From: JDSupra Business Advisor
by Shea Gordon Leitch, Antony Kim, Aravind Swaminathan | Orrick, Herrington & Sutcliffe LLP
The Middle District of Tennessee recently issued a key decision in the ongoing Genesco, Inc. v. Visa U.S.A., Inc. data breach litigation. The court denied discovery requests by Visa for analyses, reports, and communications made by two cybersecurity firms that Genesco retained after it suffered a data breach, on the grounds that those materials were protected by the attorney-client privilege and work product doctrine. The decision is crucially important for two reasons.
- First, it confirms that cybersecurity consultants’ work product and communications—like that of other retained experts—are subject to confidentiality under the attorney-client privilege and/or the work product doctrine when counsel retains the consultants for the purpose of obtaining technical assistance to enable counsel to render legal advice to a client.
- Second, it validates the decision by organizations to designate legal counsel as the lead in key cybersecurity activities, such as scoping and directing proactive security risk assessments and directing reactive forensic investigations and response efforts following a data breach.