Executive Perspectives

Two Simple Ways to Maximize Privilege and Work Product Protections in Data Breach Investigations

Data breach incident investigation materials are not automatically protected from discovery in civil litigation or government investigations. Whether such materials are protected from discovery can have serious cost and public relations implications for a company that has become a victim of a data breach and the target of resultant civil litigation and/or government regulatory investigations. In the wake of dozens of post-breach lawsuits and investigations over the last year alone, it has become clear that steps taken on the front end by the General Counsel can make all the difference.

The first step in establishing and preserving privilege and work product protections over a data breach investigation is to involve the GC in the development of an incident response plan. As a best practice, the GC’s office should play a lead role in the formation and implementation of a data breach incident response plan before a data breach takes place. This will enable the company to best prepare for the likely legal (as well as financial and business) fallout of a data breach – notably by being mindful of, and taking definitive steps to maximize, the protections provided by attorney-client privilege and work product protections pertaining to a data breach investigation’s findings.

While it is possible the company may later elect to waive privilege (depending upon specific facts and circumstances), it is always best for the company to have the option to waive privilege, rather than failing to establish privilege in the first instance.

Note that courts may deem privilege to be implicitly waived if, in a resulting litigation, the company elects to use the investigation’s findings to assert a defense in the litigation that would in fairness require the examination of the underlying investigation documents. See, e.g., In re United Shore Fin. Servs., LLC, No. 17-2290, 2018 WL 2283893, at *2 (6th Cir. Jan. 3, 2018) and cases cited therein. Nonetheless, it is always better for the company to be in a position to choose whether or not to waive privilege for strategic reasons, than to be left with no option at the outset.

Second, consider utilizing three-way contracts (a Master Services Agreement) between: (a) outside counsel, (b) the investigator, and (c) your company when engaging a cyber security expert to investigate and remediate a data breach. In a perfect world, companies would put these agreements in place in advance of any breach, so as to be prepared to move quickly in the event of an attack.

Ideally, the Master Services Agreement will explicitly state that:

  • The cyber security expert is being hired by outside counsel for the benefit of the company “in order to aid the obtaining of legal advice.” (These terms would also ideally be used in the event a cybersecurity expert is being engaged to conduct penetration testing as part of the company’s data breach prevention plans prior to a data breach incident.)
  • The expert’s work is being performed “in anticipation of litigation” (when the cyber security expert is being engaged as the result of a breach incident).
  • The expert is working “at the direction of” outside counsel, and that outside counsel will have final say over all statements to outside parties, including customers, third parties, regulators and the press.
  • The contract should indicate that the internal point of contact at the company is the General Counsel (rather than the Chief Information Officer or the Data Privacy Officer).
  • The scope of the work should be made as explicit as possible in the contract, through a detailed statement of work (“SOW”) that is incorporated into the contract by reference. If needed, additional SOWs can be added later and incorporated into the contract by reference.
  • The contract should be signed by both the forensic expert and the outside attorney, in addition to the company.

The hiring of a cyber security expert through a traditional vendor purchase agreement driven and signed by the IT Department will likely not provide attorney-client privilege protections for communications related to the engagement. Nor will it provide the protections afforded by the attorney work product or testifying expert privileges.

Post-breach, things will be moving quickly as the target company is working to assess and contain the breach, fulfill its notification obligations, and return its attention to core business operations. Accurate and transparent information flow is essential at this time, and the last thing a GC wants to worry about is how business-critical, urgent communications might appear to an outside party in subsequent litigation.

By taking steps to attach privilege (and work-product protections) during the preparedness phase, long before any breach, and by being mindful of preserving the privilege throughout the post-breach investigation phase, the GC can help maximize the protections provided by the attorney-client privilege and work product protection, so that the company is in a position to decide whether, and when, it will waive privilege in fulfilment of its strategic objectives and in the best interests of its shareholders.

Cathleen Donohoe is an attorney at Pillsbury Winthrop Shaw Pittman LLP.