness. It is important that the forensic firm be able to perform its investigation without fear that its reports will be subject to misinterpretation and criticism by a plaintiff’s lawyer or other third party—hence the need for protection of these reports in civil litigation. For the time being, there is no statutory protection for these types of documents (though there should be) so we must turn to the attorney-client privilege and work-product doctrines for protection."


So, with proper planning and awareness of the various pitfalls, breach investigation reports can be protected by attorney-client privilege.


Read the full alert analysis here.

About the Author

Co-Founder and CTO of AttackIQ

Stephan Chenette is a 20-year veteran of information security, serving clients ranging from startups to multinational corporations as a pentester, security and risk consultant, solutions architect and head of research and development. He has presented at numerous conferences including RSA, Blackhat, ToorCon, BSides, CanSecWest, RECon, AusCERT, SecTor, SOURCE and PacSec.