Six Considerations to Preserve Privilege
When an organization that has suffered a data breach launches its investigation, preserving attorney-client privilege and work-product protection is not always top of mind. But preserving privilege and work-product protections should be a priority from the outset of the incident response process.
Non‑privileged documents that must be turned over to regulators or private plaintiffs during litigation can present hurdles when attempting to resolve future regulatory proceedings or litigation on favorable terms. If made public, the information could also seriously damage an organization’s reputation. (Not because adverse facts are hidden within privileged material, but because people speak candidly in such material—exactly what the privilege is designed to encourage. Naturally, plaintiffs and regulators seize on such candid remarks, take them out of context, and spin them to support their cases.)
Although courts are continuing to scrutinize whether documents pertaining to breach investigations are protected, the best steps that organizations can take to bolster privilege and work-product arguments down the road are to structure their investigations correctly from day one. Here are six things you should keep in mind when doing so.
When it comes to third parties providing services to organizations in connection with anticipated litigation, the best way to bolster arguments for applying the attorney‑client privilege or work-product protection to any reports or communications is to have the organization’s outside law firm retain and direct the work of the third parties.
But what if the third-party forensics firm that an organization plans to engage for its breach investigation is already working with the organization? Based on the ruling in In re Premera Blue Cross Customer Data Security Breach Litigation, 296 F. Supp. 3d 1230, 1245-46 (D. Or. 2017), the best practice would be for the organization’s outside law firm to directly retain the forensics firm under a separate agreement covering only services related to the breach at issue. Additionally, the engagement letter or scope of work should identify how the third party’s investigation or report is related to the provision of legal advice or made in anticipation of litigation. See Leonard v. McMenamins Inc., No. C22-0094-KKE, 2023 WL 8447918, at *3-5 (W.D. Wash. Dec. 6, 2023). In the absence of a separate agreement with outside counsel for the distinct incident, courts are unlikely to rule that privilege applies—even when an organization directs its forensics firm to report directly to its outside counsel regarding the firm’s work on a particular breach. See In re Cap. One Consumer Data Sec. Breach Litig., No. 1:19md2915 (AJT/JFA), 2020 WL 2731238, at *8-10 (E.D. Va. May 26, 2020), aff’d, No. 1:19md2915 (AJT/JFA), 2020 WL 3470261 (E.D. Va. June 25, 2020).
The information contained in an organization’s incident report regarding a particular data breach will inevitably be of interest to unfriendly third parties. Regulators and private plaintiffs will be chomping at the bit to get their hands on that report and will likely request the report during their investigation or through discovery. Shareholders seeking corporate records under a Delaware Section 220 demand could be next in line, as they look for a basis to bring derivative claims against directors or officers.
To preserve privilege and work-product protections for incident reports, organizations and their forensics firms should think carefully about the information they put into those reports.
For example, the attorney-client privilege or the work-product doctrine are unlikely to cover an incident report focused primarily on the business or technical aspects of a breach. See Guo Wengui v. Clark Hill, PLC, No. 19-3195 (JEB), 2021 WL 106417, at *11-13 (D.D.C. Jan. 12, 2021) (finding incident response report was not privileged or work product because the “true objective” animating the preparation of the report was the defendant’s effort to “glean[] Duff & Phelps’s expertise in cybersecurity, not in ‘obtaining legal advice from [its] lawyer,’” and “substantially the same [document] would have been prepared. . . as part of the ordinary course of business” (citations omitted)); In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 WL 3733137, at *1-3 (M.D. Pa. July 22, 2021) (denying privilege or work-product protection for incident response report based on court’s conclusion that litigation could not have been the “primary motivating factor” behind the report). For similar reasons, an organization should consult with outside counsel before utilizing the investigative report for non-litigation purposes. See McMenamins Inc., 2023 WL 8447918, at *3-5.
Similarly, if multiple reports are prepared with overlapping facts, disclosure of one report could constitute waiver with regard to another. See In re Am. Med. Collection Agency, Inc., Customer Data Sec. Breach Litig., 2023 WL 8595741, at *12 (D.N.J. Oct. 16, 2023) (finding that disclosure of a shorter forensic analysis report constituted a waiver of the work-product protection over the full investigative report by “revealing the goals, scope, methodology, and findings of [the] investigation”). Organizations should endeavor to ensure separate reports are in fact separate, and not simply summaries or paraphrases of protected materials. Even though the goal at the outset may be to ensure all materials prepared throughout an investigation are protected, if materials are properly delineated by purpose, organizations may be able to mitigate exposure even in the event that some disclosure is compelled. See In re Samsung Customer Data Sec. Breach Litig., 2024 WL 3861330 (D.N.J. Aug. 19, 2024) (requiring disclosure of investigative update PowerPoints and a report with technical findings and analysis, but upholding protections over a memorandum prepared by the forensic firm at the direction of counsel containing counsel’s mental impressions).
However, when information stemming from the investigation is integrated into outside counsel’s mental impressions and opinions about legal exposure or strategy, there is a stronger argument for protection from disclosure.
When an organization is dealing with federal regulators concerning a data breach, its in-house counsel should keep Federal Rule of Evidence 502 top of mind. Rule 502 provides that when intentional disclosures are made in federal proceedings or to a federal office or agency that waive attorney-client privilege or work-product protection, the waiver may also extend to undisclosed communications or information sharing the same subject matter. (As a saving grace, Rule 502(d) allows federal courts to limit the waiver of privilege and the work-product doctrine.)
Under Rule 502, sharing privileged documents with a federal agency can cause a chain reaction of disclosure that extends to all documents sharing that same subject matter. In-house counsel must carefully weigh the benefits of sharing information with federal regulators against the risks of waiver. Sometimes sharing information makes sense. Sometimes there is no real choice. No matter the situation, in-house counsel must understand the risks of sharing before deciding to do so.
Also, in-house counsel should consider entering a confidentiality agreement or pursuing a Rule 502(d) order providing that a particular disclosure does not constitute a waiver. See Target Corp. v. ACE Am. Ins. Co., 576 F. Supp. 3d 609, 617-18 (D. Minn. 2021) (denying subject matter waiver because the parties’ contract provided that the entire “process was confidential and that all communications were privileged”). A Rule 502(d) order may require litigation, but it could be worth the effort if an agreement cannot be reached.
Even more broadly, courts have held that reports that are prepared primarily to fulfill regulatory compliance obligations, rather than in preparation for litigation, are not privileged. See In re Lakeview Loan Servicing Data Breach Litig., 2025 WL 928716 (S.D. Fla. Mar. 27, 2025). Organizations can bolster protections by asking themselves, before asserting privilege, whether the predominant purpose for creating the report is regulatory compliance, or whether the report in fact serves the dual purpose of complying with regulatory obligations and preparing for litigation.
In the United States, attorney-client privilege applies to an attorney’s communications with individuals inside an organization who are part of a breach investigation team regardless of whether the attorney is in-house counsel or from an outside law firm. Privilege will apply so long as the communications were part of the attorney’s efforts to provide legal advice to the organization.
It is a different story for organizations operating outside the United States. A number of countries—including Austria, the Czech Republic, France, Italy, Luxembourg, and Sweden—do not consider in-house attorneys’ communications with their colleagues to be privileged (with some exceptions). In these countries, only communications between external attorneys and the in-house employees are generally privileged.
Thus, organizations with operations in certain non-U.S. countries may want to structure their breach investigation teams so that only their outside counsel are communicating with the organization (in-house counsel or the business team) concerning a breach investigation.
In the wake of a data breach, an organization and its in-house attorneys will have a lot of work to do in an impossibly short amount of time. Taking some time to structure a breach investigation from the outset to prioritize the preservation of attorney-client privilege and work-product protection is a small investment of effort that could pay off if government investigations or litigation arise as a result of that breach.
Although there is a case for applying privilege or work-product protection to incident response reports (if the engagement with the consultant is properly structured and managed), the decisions in Lakeview Loan, McMenamins, Capital One, Guo Wengui, and Rutter’s show there is no guarantee. With that in mind, urge your teams to communicate carefully and responsibly, with the knowledge that anything put in writing may come out in discovery. While it goes without saying that your incident response teams must speak honestly (and that you must take steps to preserve any documents relevant to an incident), speaking honestly necessarily means avoiding speculation and hyperbole—the kinds of communications that often raise issues in litigation that could easily be avoided by more responsible communications during an incident.