Data Breach Forensic Reports and Privilege Challenges

p4ppppFind Your Next Job ppGoTo GuideppOver the past few years the rate of notable data breaches has risen considerably and along with that rise has come an increase in class action litigation In a world where any company can be the next victim of a breach business leaders and their legal counsel should consider in advance how to protect privilege and minimize risk in postbreach investigations But certain recent federal district court decisions have made it more difficult to assert protection over breachrelated documents and communications Traditional Approach to Data Breaches Forensic ReportsppTraditionally after data breaches of all sizes outside counsels standard approach has been to hire highly technical vendors such as forensic investigators to perform the analysis of how a breach unfolded to inform their legal advice This approach creates a threeway relationship focused on providing companies with the best legal advice possible after a breach The forensic firms role in such situations is as a consulting expert often providing a comprehensive report to support legal counsels efforts Previously lawsuits after a breach were rare and challenges to defendants breach investigation methods were even more uncommon Thus collaboration between companies legal counsel and forensic firms proceeded unquestionedppThe CCPAs Potential Effect on the LandscapeppSince 2020 the number of lawsuits filed after data breaches have increased dramatically especially where a significant number of individuals personal information is exposed The reason for the increase may be Californias data privacy law the CCPA1 which allows plaintiffs to claim statutory damages of 100 to 750 per affected person While damages are limited to California residents plaintiffs lawyers have persisted in filing nationwide class actions involving nonCalifornians resulting in a proliferation of lawsuits These lawsuits have led to increasing challenges against keeping forensic reports protected under privilegeppForensic Reports and DiscoveryppDuring the discovery phase of a lawsuit lawyers are entitled to request relevant documents and communications from the opposing party For forensic reports counsel typically claims at least one type of protection whether via the work product doctrine attorneyclient privilege or both Work product protection is permitted when a document was created in anticipation of litigation either by counsel or by a nonlawyer at counsels direction2 As seen in case law the facts of how and why a document was created determine whether its purpose was primarily for litigation or merely business purposesppAttorneyclient privilege generally applies to 1 a communication 2 made between privileged persons 3 in confidence 4 for the purpose of seeking obtaining or providing legal assistance to the client3 While powerful it can be waived such as by sharing communications with certain third parties And it does not protect underlying facts though the communications themselves often contain a mix of facts and opinionsppBut recent casesdiscussed belowshow that findings of protection over forensic reports are by no means assured On top of courts new tendency to find that there is no guarantee of protection when counsel directly retains a forensic investigator in certain circumstances a recent federal district court case has also excluded from protection communications between the victim company counsel and the forensic investigatorppFederal Courts Narrow the Scope of ProtectionppIn the last few years certain federal district courts across the nation have begun issuing decisions slimming the scope of protection for forensic reports produced in response to a data breach An early notable case was Capital One4 in 2020 which found no work product protection attached to the forensic report The dispute over work product protection arose in large part because the forensic investigator was on retainer with the victim company before the breach occurred even though the investigator conducted its investigation pursuant to a separate statement of work that outside counsel requested The court held that even though litigation may have been likely when the report was made the report was ultimately prepared for business purposes because the facts proved a similar report would have been created anyway Capital One did not appeal this rulingppIn 2021 Wengui held that there was no work product protection when a separate forensic firm drafted a forensic report at counsels request despite the report being created in parallel to a report the defendant corporations IT security advisor prepared because the forensic report was still used for business purposes The court also held that attorneyclient privilege did not apply to this report because the facts showed the defendant corporation was seeking the investigators technical advice directly rather than relying solely on their attorneys legal advice as aided by the investigators findingsppSeveral months later Rutters5 found work product protection only applies where identifiable or impending litigation is the primary motivating purpose of creating the document Because the defendant suspected but did not know for sure whether a breach had occurred at the time it engaged the forensic investigator the court decided the defendant could not have unilaterally believed that litigation would resultppAs to the attorneyclient privilege the Rutters court found it does not exist where the forensic report only discusses facts and does not involve opinions and tactics noting that the privilege does not protect any communications of fact nor does it apply merely because a legal issue is presentppAn opinion from the Western District of Washington Leonard v McMenamins6 continues this recent trend but with a twist the plaintiff requested both the forensic report and counsels email communications to the client where the forensic firm was copied In Leonard the defendant corporation suffered a ransomware attack External counsel hired a forensic investigator which investigated at counsels direction and prepared a forensic report The defendant claimed both work product and attorney client privilege over the report The court disagreed on both frontsppFor the report the court found work product protection was not present relying on prior persuasive cases to develop a list of factors 1 whether the report provides factual information to the breached company 2 whether the report is the only analysis of the breach 3 the kinds of services the retained investigator provided 4 the relationship between the retained investigator and the breached company and 5 whether the report would have been prepared in a substantially similar form absent the anticipation of litigationppUltimately the court based its opinion on its finding that the report was drafted for a purely business purpose Because the report was in the courts view the only source of meaningful analysis about the breach it held the plaintiffs would have met the Rule 26b7 exception to work product privilege That exception permits a party to overcome a work product privilege claim by demonstrating that documents are 1 otherwise discoverable under Rule 26b and 2 the party can show it has substantial need for the documents to support its arguments and would take on undue hardship if required to obtain similar documents by other meansppRegarding attorneyclient privilege for the report the court placed great weight on whether legal advice is sought when requesting the forensic report but even greater weight on whether such advice is in fact provided In the end because the report in Leonard does not provide legal advice the court found it was not privilegedppLeonard is unique because the court addressed more than just materials the forensic investigator prepared it evaluated counsels emails to the client where the forensic firm was copied After the defendant asserted attorneyclient privilege the court elucidated its view that communications involving the forensic investigator concerning the facts of the attack and the defendants response investigations and remediation are not privileged The court did leave the door open for at least some email communications with counsel to remain privileged noting that there can be circumstances when a cybersecurity consultant works with counsel to provide legal advice after a data breach However in a footnote the court expressed its expectation that in that case most if not all communications that include the forensic investigator will be removed from the privilege log and produced The court may have been alluding to the Kovel doctrine which provides that attorneyclient privilege can attach to communications with third party consultants if their primary purpose is to give or receive legal advice as opposed to business or tax advice8 The Leonard court did not acknowledge Kovel explicitly relying primarily on tests that emphasize the nature of the privilege9ppConclusionppWhile many courts have protected forensic reports and communications from disclosure in litigation the emergence of this more restrictive view may require companies to exercise caution and restraint when communicating with forensic investigators Recent cases have focused on whether a forensic firm is truly assisting legal counsel with providing advice or instead performing the business function of analyzing how a breach occurred When examining protection in light of the increasing likelihood a class action is filed after a significant breach courts appear to be struggling to align on whether that risk is the true reason reports are prepared and whether the forensic investigator is truly providing expertise to aid legal counsel At a time when litigation following a data breach is surging lending credibility to the argument that forensic reports are prepared in anticipation of such litigation courts are grappling with this essential question what is the true role of a forensic investigator following a data breachppTakeawaysppWhen breaches occur attorneys can react proactively to this district court trend Companies may want to consider the followingppMore Upcoming Eventspp ppSign Up for any or all of our 25 Newsletterspp ppYou are responsible for reading understanding and agreeing to the National Law Reviews NLRs and the National Law Forum LLCs  Terms of Use and Privacy Policy before using the National Law Review website The National Law Review is a freetouse nologin database of legal and business articles The content and links on wwwNatLawReviewcom are intended for general information purposes only Any legal analysis legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice No attorneyclient or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms attorneys or other professionals or organizations who include content on the National Law Review website If you require legal or professional advice kindly contact an attorney or other suitable professional advisor  ppSome states have laws and ethical rules regarding solicitation and advertisement practices by attorneys andor other professionals The National Law Review is not a law firm nor is wwwNatLawReviewcom  intended to be a referral service for attorneys andor other professionals The NLR does not wish nor does it intend to solicit the business of anyone or to refer anyone to an attorney or other professional  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us ppUnder certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements Attorney Advertising Notice Prior results do not guarantee a similar outcome Statement in compliance with Texas Rules of Professional Conduct Unless otherwise noted attorneys are not certified by the Texas Board of Legal Specialization nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional CredentialsppThe National Law Review National Law Forum LLC 2070 Green Bay Rd Suite 178 Highland Park IL 60035  Telephone  708 3573317 or tollfree 877 3573317  If you would like to contact us via email please click hereppCopyright 2025 National Law Forum LLCp