Six Considerations to Preserve Privilege
When an organization that has suffered a data breach launches its investigation, preserving attorney-client privilege and work-product protection is often not top of mind. But preserving privilege and work-product protection should not be an afterthought.
Non‑privileged documents that must be turned over to regulators or private plaintiffs during litigation can present a hurdle in resolving a future regulatory proceeding or litigation on favorable terms. If made public, the information could also seriously damage an organization’s reputation. (Not because adverse facts are hidden within privileged material, but because people speak candidly in such material—exactly what the privilege is designed to encourage. Naturally, plaintiffs and regulators seize on such candid remarks, take them out of context, and spin them to support their cases.)
The good news is that organizations can structure their breach investigations from the get-go to bolster privilege and work-product arguments they may need to make down the road. Here are six things you should keep in mind when doing so.
When it comes to third parties providing services to organizations in connection with anticipated litigation, it is no secret that the best way to bolster arguments for applying the attorney-client privilege or work-product protection to any reports or communications is to have the organization's outside law firm retain and direct the work of the third parties.
But what about when the third-party forensics firm that an organization will engage for its breach investigation is already working with the organization? Based on the ruling in In re Premera Blue Cross Customer Data Security Breach Litigation, 296 F. Supp. 3d 1230, 1245-46 (D. Or. 2017), the best practice would be for the organization’s outside law firm to directly retain the forensics firm under a separate agreement covering only services related to the breach at issue. Additionally, the engagement letter or scope of work should identify how the third party’s investigation or report is related to the provision of legal advice or made in anticipation of litigation. See Leonard v. McMenamins Inc., No. C22-0094-KKE, 2023 WL 8447918, at *3-5 (W.D. Wash. Dec. 6, 2023). In the absence of a separate agreement with outside counsel for the distinct incident, courts are unlikely to rule that privilege applies—even when an organization directs its forensics firm to report directly to its outside counsel regarding the firm’s work on a particular breach. See In re Cap. One Consumer Data Sec. Breach Litig., No. 1:19md2915 (AJT/JFA), 2020 WL 2731238, at *8-10 (E.D. Va. May 26, 2020), aff’d, No. 1:19md2915 (AJT/JFA), 2020 WL 3470261 (E.D. Va. June 25, 2020).
The information contained in an organization’s incident report regarding a particular data breach will surely be of interest to unfriendly third parties. Regulators and private plaintiffs will be chomping at the bit to get their hands on that report and will likely request the report during their investigation or through discovery. Shareholders seeking corporate records under a Delaware Section 220 demand could be next in line, as they look for a basis for bringing derivative claims against directors or officers.
To preserve privilege and work-product protections over incident reports, organizations and their forensics firms should think carefully about the information they put into those reports.
For example, neither the attorney-client privilege nor the work-product doctrine is likely to cover an incident report focused primarily on the business or technical aspects of a breach. See Guo Wengui v. Clark Hill, PLC, No. 19-3195 (JEB), 2021 WL 106417, at *11-13 (D.D.C. Jan. 12, 2021) (finding incident response report was not privileged or work product because the “true objective” animating the preparation of the report was the defendant’s effort to “glean[] Duff & Phelps’s expertise in cybersecurity, not in ‘obtaining legal advice from [its] lawyer,’” and “substantially the same [document] would have been prepared . . . as part of the ordinary course of business” (citations omitted)); In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 WL 3733137, at *1-3 (M.D. Pa. July 22, 2021) (denying privilege or work-product protection over incident response report based on court’s conclusion that litigation could not have been the “primary motivating factor” behind the report). For similar reasons, an organization should consult with outside counsel before using the investigative report for non-litigation purposes. See McMenamins Inc., 2023 WL 8447918, at *3-5. However, when information stemming from the investigation is integrated into outside counsel’s mental impressions and opinions about legal exposure or strategy, there is a stronger argument for protection from disclosure.
When an organization is dealing with federal regulators concerning a data breach, its in-house counsel should keep Federal Rule of Evidence 502 top of mind. Rule 502 provides that when intentional disclosures are made in federal proceedings or to a federal office or agency that waive attorney-client privilege or work-product protection, the waiver may also extend to undisclosed communications or information sharing the same subject matter. (As a saving grace, Rule 502(d) allows federal courts to limit the waiver of privilege and the work-product doctrine.)
Thanks to Rule 502, sharing privileged documents with a federal agency can cause a chain reaction of disclosure that extends to all documents sharing that same subject matter. In-house counsel must carefully weigh the benefits of sharing information with federal regulators against the risks of waiver. Sometimes, sharing information makes sense. Sometimes, there is no real choice. No matter the situation, in-house counsel must understand the risks of sharing before deciding to do so.
Also, in-house counsel should consider entering a confidentiality agreement or pursuing a Rule 502(d) order providing that a particular disclosure does not constitute a waiver. See Target Corp. v. ACE Am. Ins. Co., 576 F. Supp. 3d 609, 617-18 (D. Minn. 2021) (denying subject matter waiver because the parties’ contract provided that the entire “process was confidential and that all communications were privileged”). A Rule 502(d) order may require litigation, but it could be worth the effort if an agreement cannot be reached.
In the United States, attorney-client privilege applies to an attorney’s communications with individuals inside an organization who are part of a breach investigation team regardless of whether the attorney is in-house counsel or from an outside law firm. Privilege will apply so long as the communications were part of the attorney’s efforts to provide legal advice to the organization.
It is a different story for organizations operating outside the United States. A number of countries—including Austria, the Czech Republic, France, Italy, Luxembourg, and Sweden—do not consider in-house attorneys’ communications with their colleagues to be privileged (with some exceptions). In these countries, only communications between external attorneys and the in-house employees are generally privileged.
Thus, organizations with operations in certain non-U.S. countries may want to structure their breach investigation teams so that only their outside counsel are communicating with the organization (in-house counsel or the business team) concerning a breach investigation.
In the wake of a data breach, an organization and its in-house attorneys will have a lot of work to do in an impossibly short amount of time. Taking some time to structure a breach investigation from the outset to prioritize the preservation of attorney-client privilege and work-product protection is a small investment of effort that could pay off if government investigations or litigation arise as a result of that breach.
Although there is a case for applying privilege or work-product protection over incident response reports (if the engagement with the consultant is properly structured and managed), the decisions in McMenamins, Capital One, Guo Wengui, and Rutter’s show there is no guarantee. With that in mind, urge your teams to communicate carefully and responsibly, with the knowledge that anything put in writing may come out in discovery. While it goes without saying that your incident response teams must speak honestly (and that you must take steps to preserve any documents relevant to an incident), speaking honestly necessarily means avoiding speculation and hyperbole—the kinds of communications that often raise issues in litigation that could easily be avoided by more responsible communications during an incident.