Law.com has addressed the growing issue courts are facing in their article “Cyber Breach Forensic Reports: Is Your Report Discoverable?” (sub. req.)
The article highlights the increasingly possible scenario of a firm encountering a data breach and hiring a forensic firm to perform an examination of the company’s information systems. Often,when the examination is complete, a findings report will be issued containing specific information including details of how the incident most likely occurred. This brings up a potential issue, whether or not the report is available to an opposing party.
Companies are likely to want to maintain control of forensic reports because of the potential value they could offer to a plaintiff. If a vulnerability within the information systems of a firm is highlighted in a forensic report’s findings, it is possible the company may have failed to maintain best practices to protect their data security. This type of negligence may result in a breach of protecting valuable client information.
The court system has held that forensic reports are often protected by attorney-client privilege. However, it is important to not accidently waive that privilege. If the report, or information contained in the report, is voluntarily shared with a third party, the report would likely fall into discoverable territory. It is suggested that attorneys consult directly with the forensic firms when discussing the matter and any work product materials.
If a report must be produced to a third party, such as insurance carriers, auditors, or affiliate companies, there are a few measures attorneys can take to make sure the work product protection is not waived. These measures include redacting unnecessary information from the report as well as signing a confidentiality agreement with the receiving party.
Email: firstname.lastname@example.org Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology