As CPW’s Kristin Bryan and Rafael Langer-Osuna cover in depth at Law360, one developing area of the law that sends shivers down the spine of data breach litigators is a growing number of federal courts holding that the attorney-client and work product privilege do not apply to internal investigatory reports and related communications.  As these cases demonstrate, it is now routine for plaintiffs counsel to seek data event incident reports. These cases would seem to suggest that it is also routine for courts to compel production of incident reports and related materials.  That is, however, not necessarily the case. It remains feasible to avoid the disclosure of an incident response report prepared for litigation, and it remains possible for litigation counsel to consult with cybersecurity experts in preparation for litigating a matter. Incident response and litigation counsel must coordinate closely, and litigation counsel must be acutely mindful of these issues from the start.

You can read their expert analysis at Law360 here.