Most companies are careful that sensitive information doesn't fall into the wrong hands. And when faced with a data breach, they want to know that things like incident reports will not end up in the public domain.
But did you know that the way you handle a cyber event can either protect sensitive data under attorney-client privilege or leave it open to discovery in a lawsuit?
Even when you follow best practices, though, not all courts take the same view of privilege. As some recent court decisions highlight, attorney-client privilege for cyber events may not be as solid as we once thought.
How Privilege Is Usually Established After a Cyber Event
After a cyber event occurs and you notify the insurer, the first resource you’ll be directed to is your approved attorney. This is important because when you follow the right protocols, the attorney will hire all of the necessary vendor resources on your behalf.
This includes all parties involved in the response: IT forensics specialists, the breach notification provider, a credit monitoring provider, and others. Traditionally, because it is the attorney who hires those vendors, not you, the vendors' work product has been treated as protected under attorney-client privilege and the related work-product doctrine.
This includes things like reports from forensics providers who evaluate how the hackers got in, whether the attack is ongoing, and other important details that companies may not want exposed.
The other scenario is when you suffer a cyber breach and hire all of the vendors directly. If a lawsuit later arises from the security incident, key reports and findings could be discoverable and potentially made public.
A question often comes up: Can we hire our own attorney directly and not use the carrier-provided attorney?
Most policies require you to have pre-approved counsel (meaning before the time of the claim). If your attorney is pre-approved by the carrier, you’re free to use them at the time of a claim.
Either way, following the protocol of having your attorney hire vendors on your behalf should extend the attorney-client privilege in the same manner.
But there can be exceptions to privilege, as we are now seeing played out in court. The most recent example is Capital One's cyber incident litigation.
Cyber Litigation: Courts Weigh in on Attorney-Client Privilege
In late May of 2020, a Virginia federal court ordered Capital One to disclose its forensic analysis related to a massive data breach in 2019. The court rejected the argument that the report was protected under attorney-client privilege.
According to Law360's coverage of the ruling, Capital One argued during the court hearing that "it should not be forced to turn over the analysis from cybersecurity consultant Mandiant because the document was prepared to help Capital One's attorneys deal with the lawsuits."
But the judge disagreed:
“Capital One has not presented sufficient evidence to show that the incident response services performed by Mandiant would not have been done in substantially similar form even if there was no prospect of litigation,” Judge Anderson wrote. “The retention of outside counsel does not, by itself, turn a document into work product,” the judge added.
Among the evidence that the judge cited in rejecting Capital One’s bid to keep the report private was that the bank already had a relationship with Mandiant, which is now part of the cybersecurity giant FireEye Inc., before the breach occurred. The company had also internally referred to its retainer paid to the cybersecurity consultants as a “business critical” expense rather than a “legal” expense, the judge wrote.
Though other cases have tested the attorney-client privilege, cyber case law is still fuzzy. For example, in a 2017 case the court held that Experian did not have to produce its investigation documents for a data breach, because the report was ordered by and prepared for its law firm as it geared up for litigation.
On the other hand, according to Law360, the Capital One judge cited a 2017 case where Premera Blue Cross had to produce a chunk of documents prepared by Mandiant after a 2015 data breach.
The Sedona Conference is a nonprofit dedicated to the advanced study of law and policy. It has proposed an expansion of attorney-client privilege specifically for cybersecurity events.
Douglas Meal is a partner at Orrick Herrington & Sutcliffe LLP who chaired the Sedona Conference working group that drafted the paper. In a quote to Law360, he weighed in on the basics of attorney-client privilege:
“The argument is that there should be limited protection given to cybersecurity-related information even where lawyers aren’t involved in creating it, so as to not in effect chill people from engaging in frank discussions about how best to address cybersecurity situations for fear that by engaging in those discussions, they’ll create documents that can be used against them down the road.”
According to other experts quoted in the article, privilege over documentation is a tricky area in any type of case, cyber or not.
The Law360 article states, however, that:
The working group argued that giving special consideration to cybersecurity-related documents made sense, because while “substantial case law” exists on the applicability of the attorney-client privilege and work-product protection to documents like financial reports and product safety investigations, courts have had “little occasion to rule on” whether information such as penetration test reports or data-breach forensic investigations qualify for either protection.
To Pre-Select Vendors or Not?
The Capital One case points to a question we receive from clients often: Should we pre-select the vendors that we want to respond to a breach?
Generally, pre-selecting the vendors you want to respond has been a useful tool in streamlining the response to a cyber incident. Particularly when it comes to IT forensics specialists, hiring a firm that is already familiar with your network and security controls can limit the required response time and get you back to business faster.
Many forensics firms are not in a position to guarantee their availability at the time of an event. In a widespread security event, such as a particularly damaging new malware strain, some security firms may be so swamped with requests for work that they simply can’t get to everyone in a short amount of time.
Sensing customers’ dissatisfaction with this possibility, forensics specialists started offering retainer agreements for a set fee, regardless of whether the incident response services were required.
While this is an interesting way to guarantee the availability of your preferred vendor, as we learned in the Capital One case above, it may ultimately prove problematic when it comes to protecting the forensics reports under attorney-client privilege.
That's because it is hard to characterize a retainer paid well before any incident as a legal expense incurred in anticipation of litigation. In Capital One's case, the court pointed to exactly these facts: the pre-existing relationship with Mandiant and the bank's own accounting of the retainer as a "business critical" expense rather than a "legal" one.
Most attorneys and forensics providers today would say that if the attorney hires a vendor for cyber incident response, everything produced falls under attorney-client privilege. The way courts are now interpreting privilege, however, may upend that assumption.
Until there is more case law, the best practice remains the same: have your attorney oversee the cyber incident response and do the hiring on your behalf. If you keep a forensics firm on retainer to guarantee availability, have counsel engage that firm under a separate agreement scoped to the legal response to the incident, and record that engagement as a legal expense, since a pre-existing business retainer is precisely what the Capital One court held against the bank.