Data breach incident investigation materials are not automatically protected from discovery in civil litigation or government investigations. Whether such materials are protected from discovery can have serious cost and public relations implications for a company that has become a victim of a data breach and the target of resultant civil litigation and/or government regulatory investigations. In the wake of dozens of post-breach lawsuits and investigations over the last year alone, it has become clear that steps taken on the front end by the General Counsel can make all the difference.
The first step in establishing and preserving privilege and work product protections over a data breach investigation is to involve the GC in the development of an incident response plan. As a best practice, the GC’s office should play a lead role in the formation and implementation of a data breach incident response plan before a data breach takes place. This will enable the company to best prepare for the likely legal (as well as financial and business) fallout of a data breach – notably by being mindful of, and taking definitive steps to maximize, the protections provided by attorney-client privilege and work product protections pertaining to a data breach investigation’s findings.
Second, consider utilizing three-way contracts (a Master Services Agreement) between: (a) outside counsel, (b) the investigator, and (c) your company when engaging a cyber security expert to investigate and remediate a data breach. In a perfect world, companies would put these agreements in place in advance of any breach, so as to be prepared to move quickly in the event of an attack.
Ideally, the Master Services Agreement will explicitly state that:
- The cyber security expert is being hired by outside counsel for the benefit of the company “in order to aid the obtaining of legal advice.” (These terms would also ideally be used in the event a cybersecurity expert is being engaged to conduct penetration testing as part of the company’s data breach prevention plans prior to a data breach incident.)
- The expert’s work is being performed “in anticipation of litigation” (when the cyber security expert is being engaged as the result of a
- The expert is working “at the direction of” outside counsel, and that outside counsel will have final say over all statements to outside parties, including customers, third parties, regulators and the press.
- The contract should indicate that the internal point of contact at the company is the General Counsel (rather than the Chief Information Officer or the Data Privacy Officer).
- The scope of the work should be made as explicit as possible in the contract, through a detailed statement of work (“SOW”) that is incorporated into the contract by reference. If needed, additional SOWs can be added later and incorporated into the contract by reference.
- The contract should be signed by both the forensic expert and the outside attorney, in addition to the company.
The hiring of a cyber security expert through a traditional vendor purchase agreement driven and signed by the IT Department will likely not provide attorney-client privilege protections for communications related to the engagement. Nor will it provide the protections afforded by the attorney work product or testifying expert privileges.
Post-breach, things will be moving quickly as the target company is working to assess and contain the breach, fulfill its notification obligations, and return its attention to core business operations. Accurate and transparent information flow is essential at this time, and the last thing a GC wants to worry about is how business-critical, urgent communications might appear to an outside party in subsequent litigation.
By taking steps to attach privilege (and work-product protections) during the preparedness phase, long before any breach, and being mindful of preserving the privilege throughout the post-breach investigation phase, the GC can help maximize the protections provided by the attorney-client privilege and work product protection so that their company can be in a position to decide whether, and when, it will waive privilege in fulfilment of its strategic objectives and in the best interests of its shareholders.
Cathleen Donohoe is an attorney at Pillsbury Winthrop Shaw Pittman LLP.