Once Upon A Time At Your CU. Are you Ready To Respond To The Next Data Breach?  

June 17, 2020 at 11:18 am

One of these days you’re going to grab some coffee, turn on your computer and start your work day and, while dutifully reading this blog, get an email from your IT person informing you that your credit union has been hacked. You don’t know exactly how much data has been exposed, but there’s a pretty good chance a third party gained access to your members’ personally identifiable information.

You spring into action by pulling out your credit union’s Data Breach Protocols, which will of course have just been updated a few months ago as part of the credit union’s on-going planning. The Data Breach Response Team is called into action and everyone knows exactly what to do. Of course, you quickly want to nail down exactly what has happened. So even before you contact your outside counsel, you reach out to a third-party information security team that you know has experience dealing with data breaches.

Since contracts are always important and closely adhered to, your outside counsel quickly drafts a contract for the IT team and it quickly gets to work. Within days the IT consultant reports back with a written document describing what happened and why, some of which doesn’t paint the credit union in the best light. You contact your regulators and notify your members that a data breach has occurred and, quicker than the coronavirus can spread through a bunch of drunk college kids on Spring Break, the first class-action lawsuit has been filed against your credit union.

The scenario I just described is similar to the one confronted by Capital One when it discovered it was hacked in 2019. See In re: Capital One Consumer Data Security Breach Litigation; “Capital One Ordered To Release Report Of Massive Data Heist”; opinion (PDF).

My guess is that, while many of you have at least thought about the issues raised by the above hypothetical, you probably haven’t given much thought to the issue of attorney-client privilege in general or attorney work product in particular. It’s time for that to change. Capital One is now battling to keep a report produced by an outside IT team exempt from discovery by the attorneys suing it over the data breach. It has lost the first round in its battle, which is an unfortunate development for anyone who works to protect financial institutions.

Attorney Work Product refers to work performed by attorneys or their agents in response to or in anticipation of litigation (Federal Rule of Evidence 502 and New York CPLR 3101). This seemingly straightforward definition is not as easy to apply as it should be. For instance, in Capital One’s case a third-party IT report was done at the request of the bank’s outside counsel and its results were given first to the law firm. Nevertheless, the court concluded that the report would have been produced with or without the threat of litigation. It pointed out, for example, that the work being performed by the IT team was similar to work it was performing on behalf of the bank pursuant to a contract that was entered into before anyone knew of a data breach. In addition, the report could be used to comply with regulatory requirements with which the bank had to comply regardless of the lawsuit. The bank is appealing.

Although the scope of and deference given to attorney-client communications vary by state, the case underscores the importance of considering how best to keep attorney communications private in your data response plan. A good data breach response has to allow for frank discussions and analysis. This is precisely why the attorney-client privilege exists. Mistakes are going to happen. The consequences of these mistakes will be exacerbated if attorneys aren’t free to give the most straightforward advice they can.

Entry filed under: Legal Watch.

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
