Five Considerations For In-House Counsel When Attempting to Preserve Privilege and Work-Product Protection During a Data Breach Investigation

When an organization that has suffered a data breach begins to investigate the breach, preserving attorney-client privilege and work-product protection is probably not top of mind for the organization and its in-house counsel. After all, the organization just suffered an event that is likely to have business and legal consequences for the foreseeable future.

But preserving privilege and work-product protection should not be an afterthought. Non-privileged documents and communications that must be turned over to regulators or private plaintiffs during litigation can be a hurdle for an organization in its efforts to resolve a proceeding or litigation against it on favorable terms. If made public, these documents and communications could also wreak havoc on an organization’s reputation and financial picture. (Not because adverse facts are hidden within privileged material, but because people speak candidly in such material—exactly what the privilege is designed to encourage. Naturally, plaintiffs and regulators seize on such candid remarks, take them out of context, and spin them to support their cases. They can’t help themselves.)

The good news is that organizations and their in-house counsel can structure their breach investigations from the get-go to bolster privilege and work-product arguments they may need to make down the road. Here are five things you should keep in mind when doing so.

1. Outside counsel should retain third-party forensics firms for each distinct security incident.

When it comes to third parties providing services to organizations in connection with expected litigation, it is no secret that the best way to bolster arguments for the application of attorney-client privilege or work-product protection to these relationships is to have the organizations’ outside law firms retain and direct the work of the third parties.

But what about when the third-party forensics firm an organization will engage for its data breach investigation is already working with the organization? Based on the ruling in In re: Premera Blue Cross Customer Data Security Breach Litigation, 296 F. Supp. 3d 1230, 1245-46 (D. Or. 2017), the best practice would be for the organization’s outside law firm to directly retain the forensics firm under a separate agreement covering only services related to the breach at issue. In the absence of a separate agreement written for the distinct incident, courts are unlikely to rule that privilege applies—even when an organization directs its forensics firm to report directly to its outside counsel regarding the firm’s work on a particular breach.

2. Organizations and their forensics firms should be strategic about the contents of incident reports.

The information contained in an organization’s incident report regarding a particular data breach will surely be of interest to unfriendly third parties. Regulators and private plaintiffs will be chomping at the bit to get their hands on that report, and will likely request the report during their investigation or through discovery. Shareholders seeking corporate records under a Delaware Section 220 demand could be next in line, as they look for a basis for bringing derivative claims against directors or officers.

To preserve privilege and work-product protections over incident reports, organizations and their forensics firms should think carefully about the information they put into those reports.

For example, information in an incident report focused solely on the business or technical issues raised by a breach are unlikely to be covered by attorney-client privilege or the work-product doctrine. When, however, that information is integrated into outside counsel’s mental impressions and opinions about legal exposure, there is a stronger argument for that information being protected from disclosure.

3. In-house attorneys should consider which documents their organizations may eventually share with federal agencies.

When an organization is dealing with federal regulators concerning a data breach, its in-house counsel should keep Federal Rule of Evidence 502 top of mind. FRE 502 provides that when intentional disclosures are made in federal proceedings or to a federal office or agency that waive attorney-client privilege or work-product protection, the waiver also extends to undisclosed communications or information sharing the same subject matter. (As a saving grace, FRE 502(d) allows federal courts to limit the waiver of privilege and the work-product doctrine.)

Thanks to FRE 502, sharing privileged documents with a federal agency can cause a chain reaction of disclosure that extends to all documents sharing that same subject matter. In-house counsel must carefully weigh the benefits of sharing information with federal regulators against the risks of waiver as a result. Sometimes, sharing information makes sense. Sometimes, there is no real choice. No matter the situation, in-house counsel must understand the risks of sharing before deciding to do so.

Also, in-house counsel should consider pursuing a Rule 502(d) order providing that a particular disclosure does not constitute a waiver. Such an order may require litigation, but it could be worth the effort.

4. International companies should think twice about in-house attorneys supervising internal members of a breach investigation team.

In the United States, the application of attorney-client privilege to an attorney’s communications with individuals inside an organization who are part of a breach investigation team will not depend on whether the attorney is in-house counsel or from an outside law firm. Privilege will apply so long as the communications were part of the attorney’s efforts to provide legal advice to the organization.

It is a different story for organizations operating outside the United States. A number of countries—including Austria, the Czech Republic, France, Germany, Hungary, Italy, Luxembourg, and Sweden—do not consider in-house attorneys’ communications with their colleagues to be privileged, even when the attorneys are providing legal advice to the organization. In these countries, only communications between external attorneys and the in-house employees are privileged.

Thus, organizations with operations in certain non-U.S. countries may want to structure their breach investigation teams so that their outside counsel are the only attorneys communicating directly with internal team members.

5. When it comes to privilege and data breach investigations, an ounce of prevention is worth a pound of cure.

In the wake of a data breach, an organization and its in-house attorneys will have a lot of work to do in an impossibly short amount of time. Taking some time to structure a breach investigation from the outset to prioritize the preservation of attorney-client privilege and work-product protection is a small investment of effort that could pay off in spades should government investigations or litigation arise as a result of that breach.

This article in our “Beyond the Breach” series was authored by Mark David McPherson, a partner in Morrison & Foerster’s Privacy + Data Security Group.