The Middle District of Tennessee recently issued a key decision in the ongoing Genesco, Inc. v. Visa U.S.A., Inc. data breach litigation. The court denied discovery requests by Visa for analyses, reports, and communications made by two cybersecurity firms Genesco retained after it suffered a data breach on grounds that those materials were protected by the attorney-client privileged and work product doctrine. The decision is crucially important for two reasons.
First, it confirms that cybersecurity consultants' work product and communications—like that of other retained experts—are subject to confidentiality under the attorney-client privilege and/or the work product doctrine when counsel retains the consultants for the purpose of obtaining technical assistance to enable counsel to render legal advice to a client.
Second, it validates the decision by organizations to designate legal counsel as the lead in key cybersecurity activities, such as scoping and directing proactive security risk assessments and directing reactive forensic investigations and response efforts following a data breach.
Accordingly, organizations should think ahead, and carefully, about the underlying purposes for any cybersecurity assessment or cyberattack response effort, and the role that counsel (inside or outside)
The Genesco litigation resulted from a data breach suffered by the parent company of several apparel and accessory retailers. Between 2009 and 2010, Genesco's computer systems were attacked by cybercriminals who gained access to unencrypted payment card data as it was transmitted to two banks for payment authorization. Following a PCI forensic investigation, Visa assessed Genesco's merchant banks, which processed Visa credit and debit card transactions at Genesco's stores, over $13 million in fines and reimbursement expenses. The fine was based on the banks' purported failures to ensure that Genesco (as the merchant) met the Payment Card Industry Data Security Standards ("PCI DSS"). Genesco's merchant banks passed these fines and assessments to Genesco pursuant to the parties' processing agreements. Genesco brought suit against Visa in federal court, alleging that Visa had no factual basis for levying the fines, and setting the stage for a closely watched discovery fight.
In connection with its breach remediation efforts, Genesco hired two cybersecurity firms to provide technical and consulting services to Genesco's outside counsel: one in connection with purported past violations of PCI DSS and the second in connection with efforts to comply with PCI DSS. In discovery, Visa sought to compel the information, arguing that it was entitled to information regarding "Genesco's investigation, analysis and reviews . . . in relation to the [cyberattack], including but not limited to those performed internally or through vendors or service providers; communications and reports relating to the first cybersecurity firm's analysis of the purported PCI DSS violations; and the second firms' post-cyberattack PCI DSS compliance analysis."
The court denied Visa's requests for discovery. In its original January 2014 Order, the court ruled that the requested materials were protected under the attorney-client privilege because "attorneys' factual investigations fall comfortably within the protection of the attorney-client privilege," and "[t]his privilege extends to the [cybersecurity] firm that assisted counsel in its investigation." The court reasoned that in principle, cybersecurity consultants are no different that accounting consultants, whose work product and communications have traditionally been held to be subject to the attorney-client privilege because the "concepts are a foreign language to some lawyers in almost all cases . . . [h]ence . . . the presence of the [consultant] is necessary, or at least highly useful, for the effective consultation between the client and the lawyer which the privilege is designed to permit." Similarly, the court held that the forensic reports constituted protected attorney work product because "work product privilege also attaches to an agent's work under counsel's direction." This is because "attorneys must often rely on the assistance of investigators and other agents in the compilation of materials in preparation for trial." The court reaffirmed its prior holding in a March 2015 Order denying Visa's renewed attempts to obtain discovery of investigative material via subpoena.
Not only does the Genesco opinion offer a roadmap for confidentiality protections, but it underscores legal counsel's critical role in today's digital economy where the question is not "if" but "when," an organization will be breached. Second possibly only to brand and reputational issues, regulatory enforcement and litigation risks are likely the most significant drivers of cybersecurity preparedness and response efforts. Accordingly, companies are well-advised to embrace counsel's important role in cybersecurity risk assessment, mitigation, and incident response strategies to take advantage of attorney-client privilege and work product protections. There is good, substantive reason for this, as well. Covering these activities under legal privilege offers a "safe place" for clients to request and receive legal advice, and therein, to deliberate over issues such as the remedial efforts that will—and, more importantly, will not—be undertaken in response to a cyberattack or identification of a vulnerability. Moreover, the "safe place" created by thoughtful, appropriate use of the attorney-client privilege and work product doctrines can be leveraged to ensure that your organization is gathering the best and most accurate information about its cybersecurity posture (regardless of whether it is good or bad) when implementing a stronger risk mitigation strategy.