Recent court decisions regarding when forensic reports prepared following a data breach may be protected from discovery have revealed that whether these reports are privileged requires a fact-intensive inquiry into when, how, and why the forensics company is engaged. The inquiry also looks at the scope of the forensics company’s engagement and how the company that has suffered a breach behaves with respect to the report and in its remediation efforts in response to the attack. There is no “secret recipe” to ensure a forensics report remains protected from disclosure. Still, there are several steps companies can take to increase the likelihood that reports of their forensics investigations are protected.
A recent court case involving Capital One decisions provided some insight into the types of forensic reports courts might deem protected from discovery during data breach litigation. Namely, these decisions suggested that taking a two-tiered approach to breach investigations, thereby separating the business purpose-related aspects of the investigation from the legal investigation, would be a prudent step to ensuring that forensic reports prepared in anticipation of litigation remain protected.
In September 2017, Clark Hill suffered a cyberattack that resulted in client data exfiltration, including its client’s sensitive personal information. Clark Hill had a standing agreement with cybersecurity vendor eSentire, which provided the firm’s IT security services. In an effort to follow the two-track approach to forensics investigations advanced during the landmark litigation concerning Target’s data breach in 2015, Clark Hill, through counsel explicitly engaged to prepare for litigation resulting from the incident, engaged Duff & Phelps to perform a forensic analysis intended to be used by Clark Hill’s counsel to render legal advice. However, the District Court rejected Clark Hill’s argument that the Duff & Phelps report was privileged.
Notably, the court did not reject the two-track approach. Instead, the court found that Clark Hill’s actions did not comply with the requirements of maintaining a two-track investigation. Though Clark Hill alleged that it conducted a two-track investigation to ensure Duff & Phelps’s investigation and report would be protected by privilege, the court found that Clark Hill’s efforts fell short. This latest decision adds to the growing body of caselaw concerning when forensic reports may be considered privileged.
If a company uses a two-track approach, companies should consider how to distinguish any ordinary -course incident investigation from a privileged investigation. For an “ordinary course of business” investigation, a company may consider generating a nonprivileged summary of attacker activity to illustrate that the internal investigation resulted in specific investigative findings and conclusions designed to inform the company of what happened and how to remediate and contain the identified activity. Conversely, companies should carefully consider the role of reports generated by a third party engaged by counsel. For example, does it supplement a company’s understanding of its legal obligations following a cyber incident, or does it serve as the basis for the company’s entire understanding of an incident? It may be easier to defend privilege if the purpose is the former.
The following are some best practices to follow to maximize the chance of successfully asserting privilege over forensic reports:
- Retain outside counsel to manage the investigation
In the event of a data breach, retain outside counsel to conduct a legally privileged investigation. Whenever possible, outside counsel should directly engage the cybersecurity response vendor, and that vendor should be different from the company’s day-to-day cybersecurity provider. Work closely with counsel to document how the investigation will differ from other cybersecurity services the company regularly receives and explicitly include in any agreement that work will be undertaken at the direction of counsel.
- Do not replace a cybersecurity vendor to provide services necessary for the rendering of legal advice
Halting the work of an already-engaged vendor and replacing it with a vendor explicitly engaged in response to the breach spells trouble. Instead, establish a “two-track approach” to the investigation, whereby the usual vendor investigates and remediates the breach to ensure business continuity, working closely with your IT team. The second vendor, engaged by breach counsel, focuses its work on providing information to counsel that can be utilized to provide legal advice.
- Avoid using stock language in the statement of work
Simply copy-pasting the vocabulary from a preexisting agreement with a cybersecurity vendor into a new agreement between counsel and the vendor does not automatically ensure the engagement is privileged. If using the same vendor for breach investigation work and day-to-day consulting is unavoidable, consider your needs in anticipation of litigation and tailor the agreement language accordingly. This factor is critical to demonstrate that any developed work product is created in a manner and form different from what would be created but for the anticipated litigation. If you have a prior relationship with the forensic firm investigating the security incident, ensure the scope of services for the forensic firm statement of work (SOW) with counsel differs from previous SOWs and retainers.
- Think critically about requesting a written report of findings
Companies should consider foregoing a written report of findings from the incident response vendor altogether. Findings and conclusions may be shared orally with key stakeholders. If a written report is prepared, advise the preparers not to speculate while the preliminary investigation is ongoing. A written report that rests on conjecture and unsupported initial findings will not be helpful in future litigation. Unverified hypotheses should be conveyed orally and thoroughly investigated before they are documented as a “fact” or “finding.” Companies might also determine that they wish any written report to include a focus on exculpatory factors.
- Create segmented teams to protect the privilege
Responding to a data breach incident will likely require responses from multiple business units and external vendors, including teams focused on managing legal, regulatory, consumer, cybersecurity, and governance aspects of the breach. To manage the response while protecting the privilege across these legal and non-legal groups, where possible, create segmented work streams assigned to distinct teams on a “need-to-know” basis. Engage outside counsel to direct the work of external vendors, including forensic analysts. The legal team may include members of in-house counsel, outside counsel, and experts retained by counsel. Consider creating a separate email listserv to restrict access to information, calls, and documents to the legal team’s designated members.
- Limit distribution of privileged attorney work product
Maintain the privileged nature of all attorney work product generated about the incident and only share it as needed for litigation purposes instead of business needs. On the other hand, if a separate report is prepared for business purposes, assume that it will not be privileged. Educate all team members on the importance of not forwarding communications or documents outside of the designated legal team and channeling incident-related communications through legal.
- Keep track of where the written findings are shared and why
If written findings must be shared outside of the legal team, document who receives the report and the distribution reason. If the need is a pure business need unrelated to preparing for litigation, avoid sharing the document to protect the privilege.
- Prepare a separate, non-privileged incident report that can be shared
After a data breach, information must often be disclosed to apprise board members, auditors, insurers, and regulators. To meet these disclosure needs while protecting the investigation’s privileged nature, consider asking counsel to prepare a cover memorandum that addresses only non-privileged business needs and verified factual findings. This memorandum may be shared externally (including with government agencies like the FBI) while protecting attorney-client privileged findings in a separate report prepared only for the use of counsel that may contain broader findings and conclusions.
- Pay expenses from the Legal budget
To the extent possible, fees related to any cybersecurity response overseen by outside counsel should come from the company’s legal budget. While it may seem natural to deduct these expenses from the cybersecurity or IT budgets, some courts have focused on this factor as an indication of whether the company has consistently treated the response as legally privileged.
- Be prepared for disclosure
Court precedent on protecting privilege over forensic reports and/or work performed in response to breaches varies by jurisdiction and is constantly changing. Companies should prepare any written report with the understanding that the final report and drafts, comments, and edits to the report may eventually be produced in litigation. For this reason, taking all necessary steps at the outset to address the incident properly and expediently will help ensure that, should information regarding the breach response ultimately be disclosed in litigation, it will not be to the company’s detriment.
Agio Healthcare shares information meant to not only make you aware of key changes in prominent cybersecurity and privacy standards, laws and frameworks, but helps to provide context and clarity to these rapidly changing and emerging topics.
Follow Agio Healthcare on LinkedIn