On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident. Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial measures that are of most interest to those following data breach enforcement actions.
Data breach investigation documents protected by attorney-client privilege and work product doctrine
On October 23, 2015, the Federal District Court in Minnesota upheld Target’s assertion that documents produced pursuant to an internal investigation of its 2013 security incident fell within the protections of the attorney-client privilege and work-product doctrine.