Recent high-profile cases have changed how forensic reports are handled in data breach incident response-related litigation, requiring victimized companies to turn over findings relevant to investigations.
We spoke with Craig Hoffman and Paul Karlsgodt of BakerHostetler about evolving notions of “attorney-client privilege” and “work product protections” in cybersecurity and how they’re impacting the way companies engage with incident response vendors.
Should insurers and insureds be concerned about cases such as Eastern District of Virginia that reinterpret attorney-client privilege in cybersecurity?
CH: Establishing attorney-client privilege over an investigation of a security incident has received outsized attention compared to its importance. There’s an absolute need for it to apply and to be preserved and protected for advice related to the investigation of a security incident. But I don’t think the term has to be defined as broadly as some think it should be. The number of times it actually gets tested and matters is really low.
In what situations are courts more or less likely to uphold attorney-client privilege?
CH: Looking at recent cases, we see that if the court thinks you’re being too aggressive in how you’re applying “privilege,” there’s a lesser chance of upholding it. The same is true if the court thinks underlying facts are unavailable.
However, if from the beginning of the investigation you identify the narrow areas where you need information from a third party to help you advise your client, and then create a dedicated channel with a small group of people in such a way that later on, if you’re challenged, you have evidence to show that the primary purpose for this work was to advise the company, you have a better chance.
Of course, you have to fight the battle of preserving it. Many challenges come in because stakeholders think they should be able to access the forensic report. There are also scenarios like a service provider with affected clients who want to see it. How the report is used can later support an argument that the real reason you did this was to address business issues, not to give legal advice.
Why is it important to share forensic reports in these cases?
PK: In most cases, there’s no litigation strategy reason to protect the report from disclosure. In some cases, it’s not necessary to create a forensic report and that’s a different consideration.
Usually, the idea isn’t to try to hide the facts. It’s whether producing that type of information could then be construed as a waiver of privilege over the real communications between the outside law firm and the vendor for the purpose of the lawyers providing advice.
In those cases, we ask whether we can reach an agreement on a non-waiver. Oftentimes, a different report can be produced. A good example is payment card incidents: A PFI investigation is never going to be privileged because it’s required by the card brand. It’s easier in those cases to have a separate report solely for providing legal advice.
How have recent decisions impacted IR strategy and the way companies engage with third-party IR vendors?
CH: It’s more important to identify in what areas relationships or third parties are appropriate and related to legal advice. In a ransomware event, you may bring in a third party to restore systems and you may not need to establish the basis for privilege. Conversely, there’s a legitimate basis for connecting advice from a crisis communications firm to legal advice, such as when you’re legally obligated to provide notice through a press release or on a website.
But if there’s no connection, it’s better to build a separate workstream and keep the vendor disconnected from others, like the forensic firm. It’s the default mode for companies in a crisis to get everybody on the phone and work at the same time, but we need to be more segmented in managing privilege.
One area to pay attention to is the retainer or pre-existing relationship. Some decisions mention the existence of a relationship prior to the incident as a factor that was considered. I don’t think that should be a dispositive factor. You can build relationships with a forensic firm and clearly establish that the company has different roles for the vendor through separate statements of work. If you were being clear upfront, it positions you to establish privilege.
What are the biggest public misconceptions about attorney-client privilege in these cases?
PK: Attorney-client privilege only applies to communications—not to relationships or even documents unless they are also communication. By contrast, the attorney work product doctrine only applies to documents prepared in anticipation of litigation. The two concepts are thrown around, often wrongly. A reason defendants take the position that forensic reports and related communications are work product is not that that’s a better argument, but because with losing the argument, there’s less of a risk of waiver.
CH: If you polled companies’ general counsels about their top five concerns in a cybersecurity incident, I’ll bet establishing and proving attorney-client privilege would be towards the bottom of the list. They want to manage the incident, protect their company, mitigate risk. But if there’s a choice between getting the company operating and having the best case for attorney-client privilege, they’re going to choose the former.
PK: As a litigator, I believe that the company must meet its notice obligations to handle any of its business interests, whether that’s giving notice to customers or regulators. The least important is the impact of producing a report in litigation. And the reason for that is, as far as I’m aware, there hasn’t been any data breach case of any appreciable size going to trial. Anything harmful in a forensic report is going to relate to the question of whether the defendant breached an applicable standard of care, which is almost always a trial issue.
In summary…
We want to thank Mr. Hoffman and Mr. Karlsgodt for their insights into this matter, which can, unfortunately, impact a cyber policyholder facing litigation after a cybersecurity incident. Guidance from counsel with deep backgrounds in handling data breach matters is paramount. The BakerHostetler team are thought leaders and regular speakers at the NetDiligence Cyber Risk Summit conference events, helping to educate the industry and this is greatly appreciated. BakerHostetler is a NetDiligence authorized Breach Coach® practice. Learn more about Breach Coaches.