Privilege Considerations in Cyber Incident Response

Locke Lord LLP

As with other types of crisis situations, a cybersecurity incident can generate not only operational issues but also significant legal exposure. Affected companies should think through the associated privilege issues early, especially when outside consultants are used.

A company’s response serves a number of purposes: (a) containment, remediation, and continuity; (b) investigation and analysis to determine the cause and extent of the compromise; (c) internal and external communications and messaging; (d) compliance with legal requirements and regulatory expectations; and (e) preparation for possible litigation or administrative proceedings. Various types of non-public written records may be created and used in the course of that response, such as:

  • minutes of meetings;
  • communications among the response team, with the employee base, with consultants, with potentially affected third parties, and with law enforcement;
  • notes (e.g., generated during an investigation); and
  • work papers and reports.

Some of these records may be privileged as attorney-client communications or protected under the work product doctrine. If litigation ensues and a consultant serves as a testifying or non-testifying expert, the consultant’s work may be protected under the applicable procedural rules.

Applicable Contours of the Privilege
The attorney-client privilege protects communications made for the purpose of obtaining or providing legal advice. In Upjohn Co. v. United States, the U.S. Supreme Court held that communications by a company’s employees to the company’s legal counsel relating to an internal investigation, made for the purpose of securing legal advice, are protected by the attorney-client privilege. 449 U.S. 383, 386-87, 394-97 (1981). The work product doctrine protects investigative or analytical work done at the direction of an attorney in anticipation of litigation. See Fed. R. Civ. P. 26(b)(3); Hickman v. Taylor, 329 U.S. 495 (1947).

Courts have clarified that obtaining or providing legal advice need not be the only purpose for an investigation in order to maintain privilege. As applicable in the context of an internal investigation, it is sufficient if providing legal advice was “one of the significant purposes.” In re Kellogg Brown & Root, Inc., 756 F.3d 754, 758 (D.C. Cir. 2014) (incorrect to presume that communication could have only one primary purpose). In other words, the fact that there are also business purposes to a post-breach investigation does not necessarily render the investigation (and communications associated with it) non-privileged. However, it is important to also remember that an investigation that would have been undertaken regardless of the need for legal advice or anticipated litigation will not become privileged simply by being directed by an attorney. Hickman, 329 U.S. at 513.

In the widely publicized Target payment card breach, the court assessed claims of privilege with respect to various reports. As required by the payment brands, Target had engaged a PCI Forensic Investigator (PFI), whose work Target did not assert was privileged (because the PFI reports to the payment brands and/or the acquiring banks). Order, In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522 (D. Minn. Oct. 23, 2015). In addition, it appears that Target formed a business response team, presumably focused on operational concerns, whose work was likewise not privileged. Id. at 1. Separate from that team, Target’s counsel directed a response “task force,” and the court upheld the privilege for the work of that task force. Id. at 1-2.

To maximize privilege protection, a lawyer (in-house or outside counsel) should be directing that portion of the response and investigation for which privilege is sought. The work should have as one of its significant purposes the rendering of legal advice. Beyond that, it would be helpful for any outside consultants to be engaged by the attorneys; and if they are not, they should at a minimum still be working under the direction of the attorneys. See, e.g., id. at 3 (law firm a party to engagement letter).

Along with those measures, a company that sets up a separate “privileged” team effort should consider establishing rules for the topics and scope of any separable business functions, so that the work of the “non-privileged” team does not overlap with the work of the “privileged” team. Further, as a general matter, the company’s attorneys should take measures to remind employees of the confidentiality and privilege associated with communications with counsel and with work performed at counsel’s direction.

In some situations, a company may desire (or be required) to share an investigative report or other information with a third party. Sharing of privileged information may have unintended consequences, especially if the sharing is outside of any confidential relationship.

Although the non-testifying expert “privilege” is not subject to waiver, see Fed. R. Civ. P. 26(b)(4)(D), the attorney-client privilege and work product protection can be waived. A party asserting a privilege bears the burden of demonstrating that the privilege has been preserved; the privilege may be waived by consent, disclosure to a third party, failure to properly assert the privilege, assertion of an advice-of-counsel defense, or “by conduct which implies a waiver of the privilege or a consent to disclosure.” See 6-26 Moore's Federal Practice - Civil §26.49[5].

Some courts may be more lenient than others, depending on the underlying state law. See, e.g., Genesco, Inc. v. Visa U.S.A., Inc., 302 F.R.D. 168, 193-96 (M.D. Tenn. 2014) (analyzing contentions of waiver by failure to provide a privilege log and disclosure of reports, and concluding that privilege had not been waived); Weil v. Investment/Indicators, Research and Mgmt, Inc., 647 F.2d 18, 24 (9th Cir. 1981) (“[I]t has been widely held that [under California law] voluntary disclosure of the content of a privileged attorney communication constitutes waiver of the privilege as to all other such communications on the same subject.”).

In some situations, a company may also consider whether a “common interest” might suffice to maintain the privilege when sharing information with third parties who are subject to loss, claims, or regulatory scrutiny based on the same underlying events. See 6-26 Moore's Federal Practice - Civil § 26.49[b]; In re LTV Securities Litigation, 89 F.R.D. 595, 604 (N.D. Tex. 1981) (joint defense privilege available in connection with S.E.C. investigation). Third parties with a common interest could include a service provider, a trade partner, or an insurance company.

* * * * *

Data breach response is a tricky undertaking, especially as cyber criminals adopt more sophisticated tactics, and the stakes remain high. Like other aspects of addressing a situation that has potentially significant business and legal ramifications, preserving the privilege should be approached in an intentional, thoughtful manner.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising
