Data security incident response activities usually involve the creation of sensitive communications and documents that might be subject to legal disclosure obligations unless they are protected by legal privilege.
An organization’s ability to assert legal privilege over a communication or document depends on the purpose of the communication or document and the circumstances surrounding the creation and use of the communication or document. An organization that asserts legal privilege over a communication or document has the burden of proving the privilege applies.
For those reasons, it is prudent for an organization to establish a legal privilege strategy for its cyber risk management activities, including preparing for and responding to data security incidents, so that the organization is able to establish legal privilege, where appropriate, over communications and documents created in the course of those activities.
The recent U.S. District Court decision in Re Experian Data Breach Litigation provides helpful guidance for establishing legal privilege over data security incident investigation reports prepared for use in connection with litigation.
Read more here.