The answer, maybe, but it depends on the facts in each case.

Merely because a company has its outside legal counsel directly retain a third party service provider for an incident response, i.e., digital forensics, does not guarantee that the forensic breach report provided to the outside counsel can be protected from disclosure under the attorney work product doctrine. In a recent court decision, In re: Capital One Customer Data Security Breach Litigation, E.D. Va., No. 1:19-md-02915, the court refused to protect a post-breach forensic report under the attorney work product doctrine, even though it was contracted for by, and provided to, outside counsel.

The reasons given by the Court for not protecting the post-breach forensic report were: (1) a “business critical” Master Services Agreement (MSA) was entered into directly between the end client and the service provider prior to the breach to provide “incident response services in the event such services were necessary;” (2) the post-breach agreement between the end client’s outside counsel and the service provider used an essentially identical Statement of Work (SOW) as in the MSA, although it required all reports to be provided to the outside counsel; and (3) the actual report provided by the service provider was not exclusively used to support the post-breach litigation (copies were provided to the end client’s Board of Directors, fifty internal personnel not necessarily involved with the litigation, four government regulatory agencies, and an accounting firm).

The takeaways from this decision, as well as two prior decisions ¹, is that to improve the likelihood that post-breach forensics reports will be protected from disclosure to third parties, companies should contact outside counsel immediately after a breach is discovered, and request that outside counsel specifically retain the service provider to prepare for potential litigation. Additional considerations that can support post-breach forensic reports being protected attorney work product include: (1) tailor the post-breach SOW to the specific circumstances of the breach, and avoid using the same SOW services in the post-breach agreement as was used in a general pre-breach agreement; (2) consider using different service providers for the pre-breach MSA work and the post-breach forensics work; (3) carefully draft the post-breach SOW so the work is exclusively “conducted because of the litigation and not work that would have been done in any event”; and (4) strictly limit the distribution of the post-breach report to those with a litigation need-to-know.

¹ In re Premera Blue Cross Customer Data Sec. Litig., 296 F. Supp. 3d 1230 (D. Or. 2017); and In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 2019 WL 7592343 (E.D. Va. Dec. 19, 2019).

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.