November 13, 2015
by Allyson Haynes Stuart
On October 23, 2015, the Federal District Court of Minnesota upheld Target’s assertion of attorney-client privilege and work product protection for emails it created in the wake of the 2013 breach of customer financial information.
Target hired outside counsel shortly after discovering the possibility that a data breach had occurred. After Target publicly announced the breach, consumers filed several class action lawsuits against it. Shortly thereafter, Target established the Data Breach Task Force at the request of its in-house lawyers and retained outside counsel so that it could inform counsel about the breach, and so that counsel could advise the company in pending and future litigation. Emails arising from the investigation included communications with counsel and with a team from Verizon hired by outside counsel to assist in the investigation.
The court upheld the assertion of privilege and/or work product protection, noting that “the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.”
In a blog post about the ruling, Norton Rose Fulbright attorneys note that the decision “underscores the importance of retaining legal counsel early on to direct an organization’s response to and forensic investigation of a data security incident,” which can in turn strengthen privilege arguments.
In re Target Corporation Customer Data Security Breach Litigation, MDL No. 0:14-02522 (D. Minn.).
For more information, Allyson Haynes Stuart