If You Do This, You Might Not Get “Attorney Work Product” Protection During a Cyber Breach

Read more for insight on how structuring is critical for protecting attorney-client privilege, as well as what's known as "Attorney work product."

Clients often ask about who they should call and who’s going to help if, and when, a cyber incident arises. Often, businesses first think about IT forensics providers to help them through a cyber incident.

Lawyer speaking to a judge

And while I encourage companies to think through these types of issues, I recommend that they first focus on the legal counsel that is going to support them when things go wrong.

Outside of their experience in handling cyber incident response matters, there are two primary protections available to you by focusing on legal counsel first:


Attorney-client privilege


Attorney work produce doctrine

These are two important legal mechanisms to protect communications and strategies from having to be disclosed during breach litigation.

Cornell explains the attorney work product doctrine:

... an adverse party generally may not discover or compel disclosure of written or oral materials prepared by or for an attorney in the course of legal representation, especially in preparation for litigation... that there is a presumption that an adverse party may not have access to materials prepared by a party's lawyers in anticipation of litigation. The (Supreme) Court maintained that this presumption may be overcome when a party has relevant and non-privileged facts which would be essential to the preparation of the adverse party's case.

In a perfect world, communications, including phone calls, meetings, and emails between an attorney and client are protected from snooping defense attorneys, as is research, notes, and materials that are used to build a defense case in litigation.

However, if legal counsel engagement is not structured correctly, some of the research could be deemed unprotected and would have to be produced, but only if the court says so.

How is Structuring Engagement Relevant to Cyber Risk and Incident Response?

I’ve spoken before about the Capital One data breach litigation where the IT forensics report was not deemed to be protected as attorney work product due to a pre-existing retainer agreement with the IT forensics provider.

From my earlier article on the topic:

In late May of 2020, a Virginia federal court ordered Capital One to disclose its forensic analysis related to a massive data breach in 2019. The court rejected the argument that the report was protected under attorney-client privilege.

… Capital One claimed during the court hearing that “it should not be forced to turn over the analysis from cybersecurity consultant Mandiant because the document was prepared to help Capital One’s attorneys deal with the lawsuits.

The judge in that case disagreed and stated that “The retention of outside counsel does not, by itself, turn a document into work product.”

And now we have another example of attorney work product in litigation in the recent Rutter’s case in a District Court in Pennsylvania.

In the Rutter’s example, the judge dismissed claims of protection for attorney work product and attorney-client privilege for a few reasons:


The description of services in the statement of work (SOW) executed by the outside attorney and IT forensics provider made no mention of potential litigation.


Rutter’s paid the IT provider directly, suggesting the relationship was between the two parties and did not involve the attorney.


Rutter’s executives and IT employees interfaced with the forensics vendor directly, without legal counsel.


The forensics provider delivered the report directly to Rutter, bypassing any review by legal counsel.


Rutter’s executives acknowledged that they would have done the forensics investigation regardless of the involvement of counsel.

Looking at the judge’s decision in this case (and Capital One’s case) provides a good outline for the mechanics of how an incident response process should work.

It starts with hiring experienced and knowledgeable legal counsel to act as a breach coach and shepherd your organization through the complexities of responding to a cyber incident. In the chaotic first few hours of a cyber incident, having the steady hand of an experienced legal counsel to provide guidance can prove invaluable.

From there, the ruling in the Rutter’s case provides the specifics on how to move forward. Legal counsel should hire the IT forensics provider and execute a statement of work that mentions the work being performed in anticipation of potential litigation.

Billing for the IT forensics provider should be invoiced and paid through your legal counsel.
And finally, the final report should be delivered to legal counsel first—who can then provide it to you under the context of providing legal advice.

By following this incident response structure, you just might avoid the fate of Capital One and Rutter’s and find that your incident response process is afforded the benefits of attorney-client privilege and the attorney work product doctrine.

For more insights like this, check out the Cyber Notebook or get more Cyber Dan insights by subscribing to our YouTube channel.



Table of Contents