Introduction
As breach litigation increases, understanding how to protect attorney-client privilege has become critical for companies facing cybersecurity incidents. Courts continue to debate whether plaintiffs in data breach cases meet the standard of proving “actual or imminent” harm directly tied to a company's actions, with some defendants successfully challenging standing to secure early dismissals. However, with the ongoing rise in ransomware attacks, companies now face an additional challenge: defending against litigation filed by impacted individuals and class-action lawsuits seeking substantial damages.
The stages of ransomware incidents have become familiar across industries—detection, containment, remediation, rebuilding, and notifying affected parties and regulators. Yet, even as companies implement stronger cybersecurity measures post-breach, they increasingly find themselves needing to prepare for litigation as well. The surge in lawsuits filed in 2023 and 2024 against ransomware-impacted companies underscores this trend, and experts predict that the volume will continue to grow.
As legal counsel often guiding clients through these incidents, we monitor recent litigation closely to ensure that our clients' actions preserve privilege and protect their legal defenses should litigation arise.
Protecting attorney-client privilege during a cybersecurity incident requires diligent efforts, especially during the chaotic response and investigation phases. The following tips can help maintain privilege over critical aspects of an investigation, including (i) communications among core response teams, breach counsel, and data review vendors; (ii) forensic reports; and (iii) breach counsel's recommendations and directives.
Best Practices for Maintaining Privilege:
- Engage Breach Counsel Promptly: Retain breach counsel as soon as a cybersecurity incident occurs to ensure that all agreements, engagements, and communications are protected.
- Involve Attorneys in Incident Response Meetings: Include breach counsel in all response-related meetings to ensure deliberative conversations are legally informed, privileged, and focused on defense.
- Include Legal Counsel on Third-Party Communications: Ensure that all communications with third-party vendors are conducted through legal counsel to maintain privilege.
- Clearly Define the Scope of Investigations: Draft all engagement letters with third parties carefully, specifying the purpose of the investigation to ensure privilege protection.
- Review All Agreements with Legal Counsel: Legal counsel should review and approve all agreements, especially those with vendors handling breach response.
- Limit Information Sharing: Share sensitive information on a strictly need-to-know basis to reduce the risk of waiving privilege.
- Avoid Sharing Information with Unretained Third Parties: Limit disclosure to parties who are directly involved in the incident response and have been retained to provide legal advice.
- Prioritize Oral Communications for Sensitive Findings: For discussions on potential causes, findings, or recommendations, consider sharing this information in person or through secure conference calls with legal counsel present.
- Mark Communications as Privileged and Confidential: Label all written communications regarding the investigation with appropriate privilege and confidentiality markings.
Litigation Lessons in Privilege
Recent legal cases have shown that courts often require companies to produce forensic reports generated during data breaches, even if those reports were initially intended to be protected under attorney-client privilege or work-product doctrines. These rulings provide crucial insights for organizations aiming to maintain privilege protections.
Key Cases Challenging Privilege Claims in Cybersecurity Forensic Reports
- In re Samsung Customer Data Sec. Breach Litigation (2024):
  - Court's Decision: The court ruled that Samsung's forensic report was generated for business purposes because it was shared with 15 executives, including the security team. The wide distribution indicated the report was used for business decision-making rather than solely for legal defense.
- Leonard v. McMenamins Inc. (2023):
  - Court's Decision: Although McMenamins retained a forensics firm through counsel, the court found that privilege didn't apply since the report contained factual information for business purposes.
  - Key Factors:
    - The report focused on business discussions, remediation, and investigation.
    - The court saw the engagement of the forensics firm and outside counsel as primarily designed for operational restoration, not for legal advice.
    - The report was widely shared internally (e.g., IT), and plaintiffs had a “substantial need” for the report, as it was the only internal investigation documentation available.
- In re Rutter's Inc. Data Security Breach Litigation (2021):
  - Court's Decision: The court found the report was for business purposes, created to assess data compromise and related facts, not strictly in anticipation of litigation.
  - Key Factors:
    - Rutter's engagement letter with the vendor indicated a business purpose, as it focused on IT monitoring and data compromise assessment.
    - Testimony confirmed Rutter's did not foresee litigation at the time of the engagement.
    - There was no evidence the report was specifically for legal strategy: it was shared for general business purposes, and there was evidence that the report would have been prepared regardless of whether a suit was ultimately filed.
    - There was no evidence that the law firm received the report before Rutter's did.
- Wengui v. Clark Hill, PLC (2021):
  - Court's Decision: The forensic report was not protected as it served multiple business functions, including incident management and FBI coordination.
  - Key Factors:
    - Clark Hill did not conduct separate privileged and non-privileged investigations, which could have shielded materials.
    - The report was widely distributed for non-legal purposes, focusing on remediation and providing cybersecurity recommendations, in addition to sharing with the FBI.
    - The report also revealed the forensics firm worked with other outside third parties to manage the incident without counsel present.
- In re Capital One Consumer Data Security Breach Litigation (2020):
  - Court's Decision: The court ruled that Capital One's report was not privileged, as it was prepared under pre-existing business agreements and would have been generated regardless of litigation.
  - Key Factors:
    - The vendor had a longstanding business relationship with Capital One, not solely for legal defense.
    - The report was shared with four different regulators and business units, showing that it was used for regulatory and business/operational purposes rather than prepared for litigation.
    - The report's broad business-focused distribution indicated that it was not driven solely by legal considerations.
    - The scope of work did not change when the law firm became involved.
    - The vendor's retainer was originally paid as a “business expense” and not a legal expense.
- In re Dominion Dental Services USA, Inc. Data Breach Litigation (2019):
  - Court's Decision: The court found that Dominion's report was primarily for operational purposes and customer notifications, not legal defense.
  - Key Factors:
    - The report was shared with non-legal departments, underscoring its role in business continuity rather than legal protection.
Takeaways for Protecting Privilege
These rulings illustrate the importance of structuring forensic investigations with privilege in mind:
- Limit Distribution: Restrict access to forensic reports to only those directly involved in legal strategy.
- Clearly Define Purpose: Document that the investigation is conducted in anticipation of litigation and specify legal defense as the primary reason for the report.
- Engage Separate Tracks: Consider conducting a privileged investigation strictly for legal defense and another for business continuity if necessary.
- Involve Legal Counsel Throughout: Direct the investigation through legal counsel to maintain privilege, ensuring they are actively involved in defining the scope and handling of findings.
Having counsel that understands privilege nuances and evolving case law is essential during cybersecurity incidents. Maintaining privilege during an incident not only mitigates risk but strengthens the defense against discovery requests in subsequent litigation.