This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

The Central District of California recently joined the small growing list of courts that have held forensic reports created by outside security companies following a data breach are protected from disclosure in civil litigation in certain circumstances. In the case In re Experian Data Breach Litigation, Judge Andrew J. Guilford held that a forensic report created by the security firm Mandiant at the direction of Experian's outside counsel, Jones Day, qualified as trial preparation material (or “work product”) under Federal Rule of Civil Procedure (FRCP) 26(b)(3) and denied a motion to compel its production.

Experian is only the third case to result in a ruling addressing these important questions. While all three rulings protected forensic reports from disclosure, the analysis in each case was highly fact-dependent. Judge Guilford's reasoning in Experian addresses several key issues not directly raised in those other cases and sheds light on several others.