Massive data breaches are frequently making headlines. It’s a chilling reality: Hackers are stealing personally identifiable information (“PII”) from corporate networks and selling it on the dark web.[1] Hackers may also decide to encrypt corporate files until the company pays a ransom (usually in cryptocurrency).[2] This is as true for the Fortune 500 as it is for smaller businesses.[3] Just recently, around 143 million Americans were affected by the Equifax data breach, which caused many to freeze their credit out of fear that their PII would end up on dark web auction websites.

Data breaches are not only troublesome for consumers but also are challenging for organizations. Following a data breach, businesses often times face legal and societal consequences even though it was a victim of a cyber crime. Interestingly, the public outcry following large data breaches confirms the notion that companies must continue to view cybersecurity, data protection, and privacy controls as critical business infrastructure. In fact, these issues are already a huge concern in C-suites as they are among the top worries for chief legal officers and general counsel.[4] Enter: Outside counsel.

Attorneys are called upon to solve the oftentimes complex and nuanced issues that companies encounter. And, in order to provide effective counsel, attorneys depend on candid discussions with clients. That is, the unencumbered truth about what is happening––good or bad––within an organization. To achieve that level of trust, clients are given many protections, two of which play an important role: The attorney-client privilege and the work product doctrine. Both protections are vital in the context of data breach incident response, as the legal and regulatory challenges that follow are seemingly inevitable.

The Attorney-Client Privilege and Work Product Doctrine in Data Breaches

The attorney-client privilege is a bedrock legal principle and, as noted by the Supreme Court of the United States, “is the oldest of the privileges for confidential communications known to the common law.”[5] The privilege facilitates “full and frank” communication from persons seeking legal advice in order to obtain sound legal advice from their attorney.[6] Generally, the attorney-client privilege attaches where the following exist: (1) an attorney-client relationship, (2) a communication, (3) intended to be confidential, and (4) for the purpose of obtaining legal advice.

When the attorney-client privilege attaches, it protects the communication from discovery but not the underlying information.[7] Notably, the attorney-client privilege even extends to communications by and to nonattorneys who serve as agents of or who are working under the direction of an attorney. [8] In essence, the attorney-client privilege can shield communications from discovery regardless of whether or not they were created in anticipation of litigation so long as the purpose of the communication with the attorney, or its agent, was to obtain legal advice.

Unlike the attorney-client privilege, the work product doctrine generally prohibits the disclosure of “documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative[.]”[9] Yet, these documents can be discovered where opposing party shows that they have “substantial need” for them and cannot otherwise obtain them without “undue hardship.”[10] Significantly, however, even where a court orders disclosure of such documents, the court must protect the “mental impressions, conclusions, opinions, or legal theories of a party's attorney or other representative.”[11]

Plainly, the protections under the attorney-client privilege and work product doctrine are vital in data breach response investigations. However, there is a critical difference between them that is worth noting. The work product doctrine’s protections begin at the moment when litigation is reasonably anticipated while the attorney-client privilege protections attach even where litigation is not anticipated.

Recent Data Breach Cases

As we continue to see the rise in the number of data breaches, so too will the number of lawsuits and government investigations. Within the last two years, courts have issued rulings on the discoverability of information contained in data breach reports and other communications surrounding data breach investigations. These opinions are instructive because they shed light onto some of the factors that courts might consider when issuing a ruling on the admissibility of data breach-related documents. However, a considerable number of other factors may play a role into the discoverability of incident response documents because the caselaw on data breaches is still evolving.

Experian. In 2017, a court held in In re Experian Data Breach Litigation, that the forensic team report and other documents were protected from disclosure by the work product doctrine.[12] The Experian court noted that the “because of” standard––that the report was generated in anticipation of litigation––didn’t render the documents undiscoverable because they may have been used for another purpose.

Some of the issues that the Experian court considered in making its decision were: (1) the forensics firm was hired by outside counsel to assist outside counsel in “providing legal advice in anticipation of litigation,” (2) the forensic firm’s full report wasn’t given to Experian’s internal incident response team, (3) the report would not have been prepared in “substantially the same form or with the same content” but for the possibility of litigation, (4) even though the forensics firm had previously worked for Experian, their previous work was separate from the work it was conducting for the data breach at issue, (5) the court found that because the forensics firm used a server image instead of examining a live server, that plaintiff’s could do the same by obtaining the server images through discovery, and (6) the court ruled that Experian didn’t waive its work product protections when its outside counsel provided a redacted version of the forensic report to another attorney pursuant to a joint defense agreement.

Target. In 2015, a court held in In re: Target Corporation Customer Data Security Breach Litigation, that documents surrounding the investigation relating to legal advice were protected from disclosure both by the attorney-client privilege and by the work product doctrine.[13] The issues the Target court faced were nuanced because Target had a two-pronged investigation. The first investigation was conducted by Verizon on behalf of credit card companies. The second investigation was conducted by a separate Verizon team for the purpose of educating Target’s lawyers so that they could provide informed legal advice.

Interestingly, because of this two-pronged approach, Target only claimed privilege for documents relating to the second Verizon investigation, which was to “provide legal advice to Target, including legal advice in anticipation of litigation and regulatory inquiries.”[14] The Target court held that the attorney-client privilege and work product doctrine protected certain email communications because: (1) the Data Breach Task Force wasn’t focused on remediation but rather was focused on educating Target’s attorneys so that they could prepare for anticipated litigation, (2) the communications were written for the purpose of obtaining legal advice and made in anticipation of litigation, (3) Target provided plaintiffs other tangible things, including forensic server images, to “learn how the data breach occurred” and how Target responded to the breach.

Takeaways

The number, type, and size of data breaches are on the rise. With heightened public scrutiny and the foreseeable litigation that often follows, corporate legal departments––and outside counsel and cyber forensics firms––need to understand that tact and caution must be exercised at the onset of an investigation. Protecting key documents from discovery will be critical because lawsuits and government investigations tend to follow a data breach. The cases above, and others, reveal the multitude of litigation considerations that must be contemplated both at the onset and during the breach investigation. Here are a few things to consider:

1. Develop a data breach plan. Be sure to include the names and contact information of key personnel, duties and procedures, escalation protocol, notification requirements, etc.;

2. Outside counsel should engage the cyber forensics team. As a practice note, the engagement letter should clearly state that the cyber forensics team is: (1) working under the direction of outside counsel, (2) for the purpose of assisting the outside counsel to provide informed legal advice, and (3) that the advice sought or being given is because the attorney reasonably anticipates litigation;

3. The forensics report should not be distributed to the company’s internal data breach remediation team. Ideally, the forensics team should only communicate through outside counsel to preserve the company’s legal protections;

4. Outside counsel should educate company employees and other parties associated with the data breach about how to ensure that the protections provided by the attorney-client privilege and the work product doctrine are not waived;

5. The forensics report should be tailored (read: not “substantially the same form or with the same content”) in a manner that is consistent with providing information to outside counsel in order to provide informed legal advice to the company in anticipation of litigation; and

6. The cyber forensics teams should analyze server images instead of live servers.

Ultimately, businesses who prepare for a data breach will be in the best position to deal with the aftermath should one occur. Reputational and legal consequences can be both devastating and costly. Companies can start by examining––and reexamining––its cybersecurity policies, procedures, and privacy control mechanisms to ensure that sensitive corporate information and PII is secure. Don’t forget to develop a data breach response plan. If your company experiences a data breach, call outside counsel first and let them engage the cyber forensics team. Remember, data breach caselaw is still evolving so outside counsel will need to navigate various technology and legal issues diligently.

___________________________

[1] The “dark web” is part of the World Wide Web that can only be accessed with special computer software, which allows users and domain operators to remain anonymous.

[2] The malware that is used in this type of attack is commonly known as “ransomware.”

[3] Robert S. Mueller, Address at RSA Cybersecurity Conference (Mar. 1, 2012): “No company is immune, from the Fortune 500 corporation to the neighborhood ‘mom and pop' business. . . . I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.“

[4] Association of Corporate Counsel, Chief Legal Officers 2017 Survey, available at http://www.acc.com (last visited October 31, 2017).

[5] Upjohn Co. v. United States, 449 U.S. 383 (1981).

[6] Id. at 389; see also Hunt v. Blackburn, 128 U. S. 464, 470 (1888) (stating that "the seal of secrecy upon communications between client and attorney is founded upon the necessity, in the interest and administration of justice, of the aid of persons having knowledge of the law and skilled in its practice, which assistance can only be safely and readily availed of when free from the consequences or the apprehension of disclosure.").

[7] United States v. O’Malley, 786 F. 2d 786, 794 (7th Cir. 1986) (noting that the attorney-client privilege attaches to the communication of the information and not to the information itself).

[8] See In re Kellogg Brown & Root, Inc., 756 F.3d 754, 258 (D.C. Cir. 2014); see alsoFTC v. TRW, Inc., 628 F.2d 207, 212 (D.C. Cir. 1980).

[9] Fed. R. Civ. P. 26(b)(3)(A).

[10] Fed. R. Civ. P. 26(b)(3)(A)(ii).

[11] Fed. R. Civ. P. 26(b)(3)(B).

[12] In re Experian Data Breach Litigation, 15-01592 (C.D. Cal. May 18, 2017).

[13] In re: Target Corporation Customer Data Security Breach Litigation, No. 14-2522 (D. Minn. Oct. 23, 2015).

[14] Id. at 2.

DISCLAIMER: This post is for informational purposes only and may be construed as attorney advertising in some jurisdictions. The information provided above is not intended to be legal advice and should not be construed or relied upon as legal advice. If you need legal advice, please consult an attorney.