A data breach as a “trigger” for a litigation hold

December 2, 2014

Lately, it seems as if there is news of another data breach nearly every day.  As technology advances and privacy concerns mount, attorneys must understand what a data breach is, and recognize that such an incident is likely a “trigger” for the implementation of a legal hold notice.

The U.S. Department of Education Privacy Technical Assistance Center (“PTAC”) defines a data breach as “an unauthorized release or access of [personally identifiable information] or other information not suitable for public release,” and explains that there are different types of data breaches, such as the hacker who gains improper access, the employee who loses his laptop or other equipment, the employee who leaves private information in a public place, or the policy or system that fails to ensure adequate backup procedures.  See PTAC Data Breach Response Checklist (September 2012).

It is likely that litigation is foreseeable upon discovery of any of these types of breaches, thereby triggering the duty to preserve relevant and non-privileged documents and data.  For this reason, it is critical that in-house counsel retain outside counsel immediately to ensure that preservation obligations are satisfied.  The other reasons why outside counsel should be part of the multi-disciplinary incident response team, including to protect attorney-client communications and attorney work product, and to comply with state notification laws, are outside the scope of this blog.


Conceivably, while the incident response team works to investigate the breach and implement a remedy, an organization faces a great risk of losing documents or other information that it has a duty to preserve.  Outside counsel must issue a timely and effective litigation hold notice as soon as possible.  Although there is a recognizable tension between issuing a timely notice and drafting an effective notice — indeed, the duty to preserve is triggered before the investigation is complete — time is of the essence.  An incomplete investigation is not an excuse for failing to comply with preservation obligations, and the risk of spoliation (and potential sanctions) is too great.

Accordingly, outside counsel must craft a practical, informative notice that does more than instruct document custodians to “preserve what’s relevant.”  The notice should provide specific examples of relevant, non-privileged documents and data to be retained, and identify all potential sources of this information.  It is important to remember that, as with any litigation hold, the notice issued after a data breach should include a written acknowledgment form, and attorneys must monitor compliance with the notice and refresh its substance as often as necessary.

This is the second in a series of posts addressing litigation holds.  For more information, check out eDiscovery For Corporate Counsel, available in print and online on Westlaw, and legalsolutions.com/legal-hold. Stay tuned to this blog for more to come.