Judge: Capital One Must Provide Lawyers With a Copy of Digital Forensic Breach Report
A US federal judge in Virginia has ordered Capital One to provide a copy of a forensic report regarding a data breach to attorneys who are suing the company on behalf of affected customers. The Capital One breach, which was disclosed last year, affected payment card application data for more than 100 million people.
Subsequent to a breach, first hire experienced and competent legal counsel; let them hire and supervise the investigators. Any report of the investigators should be "attorney work product," so labeled, and arguably privileged. While transparency is desirable, litigation may increase transparency, and courts are entitled to all evidence, one does not want one's legitimate efforts used against one.
William Hugh Murray
Understanding data protection and disclosure restrictions, particularly around security audits, assessments, and reports, is key before the engagement begins. When taking legal action, be certain that the case, for or against, doesn't depend on disclosing the very documents you wish to keep private. Sometimes a redacted document can be offered as a compromise, particularly when protecting information with regulatory-driven or mandatory protections such as PII, HIPAA, and CUI; even so, your legal and information management teams should validate your assumptions up front.