Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Connect Directly
E-Mail vvv

8 Ways to Preserve Legal Privilege After a Cybersecurity Incident

Knowing your legal distinctions can make defense easier should you end up in court after a breach, attack, or data loss.

When an organization faces a cybersecurity incident, taking appropriate steps to preserve the attorney-client privilege and work-product protection is critical, particularly given that government investigations or litigation can follow. Courts are applying the privilege more narrowly and may require a company to disclose documents in litigation that the business believed were confidential, including details on how a company was compromised and how many of its clients were affected by the attack.

Related Content:

Incident Response: 3 Easy Traps & How to Avoid Them

Special Report: Building the SOC of the Future

New From The Edge: rMTD: A Deception Method That Throws Attackers Off Their Game

Earlier this year in Wengui v. Clark Hill, a federal court declined to apply the privilege to a consultant's investigative report of a cyber breach despite being retained by counsel. The court found that the defendant company relied on the report solely for its root cause analysis, which would have occurred in the ordinary course of business.

Generally, to protect communications and work product, organizations must demonstrate that their purpose was for legal advice or made in anticipation of litigation, not ordinary business reasons. Here are eight key actions organizations should take to preserve privilege during a cybersecurity incident.

Involve Counsel at the Outset
Counsel should lead and supervise every aspect of a breach investigation. If a cyber incident has occurred or is suspected, in-house counsel should be promptly notified. But because they often provide business and legal advice, it is prudent to retain outside counsel as well, since investigations in some countries only apply the privilege with external counsel.

Counsel Should Retain Third Parties
Counsel should retain third parties, such as forensic teams, with a retainer agreement stating the third party is being retained to assist counsel in providing legal advice in anticipation of litigation. If a company retains them directly, a court may be more likely to find it was prepared in the ordinary course of business. 

Have a Separate Vendor Agreement for Breach Response 
Organizations retain vendors to perform a variety of routine work from penetration testing to audits. If an organization retains the same vendor in response to a cyber incident, breach counsel should retain them under a separate agreement and clearly define the incident-specific scope of work as distinct from the pre-existing business relationship. Communications and work product are more likely to remain confidential if a distinct statement of work is used for breach response rather than a master services agreement.

Treat Legal Fees as a Legal Expense 
Characterizing legal fees as a business, IT, or cybersecurity expense may be convenient for budgets, but it can make a legal investigation look like a business one. To avoid disclosure, an organization should pay legal fees out of its legal budget.

Separate Business from Legal Communications
Organizations should avoid mixing protected information with communications reflecting ordinary business purposes. Employees should label documents "Privileged and Confidential," "Prepared at the Direction of Counsel," or "Prepared in Anticipation of Litigation" when it relates to legal advice or anticipated litigation. Where feasible, organizations should have a dual-track investigation where one team conducts an investigation in the ordinary course of business and a separate team provides the organization with legal advice. 

Consider Whether a Report Is Necessary
If so, include in writing it is being prepared for the purpose of anticipated litigation or legal advice.

When there is a cyber incident, counsel relies on a forensic team to understand what happened and as a factor to formulate the legal strategy. Such analysis is often memorialized in a report, which unsurprisingly is sought after discovery in litigation or a regulatory proceeding. An organization should consider whether it needs the report in the first place, and if so, the report should avoid business matters and include counsel's mental impressions, conclusions, and legal opinions. 

Limit Distribution of Protected Information 
Organizations should avoid sharing the forensics report or other protected communications with third parties and even employees beyond those who need to know. This includes not using the report for business purposes, like public relations or responding to shareholder inquiries. Distribution should be tracked to demonstrate limited distribution. If information must be shared more widely, provide it in a way that will not compromise the privilege or work product protection. 

For example, provide a separate nonprivileged summary report to a board of directors, public relations consultant, auditor, or regulator. If an organization must disclose the full report, for example, to comply with regulatory requirements, the organization should expressly state that it does not intend to waive privilege through disclosure. 

Continue to Guard Against Risk of Disclosure, Even if Information Is Protected
Though privilege can prevent disclosure, organizations should assume protected information could be disclosed. Therefore, in protected communications and work product, avoid speculating, discussing matters that are outside the scope of a cyber incident, and including damaging business information that is peripheral to the investigation.

The law around what is attorney-client privileged or work product is constantly evolving. Nevertheless, best practices can make disclosure less likely. Upon discovering an incident, retaining counsel who then retains third parties with agreements specific to incident response is key.

Similarly, bifurcating business from legal analysis in investigations is critical, including providing reports on a need-to-know basis and paying legal expenses from legal budgets. Finally, and importantly, by assuming disclosure can happen, organizations can limit the amount of information that is subject to disclosure in the first place.

Caroline Morgan is a Partner at Culhane Meadows PLLC, the largest national women owned full-service law firm in the country. She counsels companies on navigating state, federal and international data privacy and breach notification laws, including the California Consumer ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
7/12/2021 | 10:13:05 PM
Re: Relate advice here to cyber liability insurance
As a disclaimer please note that I am not providing legal advice and these communications do not create an attorney client relationship. Some carriers have third party vendors that are approved just like they have panel counsel. That said, the attorney can still retain the vendor even if ultimately the carrier is paying.  
User Rank: Apprentice
7/8/2021 | 9:15:06 AM
Relate advice here to cyber liability insurance
Really good read.  Thank you.  Regarding how forensic skills are brought in under legal rather than business auspices, what about instances where cyber liability insurance is invoked?  Often in the policy the provider has a list of forensic servicers and may be involved in brokering those services.  Is there any specific advice around maintaining the attorney client privilege when getting forensic (or other) services via the cyber insurnace instrument?
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file