The outlines of the attorney-client privilege and work-product doctrine are well-established. But how should they apply when an organizational client suffers a cybersecurity event or other intrusion that results in a data breach? Should information about the company’s security policies pre-breach and its post-breach response be given any enhanced protection? Under what circumstances?
The questions