Case May Impact Role of Lawyers in Data Breaches and IR - Security Boulevard

by Mark Rasch on January 31, 2023
On January 9, 2023, the U.S. Supreme Court heard oral arguments on a criminal tax investigation case out of California that might impact the scope and extent of attorney-client privileges in data forensic investigations. The case, called In Re Grand Jury, Dkt. No. 21-1397, involves a federal grand jury demand for records created by a law firm in connection with a client’s decision whether or not to “expatriate”—that is, to renounce U.S. citizenship and obtain other citizenship to achieve a certain tax result. The government opened a criminal investigation related to the taxpayer’s status and subpoenaed documents from the law firm. The firm produced some documents which were not privileged but withheld others; it claimed that a “significant purpose” for the creation of the documents was to render legal advice. The trial court and the federal appeals court held that the documents could not be withheld unless it was “the primary purpose” of the creation of the documents to provide legal advice, as opposed to simple tax or business advice, and that the burden of demonstrating that this was “the primary purpose” lay with the person asserting the privilege—the law firm on behalf of the client. The courts also rejected the claim that documents could be privileged if it was “a” primary purpose to provide legal advice. Yet another test for whether such records could be privileged is the “but for” test: Would the documents and records exist “but for” the existence of the privilege and the sought legal advice? In other words, are these documents necessary for the rendering of legal advice, or mere business advice? This is all the more true when the records are documents sent from a third party (in the Supreme Court case, an accountant) to a client with copies to counsel. Since pure tax advice is not privileged, the advice does not obtain the status of privilege simply because a lawyer is on the email chain. 
But if one purpose of including the lawyer is for the lawyer to provide legal advice based on the third-party document, then the issue is muddier. Hence, the Supreme Court’s consideration.

Use of Counsel in Data Breach and Other Cybersecurity Investigations
One of the first things companies do when they suffer from a data breach or other cybersecurity incident is to contact their legal counsel—either in-house or outside counsel. Counsel can be useful and effective in ensuring that the company, in its incident response, adheres to applicable laws and regulations, including data privacy laws, data breach and incident disclosure laws and preservation of evidence requirements, as well as adhering to data reporting and security requirements imposed by any of the various contracts the company may have entered into. In addition, specialized counsel can help direct the incident response process itself, answering questions like whether the company can lawfully read the personal email of employees or contractors sent through corporate networks or sent on personal devices linked to corporate networks. Trained counsel can also help limit a company’s exposure to things like regulatory enforcement actions, class action litigation and other post-incident legal proceedings. All told, it is important that counsel be integrally involved in data privacy, data security, data breach and internal investigative processes.

When counsel is involved, there is typically a privilege established between the attorney and the incident response team which includes both internal and external investigators. The attorney may insist that all communications concerning an incident (or even a proposed new product or service that could impact compliance and privacy) be routed through the counsel’s office and that all such communications be clearly marked “Attorney-client privileged.” Actions taken by third parties at the direction of, or under the auspices of the lawyers are also typically protected by a related doctrine called the “Attorney Work Product Privilege.”

While these things are all necessary, they may not be sufficient to shield things like external forensic reports from discovery and disclosure under either the attorney-client privilege (protecting communications between an attorney and his/her client, including a corporate client) or attorney work product protection (shielding work done by the attorney, or by the agent of the attorney, that is necessary for the rendering of such legal advice or representation).

Data Breaches and Privilege
After Target suffered a massive and multi-million dollar data breach, its counsel took the lead in directing the resulting forensic and other investigations. In the course of the class action litigation that followed, counsel for impacted parties sought copies of the forensic reports prepared on behalf of Target’s lawyers. In In re Target Corp. Customer Data Sec. Breach Litig., No. MDL142522PAMJJK, 2015 WL 6777384 (D. Minn. Oct. 23, 2015), the court held that vast swaths of documents sought by plaintiffs’ counsel were not subject to discovery because, for example, the communications were “focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.” A similar result was obtained in the massive data breach investigation involving credit reporting agency Experian, In re Experian Data Breach Litig., No. SACV1501592AGDFMX, 2017 WL 4325583, at *2 (C.D. Cal. May 18, 2017), where the lawyers provided the court with declarations that the reason for the investigation was to address actual or potential litigation.

In re Zimmer Holdings, Inc. Securities Litigation (7th Cir. 2012)
Summary: Zimmer Holdings, a medical device company, experienced a data breach in which hackers accessed the personal information of employees and their dependents. The company retained outside counsel to investigate the breach and to advise on legal and regulatory issues. Zimmer’s insurer sought to obtain the investigative reports produced by the outside counsel, arguing that they were not protected by attorney-client privilege because the insurer was paying for the investigation. The 7th Circuit Court of Appeals ruled that the attorney-client privilege applied, finding that the insurer’s payment of legal fees did not waive the privilege.

In re Oracle Corp. Derivative Litigation (Cal. Sup. Ct. 2014)
Summary: Oracle, the software company, retained outside counsel to investigate a potential data breach and to advise on legal and regulatory issues. The company’s board of directors received summaries of the investigative reports but did not review the full reports. Shareholders brought a derivative action against the board, alleging that the board had breached its fiduciary duties by failing to properly investigate the data breach. The California Supreme Court ruled that the attorney-client privilege applied to the full investigative reports, even though they were not shared with the board, because the reports were prepared for the purpose of obtaining legal advice.

In re Target Corp. Customer Data Security Breach Litigation (D. Minn. 2015)
Summary: Target, a retail company, experienced a data breach in which hackers accessed the personal information of millions of customers. The company retained outside counsel to investigate the breach and to advise on legal and regulatory issues. Target produced redacted versions of the investigative reports to the Department of Justice and to a congressional committee but argued that the full reports were protected by attorney-client privilege. The District Court of Minnesota ruled that the attorney-client privilege did not apply to the full reports because Target had waived the privilege by producing redacted versions of the reports to third parties.

United States v. Chen (9th Cir. 2016)
Summary: Hsiu-Ying “Lisa” Chen, the CEO of a technology company, retained outside counsel to investigate a potential data breach and to advise on legal and regulatory issues. The Department of Justice subpoenaed the investigative reports as part of a criminal investigation into Chen. The 9th Circuit Court of Appeals ruled that the attorney-client privilege did not apply to the investigative reports because the privilege had been waived when Chen shared the reports with the board of directors and the company’s employees.

In re CareFirst Data Breach Litigation (D.D.C. 2016)
Summary: CareFirst, a health care company, experienced a data breach in which hackers accessed the personal information of millions of customers. The company retained outside counsel to investigate the breach and to advise on legal and regulatory issues. CareFirst produced redacted versions of the investigative reports to a state insurance commissioner but argued that the full reports were protected by attorney-client privilege. The District Court of the District of Columbia ruled that the attorney-client privilege applied to the full reports, finding that CareFirst had not waived the privilege by producing redacted versions of the reports.

A number of courts have declined to follow the Target/Experian precedent or to distinguish these investigations on their facts. Thus, in both In re Premera Blue Cross Customer Data Security Breach Litigation, 296 F. Supp. 3d 1230, 1245-46 (D. Or. 2017) and In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190, 193 (E.D. Va. 2019), the courts respectively found forensic reports in support of data breach investigations were not privileged because the law firms “failed to show that the driving force behind the report’s creation was litigation.” Rather, the court found that “discovering how the breach occurred was a necessary business function regardless of litigation or regulatory inquiries. [The company] needed to conduct an investigation as a business in order to figure out the problem that allowed the breach to occur so that [the company] could solve that problem and ensure such a breach could not happen again.” Id. The court found it relevant that the forensic team had been hired by the client to perform a scope of work before it was aware of a breach or retained outside counsel. That scope of work “did not change after outside counsel was retained.”

Most significantly, in In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 WL 3733137, at *2 (M.D. Pa. July 22, 2021), a company hired an outside law firm to help it respond to a data breach, and the firm in turn hired an outside forensic investigator to conduct the investigation, with communications sent to counsel. The court concluded that “It is clear from the contract between [the investigative firm] and Defendant that the primary motivating purpose behind the [Investigative] Report was not to prepare for the prospect of litigation. Included in the contract is a ‘statement of work’ (SOW) which includes a description of services [which states] ‘The overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.’” The court concluded that “[t]his language demonstrates that Defendant did not have a unilateral belief that litigation would result at the time it requested the [investigative] Report.”

The DC federal court took a somewhat more subtle approach in Guo Wengui v. Clark Hill, PLC, 338 F.R.D. 7, 10–11 (D.D.C. 2021) where it applied the “but for” test to the creation of the forensic report, holding that a forensic report conducted at the request of a law firm was not privileged because the firm had not met its burden of showing that the report, or a substantially similar document, would not have been created in the ordinary course of business irrespective of litigation. The court found that it was highly likely that the data breach victim would have conducted the forensic investigation “irrespective of the prospect of litigation.” The court also rejected the law firm’s contention that the forensic report was designed to serve two separate purposes—first to ascertain the nature and remediate the effects of the attack, but second “for the sole purpose of assisting [the firm] in gathering information necessary to render timely legal advice.”

The court rejected this “two-track” approach simply because the law firm had no record on which the court could rely to establish that this was the purpose of the forensic report.

How the Supreme Court Can Alter the Balance
In each of these cases, the courts have focused on whether the reason for retaining the forensics company or for creating the investigative reports was to assist counsel in preparation for actual or anticipated litigation. The Supreme Court case potentially complicates this analysis: the high court could require not only evidence that preparation for litigation is a purpose of the report, but also that this is the “primary” purpose for the generation of the report.

Moreover, the case law focuses on whether the reports relate to actual or anticipated litigation. However, there are many reasons other than preparing for lawsuits that lawyers may seek to investigate data breaches and incidents. Forensic investigations are necessary for an entity to determine its reporting requirements and its regulatory compliance status; and, most importantly, with entities like CISA and others mandating specific security processes, lawyers may be used to ensure that the company is meeting those standards and processes.

Preserving Attorney-Client Privilege and Work Product Doctrine
Organizations facing a data breach can take certain actions to shield documents and communications protected by the attorney-client privilege and the work product doctrine from disclosure. Organizations should:

Identify the attorney and client: It is important to clearly identify who is acting as the attorney and who the client is. This may seem obvious, but it is important to ensure no confusion on this point. In breach or other security-related investigations, the client will typically be the breached entity. If the law firm is selected by or paid by the cyberinsurance company, it must still be clearly understood that the firm represents the client company and not the insurance company. Decisions about what data to share with the insurer are to be made by the attorney independently.

Document the attorney-client relationship: It is a good idea to document the attorney-client relationship in writing, such as through a retainer agreement or engagement letter. This can help to establish that the relationship exists and that attorney-client privilege applies, who holds the privilege, who retains the experts and how each are paid.

Document the scope and purpose of the representation: It should be clear that the scope of the representation is for the lawyer or law firm to provide legal advice to the client (breached entity) with respect to specific and discrete matters. Thus, the firm should include within the scope of representation: conducting, or causing to be conducted, a forensic investigation to determine whether the company suffering the breach has any civil, criminal, administrative, contractual or other exposure as a result of the breach, and whether its overall security and incident response were compliant with applicable laws and regulations; reviewing any contracts or other agreements related to data protection; advising on privacy and related matters in the conduct of the investigations; and preparing for any actual or anticipated litigation. The law firm retained to assist in the internal investigation may or may not be the same firm that handles any ultimate data breach litigation (or FTC or other investigation). The retainer agreement should make it clear whether the representation anticipates that the lawyer or firm will handle litigation.

Communicate through legal counsel: To ensure that attorney-client privilege applies, it is important for forensic companies, insurers, and other third parties to communicate through legal counsel rather than directly with the client. This means that communications should be routed through the attorney rather than sent directly to the client. In addition, any forensic experts should be retained by the law firm rather than the client. In several cases where the courts have found a lack of privilege, they emphasized that there was a standing retainer between the forensics firm and the client, irrespective of whether the matter involved providing legal advice. As such, the forensic investigation was deemed something that the client would have done anyway. If the forensic investigator is retained and controlled by the lawyer, then the lawyer determines whether a forensic investigation is necessary for providing legal advice and the privilege is more likely to be retained.

Understand the jurisdiction and applicable privilege laws: Each jurisdiction has its own laws governing attorney-client privilege, so it is important to be aware of the specific laws that apply to the investigation.

Consider the timing of the investigation: Attorney-client privilege may not apply if the investigation is conducted for a purpose other than seeking legal advice. Therefore, it is important to consider the primary purpose of the investigation and to ensure that it is for the purpose of seeking legal advice.

Understand the rules: Ensure that employees of both the company and the forensic investigator understand the rules for privileged and work product protection, that they appropriately mark and segregate privileged materials and that they not share such documents outside the scope of the privilege.

Track and document: Track and document whether and when the organization reasonably anticipated litigation and, if so, provide the basis for such belief. If third parties are retained by the law firm in anticipation of litigation, the retainer agreement should so specify and document how the third party is to report to the firm.

If only part of the forensic investigation is to provide legal advice and part is for “pure business” advice, consider creating two tracks—one of which is not presumptively privileged and the other of which contains information which is privileged—and follow the rules for privilege and protection for the second track. Document which records are in which track. In this way, the “primary purpose” test being reviewed by the Supreme Court may still be satisfied for the documents in the “prepared for litigation” track, even if privilege is not preserved for the other track.

Where third parties may also be involved in the investigation (e.g., vendors, suppliers, insurers, counsel representing other entities, cloud providers), enter into “joint defense” agreements with their counsel to permit the sharing of information and strategies with respect to defenses without waiving the privilege as to others. Make sure, however, that such joint defense agreements permit (and indeed mandate) withdrawal from the joint defense when the interests of the parties diverge, and that they require the return and non-use of documents shared under the joint defense in the event of withdrawal.

Consider also the law of other jurisdictions which may or may not recognize the same privileges or to the same extent. Just because something enjoys a privilege from disclosure in the United States does not mean that these records are privileged everywhere.

Conclusion
The most important analysis is for the entity to establish the reason the report was created. If the report was created for business purposes (e.g., if the funding comes from a business unit rather than the legal department, or the report is shared with outside accountants in a way not typical for legal analysis), then a court is not likely to determine that the report’s “primary purpose” was for legal advice and representation. The courts will also look to ensure that the reports were generated at the behest of and for the benefit of counsel, that they were not disseminated to anyone outside the scope of the privilege, and that the privilege was not waived and is not being invoked to perpetrate any crime or fraud. For example, with mandatory “incident” and “ransomware” disclosure laws being furthered by CISA and others, one cannot expect to be shielded from compliance with the law simply because the forensic report from which the lawyer concluded that a disclosure was required is itself protected by privilege. If you have to report, you have to report. Just make sure that this is an informed decision made by counsel armed with the best evidence available to them.