Six Considerations to Preserve Privilege
When an organization that has suffered a data breach begins to investigate the breach, preserving attorney-client privilege and work-product protection is probably not top of mind for the organization and its in-house counsel. After all, the organization just suffered an event that is likely to have business and legal consequences for the foreseeable future.
But preserving privilege and work-product protection should not be an afterthought. Non‑privileged documents and communications that must be turned over to regulators or private plaintiffs during litigation can be a hurdle for an organization in its efforts to resolve a proceeding or litigation against it on favorable terms. If made public, these documents and communications could also wreak havoc on an organization’s reputation and financial picture. (Not because adverse facts are hidden within privileged material, but because people speak candidly in such material—exactly what the privilege is designed to encourage. Naturally, plaintiffs and regulators seize on such candid remarks, take them out of context, and spin them to support their cases. They can’t help themselves.)
The good news is that organizations and their in-house counsel can structure their breach investigations from the get-go to bolster privilege and work-product arguments they may need to make down the road. Here are six things you should keep in mind when doing so.
When it comes to third parties providing services to organizations in connection with expected litigation, it is no secret that the best way to bolster arguments for the application of attorney‑client privilege or work-product protection to these relationships is to have the organizations’ outside law firms retain and direct the work of the third parties.
But what about when the third-party forensics firm that an organization will engage for its data breach investigation is already working with the organization? Based on the ruling in In re: Premera Blue Cross Customer Data Security Breach Litigation, 296 F. Supp. 3d 1230, 1245-46 (D. Or. 2017), the best practice would be for the organization’s outside law firm to directly retain the forensics firm under a separate agreement covering only services related to the breach at issue. In the absence of a separate agreement written for the distinct incident, courts are unlikely to rule that privilege applies—even when an organization directs its forensics firm to report directly to its outside counsel regarding the firm’s work on a particular breach. See In re Cap. One Consumer Data Sec. Breach Litig., No. 1:19MD2915 (AJT/JFA), 2020 WL 2731238 (E.D. Va. May 26, 2020), aff’d, No. 1:19MD2915 (AJT/JFA), 2020 WL 3470261 (E.D. Va. June 25, 2020).
The information contained in an organization’s incident report regarding a particular data breach will surely be of interest to unfriendly third parties. Regulators and private plaintiffs will be chomping at the bit to get their hands on that report and will likely request the report during their investigation or through discovery. Shareholders seeking corporate records under a Delaware Section 220 demand could be next in line, as they look for a basis for bringing derivative claims against directors or officers.
To preserve privilege and work-product protections over incident reports, organizations and their forensics firms should think carefully about the information they put into those reports.
For example, information in an incident report focused solely on the business or technical issues raised by a breach is unlikely to be covered by attorney-client privilege or the work-product doctrine. See Guo Wengui v. Clark Hill, PLC, et al., 2021 WL 106417 (D.D.C. 2021) (finding incident response report was not privileged because the “true objective” animating the preparation of the report was the defendant’s effort to “glean Duff & Phelps’s expertise in cybersecurity, not in ‘obtaining legal advice from [its] lawyer.’”); In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (M.D. Pa. July 22, 2021) (denying privilege or work product protection over incident response report based on court’s conclusion that litigation could not have been the “‘primary motivating factor’” behind the report). However, when that information is integrated into outside counsel’s mental impressions and opinions about legal exposure, there is a stronger argument for that information being protected from disclosure.
When an organization is dealing with federal regulators concerning a data breach, its in-house counsel should keep Federal Rule of Evidence 502 top of mind. FRE 502 provides that when intentional disclosures are made in federal proceedings or to a federal office or agency that waive attorney-client privilege or work-product protection, the waiver also extends to undisclosed communications or information sharing the same subject matter. (As a saving grace, FRE 502(d) allows federal courts to limit the waiver of privilege and the work-product doctrine.)
Thanks to FRE 502, sharing privileged documents with a federal agency can cause a chain reaction of disclosure that extends to all documents sharing that same subject matter. In-house counsel must carefully weigh the benefits of sharing information with federal regulators against the risks of waiver as a result. Sometimes, sharing information makes sense. Sometimes, there is no real choice. No matter the situation, in-house counsel must understand the risks of sharing before deciding to do so.
Also, in-house counsel should consider pursuing a Rule 502(d) order providing that a particular disclosure does not constitute a waiver. Such an order may require litigation, but it could be worth the effort.
In the United States, the application of attorney-client privilege to an attorney’s communications with individuals inside an organization who are part of a breach investigation team will not depend on whether the attorney is in-house counsel or from an outside law firm. Privilege will apply so long as the communications were part of the attorney’s efforts to provide legal advice to the organization.
It is a different story for organizations operating outside the United States. A number of countries—including Austria, the Czech Republic, France, Germany, Hungary, Italy, Luxembourg, and Sweden—do not consider in-house attorneys’ communications with their colleagues to be privileged (with some exceptions). In these countries, only communications between external attorneys and the in-house employees are generally privileged.
Thus, organizations with operations in certain non-U.S. countries may want to structure their breach investigation teams so that only their outside counsel are communicating with the organization (in-house counsel or the business team) concerning a breach investigation.
In the wake of a data breach, an organization and its in-house attorneys will have a lot of work to do in an impossibly short amount of time. Taking some time to structure a breach investigation from the outset to prioritize the preservation of attorney-client privilege and work-product protection is a small investment of effort that could pay off should government investigations or litigation arise as a result of that breach.
Although the case for privilege or work-product protection over incident response reports is strong (if the engagement with the consultant is properly structured and managed), the decisions in Capital One, Guo Wengui, and Rutter’s show that there is no guarantee. With that in mind, urge your teams to communicate carefully and responsibly, without the false sense of security that nothing they put in writing is subject to discovery. While it goes without saying that your incident response teams must speak honestly (and that you must take steps to preserve any documents relevant to an incident), speaking honestly necessarily means avoiding speculation and hyperbole, the kinds of communications that often raise issues in litigation that could easily be avoided by more responsible communications during an incident.
This article in our “Beyond the Breach” series was authored by Mark David McPherson, a partner in Morrison & Foerster’s Privacy + Data Security Group.