Photo of Tom Spahn

Tom practices as a commercial litigator. He regularly advises Fortune 500 companies on such high-stakes issues as properly creating and preserving the attorney-client privilege and work product protections when conducting corporate investigations, when hiring outside consultants, when dealing with the government, and during other daily and extraordinary situations. He also advises in-house counsel on ethics issues, including conflict of interest, confidentiality, and dealing with corporate wrongdoing.

Last week’s Privilege Point described a data breach victim’s latest losing effort to claim privilege protection for its consultant’s investigation report. Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023). Before bluntly rejecting McMenamins’ privilege claim, the court spent more time analyzing its work product claim

Companies and even law firms suffer data breaches, and usually claim privilege and work product protection for the inevitable resulting investigation. Unfortunately, courts seem to have rejected such protection claims in all but a few cases. Most of the other data breach victims have tried to emulate two of the winners, but have failed.

In

One might think that any company reasonably anticipates litigation after suffering a data breach, so the work product doctrine would almost inevitably protect its data breach investigation. But only a handful of companies have succeeded in claiming such protection.

In In re Rutter’s Data Security Breach Litigation, Civ. A. No. 1:20-CV-382, 2021 U.S. Dist.

Data privacy is a top concern for many in-house legal professionals – and for good reason – data privacy and cybersecurity legal requirements are complex and continually evolving. Data Privacy Day is a great day to start addressing your organization’s data privacy and cybersecurity needs.

On Data Privacy Day 2021, here is what is top of mind for some of our Data Privacy & Security Team members:

  • Andrew Konia – A Federal Privacy Law: “Calls (pleas?) for federal privacy legislation are nothing new, and last year we came close, with both parties presenting draft bills for consideration (surprise, neither passed!).  But now, with the White House and both chambers of Congress under Democratic control, there appears to be renewed (and more serious) interest in a federal privacy law. We have seen (admittedly narrow) hints of the federal government taking a stronger stance on cybersecurity standards with the IoT Cybersecurity Improvement Act of 2020, which applies to federal agency purchases. But you take the recent and intense backlash on “Big Tech’s” use/sharing of data and perceived lack of data transparency, and mix in the Biden Administration’s prioritization of consumer protection generally, and you have the recipe – and a strong political appetite – for a comprehensive federal privacy law.”
  • Bethany Lukitsch – California: “CPRA will be here before we know it, and most companies are going to have a lot to do to get ready. Updating privacy policies and adding ‘do-not-share’ links are one thing, but as with CCPA, it’s the behind-the-scenes work that is really going to take some time.  It’s certainly not too early to get started.”

Continue Reading Data Privacy Day 2021: Privacy and Cybersecurity Are On Our Minds, Too

Corporations’ investigations generally deserve (1) privilege protection only if the corporations are primarily motivated by their need for legal advice; and (2) work product protection only if they are motivated by anticipated litigation, and the company would not have created the investigation-related documents in the same form but for that anticipated litigation.

In In re