Photo of Jennifer Brumfield

Jennifer Brumfield

Subscribe to Jennifer Brumfield's Posts

Jennifer is a litigator on the Privacy + Cyber team. She represents clients in complex cybersecurity and privacy class actions — including cases that involve emerging legal questions related to jurisdiction and standing — and manages all phases of litigation from case assessment through discovery, dispositive motions, settlement, and appeals.

Contact:Read more about Jennifer Brumfield
Cyber_1200x600_GettyImages-1987307560

In Part 1 of this series, we outlined the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: who is covered, when audits are required, and the key obligations to keep in mind. In Part 2, we explored the mechanics and explained what the California Privacy Protection Agency (CalPrivacy) expects the cybersecurity audit to look like in practice, including what must be evaluated, who may conduct the audit, how thorough it must be, and what goes into the audit report.

Data-Breach_1200x600_GettyImages-1895498673

This article was originally published on The Legal Intelligencer and is republished here with permission as it originally appeared on March 12, 2026.

In this third and final article in a three-part series on the FirstEnergy decision, we turn to what happens when litigation arrives and privilege is challenged.

Over the past several years, district courts have been skeptical of privilege claims over forensic investigation materials in the cybersecurity context. FirstEnergy provides a framework for defending those materials. Every cyber investigation serves two purposes. From a legal perspective, the investigation informs litigation exposure and defense strategy. But the same investigation also identifies compromised systems, drives remediation and supports business operations. After FirstEnergy, those dual purposes do not defeat privilege, provided the investigation was initiated because of legal risk and directed by counsel. This article also examines how the lessons of FirstEnergy apply in cases involving multiple defendants that may have both a desire and need—for both business and legal purposes—to work together to understand an incident and share information.

Cyber_1200x600_GettyImages-2155090853

In Part 1 of this series, we walked through the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: which businesses are covered, when audits are required, and the high-level obligations to have on your radar.

This five-part series provides an introductory roadmap to the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement and the California Privacy Protection Agency’s (CalPrivacy) implementing regulations.