When an organization faces a cybersecurity incident, taking appropriate steps to preserve the attorney-client privilege and work-product protection is critical, particularly given that government investigations or litigation can follow. Courts are applying the privilege more narrowly and may require a company to disclose documents in litigation that the business believed were confidential, including details on how a company was compromised and how many of its clients were affected by the attack.
Earlier this year in Wengui v. Clark Hill, a federal court declined to apply the privilege to a consultant's investigative report of a cyber breach despite being retained by counsel. The court found that the defendant company relied on the report solely for its root cause analysis, which would have occurred in the ordinary course of business.
Generally, to protect communications and work product, organizations must demonstrate that their purpose was for legal advice or made in anticipation of litigation, not ordinary business reasons. Here are eight key actions organizations should take to preserve privilege during a cybersecurity incident.
Involve Counsel at the Outset
Counsel should lead and supervise every aspect of a breach investigation. If a cyber incident has occurred or is suspected, in-house counsel should be promptly notified. But because they often provide business and legal advice, it is prudent to retain outside counsel as well, since investigations in some countries only apply the privilege with external counsel.
Counsel Should Retain Third Parties
Counsel should retain third parties, such as forensic teams, with a retainer agreement stating the third party is being retained to assist counsel in providing legal advice in anticipation of litigation. If a company retains them directly, a court may be more likely to find it was prepared in the ordinary course of business.
Have a Separate Vendor Agreement for Breach Response
Organizations retain vendors to perform a variety of routine work from penetration testing to audits. If an organization retains the same vendor in response to a cyber incident, breach counsel should retain them under a separate agreement and clearly define the incident-specific scope of work as distinct from the pre-existing business relationship. Communications and work product are more likely to remain confidential if a distinct statement of work is used for breach response rather than a master services agreement.
Treat Legal Fees as a Legal Expense
Characterizing legal fees as a business, IT, or cybersecurity expense may be convenient for budgets, but it can make a legal investigation look like a business one. To avoid disclosure, an organization should pay legal fees out of its legal budget.
Separate Business from Legal Communications
Organizations should avoid mixing protected information with communications reflecting ordinary business purposes. Employees should label documents "Privileged and Confidential," "Prepared at the Direction of Counsel," or "Prepared in Anticipation of Litigation" when it relates to legal advice or anticipated litigation. Where feasible, organizations should have a dual-track investigation where one team conducts an investigation in the ordinary course of business and a separate team provides the organization with legal advice.
Consider Whether a Report Is Necessary
If so, include in writing it is being prepared for the purpose of anticipated litigation or legal advice.
When there is a cyber incident, counsel relies on a forensic team to understand what happened and as a factor to formulate the legal strategy. Such analysis is often memorialized in a report, which unsurprisingly is sought after discovery in litigation or a regulatory proceeding. An organization should consider whether it needs the report in the first place, and if so, the report should avoid business matters and include counsel's mental impressions, conclusions, and legal opinions.
Limit Distribution of Protected Information
Organizations should avoid sharing the forensics report or other protected communications with third parties and even employees beyond those who need to know. This includes not using the report for business purposes, like public relations or responding to shareholder inquiries. Distribution should be tracked to demonstrate limited distribution. If information must be shared more widely, provide it in a way that will not compromise the privilege or work product protection.
For example, provide a separate nonprivileged summary report to a board of directors, public relations consultant, auditor, or regulator. If an organization must disclose the full report, for example, to comply with regulatory requirements, the organization should expressly state that it does not intend to waive privilege through disclosure.
Continue to Guard Against Risk of Disclosure, Even if Information Is Protected
Though privilege can prevent disclosure, organizations should assume protected information could be disclosed. Therefore, in protected communications and work product, avoid speculating, discussing matters that are outside the scope of a cyber incident, and including damaging business information that is peripheral to the investigation.
The law around what is attorney-client privileged or work product is constantly evolving. Nevertheless, best practices can make disclosure less likely. Upon discovering an incident, retaining counsel who then retains third parties with agreements specific to incident response is key.
Similarly, bifurcating business from legal analysis in investigations is critical, including providing reports on a need-to-know basis and paying legal expenses from legal budgets. Finally, and importantly, by assuming disclosure can happen, organizations can limit the amount of information that is subject to disclosure in the first place.