Maintaining Attorney/Client Privilege After a Data Breach

Nathan Morales, writing on the Stoel Rives Global Privacy & Security Blog, says that many courts have ruled that after a data breach occurs, a cybersecurity vendor’s work is for business or PR reasons, not legal reasons unless they were retained directly by legal counsel.

Attorney-client privilege protects confidential legal analysis and advice. Work-product protection protects confidential legal work in “anticipation of litigation.” Attaching those protections to a forensics provider’s work is best accomplished by retaining cybersecurity services through legal counsel.

But even that is no guarantee. Courts probe whether the report would have been pretty much the same even if the breach posed no risk of litigation. If so, many courts rule that the information is not protected from disclosure no matter who retained the cyber expert. 

They also often rule that a cyber-forensics provider’s report is a “dual purpose” document. It provides legal advice in respect to the response to a data breach, and business advice about finding and fixing the systemic problems that resulted in a data breach. The legal purpose may be protected, but not the business purpose. 

When deciding whether dual-purpose documents are protected, courts ask whether the report would have been substantially the same without the risk of litigation. If so, courts have held that the information is not legally protected from disclosure, regardless of whether legal counsel retained the cyber expert.

Morales makes the following suggestions: 

• Have legal counsel who is familiar with cyber-forensics providers on retainer
• Hire those providers through legal counsel.
• Consider hiring a separate cyber expert to conduct a business investigation without the expectation of protection
• Clarify which work was done for legal purposes and which was done for the business in all discovery responses