8 Ways to Preserve Legal Privilege After a Cybersecurity Incident

Knowing your legal distinctions can make defense easier should you end up in court after a breach, attack, or data loss.

Caroline Morgan & Melissa Parisi, Partner, Culhane Meadows, PLLC / Senior Director of Worldwide Privacy, Herbalife Nutrition

July 2, 2021

4 Min Read

When an organization faces a cybersecurity incident, taking appropriate steps to preserve the attorney-client privilege and work-product protection is critical, particularly given that government investigations or litigation can follow. Courts are applying the privilege more narrowly and may require a company to disclose documents in litigation that the business believed were confidential, including details on how a company was compromised and how many of its clients were affected by the attack.

Earlier this year in Wengui v. Clark Hill, a federal court declined to apply the privilege to a consultant's investigative report of a cyber breach despite being retained by counsel. The court found that the defendant company relied on the report solely for its root cause analysis, which would have occurred in the ordinary course of business.

Generally, to protect communications and work product, organizations must demonstrate that their purpose was for legal advice or made in anticipation of litigation, not ordinary business reasons. Here are eight key actions organizations should take to preserve privilege during a cybersecurity incident.

Involve Counsel at the Outset
Counsel should lead and supervise every aspect of a breach investigation. If a cyber incident has occurred or is suspected, in-house counsel should be promptly notified. But because they often provide business and legal advice, it is prudent to retain outside counsel as well, since investigations in some countries only apply the privilege with external counsel.

Counsel Should Retain Third Parties
Counsel should retain third parties, such as forensic teams, with a retainer agreement stating the third party is being retained to assist counsel in providing legal advice in anticipation of litigation. If a company retains them directly, a court may be more likely to find it was prepared in the ordinary course of business.

Have a Separate Vendor Agreement for Breach Response
Organizations retain vendors to perform a variety of routine work from penetration testing to audits. If an organization retains the same vendor in response to a cyber incident, breach counsel should retain them under a separate agreement and clearly define the incident-specific scope of work as distinct from the pre-existing business relationship. Communications and work product are more likely to remain confidential if a distinct statement of work is used for breach response rather than a master services agreement.

Treat Legal Fees as a Legal Expense
Characterizing legal fees as a business, IT, or cybersecurity expense may be convenient for budgets, but it can make a legal investigation look like a business one. To avoid disclosure, an organization should pay legal fees out of its legal budget.

Separate Business from Legal Communications
Organizations should avoid mixing protected information with communications reflecting ordinary business purposes. Employees should label documents "Privileged and Confidential," "Prepared at the Direction of Counsel," or "Prepared in Anticipation of Litigation" when it relates to legal advice or anticipated litigation. Where feasible, organizations should have a dual-track investigation where one team conducts an investigation in the ordinary course of business and a separate team provides the organization with legal advice.

Consider Whether a Report Is Necessary
If so, include in writing it is being prepared for the purpose of anticipated litigation or legal advice.

When there is a cyber incident, counsel relies on a forensic team to understand what happened and as a factor to formulate the legal strategy. Such analysis is often memorialized in a report, which unsurprisingly is sought after discovery in litigation or a regulatory proceeding. An organization should consider whether it needs the report in the first place, and if so, the report should avoid business matters and include counsel's mental impressions, conclusions, and legal opinions.

Limit Distribution of Protected Information
Organizations should avoid sharing the forensics report or other protected communications with third parties and even employees beyond those who need to know. This includes not using the report for business purposes, like public relations or responding to shareholder inquiries. Distribution should be tracked to demonstrate limited distribution. If information must be shared more widely, provide it in a way that will not compromise the privilege or work product protection.

For example, provide a separate nonprivileged summary report to a board of directors, public relations consultant, auditor, or regulator. If an organization must disclose the full report, for example, to comply with regulatory requirements, the organization should expressly state that it does not intend to waive privilege through disclosure.

Continue to Guard Against Risk of Disclosure, Even if Information Is Protected
Though privilege can prevent disclosure, organizations should assume protected information could be disclosed. Therefore, in protected communications and work product, avoid speculating, discussing matters that are outside the scope of a cyber incident, and including damaging business information that is peripheral to the investigation.

The law around what is attorney-client privileged or work product is constantly evolving. Nevertheless, best practices can make disclosure less likely. Upon discovering an incident, retaining counsel who then retains third parties with agreements specific to incident response is key.

Similarly, bifurcating business from legal analysis in investigations is critical, including providing reports on a need-to-know basis and paying legal expenses from legal budgets. Finally, and importantly, by assuming disclosure can happen, organizations can limit the amount of information that is subject to disclosure in the first place.

About the Author(s)

Caroline Morgan & Melissa Parisi

Partner, Culhane Meadows, PLLC / Senior Director of Worldwide Privacy, Herbalife Nutrition

Caroline Morgan

Caroline Morgan is a Partner at Culhane Meadows PLLC, the largest national women owned full-service law firm in the country. She counsels companies on navigating state, federal and international data privacy and breach notification laws, including the California Consumer Privacy Act (CCPA), the European Union's General Data Protections Regulation (GDPR), and New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). Caroline also assists clients with data security incident plans, privacy policies and achieving cybersecurity best practices to minimize losses. She is a frequent speaker and writer on a wide variety of emerging data privacy and cybersecurity legal developments. In addition, Caroline is a seasoned litigator, advocate, and negotiator with a particular focus on business litigation, representing companies in a variety of complex commercial disputes. Caroline is a graduate of Brown University and Wake Forest University School of Law.

Melissa Parisi

Melissa Evidente Parisi is the Senior Director of Worldwide Privacy at Herbalife Nutrition, a global leader in meal replacement protein shakes, dietary supplements and skin care products. She advises on global data protection and privacy issues and builds upon the company's compliance with global privacy standards by implementing proactive privacy management through Herbalife Nutrition's developed privacy vision, mission statement, and defined worldwide privacy program scope. Prior to joining Herbalife, Melissa was at the law firm of Sidley Austin LLP, where her practice focused on government enforcement matters, internal investigations, and commercial litigation and disputes. Melissa has represented companies in the health, wellness and fitness industry, as well as a wide range of other industries, including apparel, pharmaceutical, medical device, energy, oil and gas, banking, and insurance. Melissa earned her J.D. from Northwestern University School of Law and B.A. cum laude from the University of California, San Diego. 

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights