It’s 8 a.m., and you just learned that a material cyber-incident occurred in your organization. You fire up your Incident Response Plan. You engage outside counsel, and outside counsel engages a forensic firm. Your company, your outside counsel, and your forensic firm all sign an agreement that the forensic firm will work at the direction of outside counsel. You feel confident that your investigation of the incident and the accompanying forensic report labeled “prepared at the direction of counsel” is protected by privilege. You may want to think again.
Dealing with a cyber-incident has always been a stress-inducing process that involves careful planning and organization. However, a recent decision in the United States District Court for the Eastern District of Virginia just made things more complicated — placing companies who fail to understand its implications in danger of substantial litigation risk.
Last year, a large financial institution suffered a data incident whereby an unauthorized person gained access to certain types of customer personal information according to a class-action complaint filed shortly after the incident. The financial institution, attempting to be prepared for this type of attack, had entered into a retainer agreement with a cyber-forensic firm prior to the data incident’s occurrence. The retainer was designated as a “business critical” expense. After discovery of the incident the financial institution hired outside counsel to provide legal advice in connection with the data incident. An agreement was entered into by outside counsel, the financial institution, and the cyber-forensic firm to engage the cyber-forensic firm to provide work at the direction of outside counsel. An addendum to the agreement also engaged the cyber-forensic firm to perform post-incident penetration testing.
The cyber-forensic firm performed the investigation and prepared a report describing the factors and technical details of the attack. The report, which was originally provided to outside counsel and internal legal, was also shared with the financial institution’s board of directors, regulators, and an accounting firm.
Shortly after the incident was publicly disclosed, class action lawsuits were filed. As part of a discovery dispute in the lawsuits, the plaintiffs filed a motion to compel the production of the cyber-forensic report. The court ordered the financial institution to produce the report, determining that the report was not prepared in a way that was substantially different than if there was no potential for litigation. In other words, routine investigative reports are not, in and of themselves, privileged even if created at the direction of counsel.
Be Prepared, but Cautious
As privacy professionals, we often advise companies to be prepared for a cyber-event. Yet, it was preparation that ultimately led the court to conclude that privilege did not exist in this case. Specifically, the defendant had a long-standing relationship with the cyber-forensic firm to perform similar services to the work that went into preparing the forensic report at issue. It is also important to note that the court zeroed in on the fact that the retainer with the forensic firm was designated as a “business” expense versus a “legal” expense at the time it was paid.
Although different jurisdictions define what constitutes privileged work product with slight nuances, the doctrine’s primary tenet is fairly universal: For cyber-reports to be protected, there must be indicia that they were created “because of the prospect of litigation.” Here, the fact that there was an existing agreement at the time of the data incident was a key factor in the court’s determination that the work would have been performed in substantially the same form even if there was no prospect of litigation. While this notion of the work product doctrine only applying to material prepared in anticipation of litigation is something counsel is very familiar with, this case serves as a stark reminder as to how narrowly this protection can be construed. The court explained that “[m]aterials prepared in the ordinary course of business or pursuant to regulatory requirements . . . are not documents prepared in anticipation of litigation” and “[i] In order to be entitled to protection, a document must be prepared ‘because of’ the prospect of litigation and the court must determine ‘the driving force behind the preparation of each requested document’ in resolving a work product immunity question.”
Outside Counsel Must Direct the Scope of the Cyber-Work
The court’s finding should send a chill through organizations that rely solely on the engagement of forensic investigators through outside counsel to protect privilege. As the court’s ruling demonstrates, the burden to demonstrate the applicability of privilege and work product in a cyber-incident is more complicated.
The mere act of hiring outside counsel to retain cyber-consultants does not, in and of itself, deputize every action as privileged, as demonstrated by cases cited in the court’s opinion. Even if a company has used a cyber-consultant in the past, it is imperative that the nature of the work that is envisioned to be performed by a cyber-investigator or forensic firm must change when outside counsel is retained. In other words, the work performed must be for a legal purpose in anticipation of litigation, not merely a business or regulatory purpose. Further, outside counsel should direct the scope of the cyber-work to ensure that the investigation or forensic analysis is relevant to the defense of litigation. Defining scope of work to differentiate preparation of reports in anticipation of litigation from other work will be imperative to maintain the protection.
Why Does This Matter?
Given this latest legal development, companies should treat the investigation of a cyber incident as the first step in defending against potential litigation. This means utilizing outside counsel to direct the scope of the investigation with an eye towards later after defending claims relating to the data incident. This has never been more important since, under statutes such as the California Consumer Protection Act (CCPA), individuals now have an explicit private right of action for data breaches. As such, there is a potential for any data breach involving a California resident, in and of itself, to serve as the basis for litigation. With this in mind, companies should not only engage outside counsel as soon as there is indication of a security-incident, but ensure that they have hired competent counsel who has experience with data breaches and can effectively direct the scope of the cyber-work in a way that helps mitigate the risk of a court later determining that related cyber-reports are not protected by privilege.