Data breaches are on the rise. So are the lawsuits that follow. This has led to an environment where cyber-forensics service providers are more important than ever. Clients seeking these services, however, often do so after becoming the unwilling victims of a data breach. And those circumstances create uncertainty for protecting — either as attorney-client privileged or work product — the findings and conclusions from a cyber-forensics provider.
HIRE AND RETAIN A CYBER-FORENSICS EXPERT THROUGH LEGAL COUNSEL
Because the attorney-client privilege protects (and requires) confidential communications for the purposes of legal analysis and advice to a client, and work-product protection protects (and requires) confidential legal work in “anticipation of litigation,” the best way to ensure that both those protections attach to the work of a forensics provider is to retain and conduct those services through and under the direction of legal counsel. This serves the public policy of candor between attorneys and clients in analyzing and addressing legal issues.
Accordingly, if you are the victim of a data breach, it is advisable to call legal counsel before anyone else, so that they can help guide the factual investigation, legal analysis, and supporting work of cyber-forensics professionals with candid legal advice. Numerous courts have held that, in the context of a data breach, the work from forensics vendors not retained directly by legal counsel is not protected by privilege or as work product — for example, where that work was done primarily for business or PR reasons (not for legal reasons).
HIRING THROUGH LEGAL COUNSEL DOES NOT GUARANTEE PROTECTION
Although hiring a cyber-forensics provider through legal counsel can help promote the applicability of both the attorney-client privilege and work-product protection to a cyber expert’s findings and conclusions, that is not at all guaranteed. Courts looking at this issue have held that, in the context of a data breach, cyber forensics are needed for two primary reasons: (1) to provide legal advice to a client, regarding the response to a data breach; and (2) to provide business advice, ensuring that a company discovers and fixes the internal compromise resulting in a data breach. Thus, courts regularly conclude that the report from a cyber-forensics provider is a “dual purpose” (legal and business) document. The former purpose may be protected by legal privilege and/or as work product — the latter may not.
When analyzing whether dual-purpose documents are protected by the attorney-client privilege or work-product doctrine, courts attempt to determine whether the information would have been created in a substantially similar form absent any risk of litigation from the data breach. If the answer to that question is “yes,” many courts have held that the information is not legally protected from disclosure, regardless of whether legal counsel retained the cyber expert. Therefore, retaining these experts through counsel, alone, is not enough.
Given those outcomes, in order to bolster any claims of privilege or work-product protection over the work from a cyber-forensics provider, businesses should ensure that they:
- As a component of a cyber-preparedness plan, have privacy/cyber legal counsel on retainer, who can line up a slate of forensics firms, in advance;
- Hire cyber-forensics experts through legal counsel;
- During an incident response, potentially hire a separate cyber expert to conduct a different (and not protected) business investigation;
- In written discovery responses, make it clear which work was retained for legal purposes, and which was retained for the business; and
- Include legal counsel in conversations with your cyber expert for the purpose of developing well-informed and actionable legal advice.
Each of these will ensure that the victim of a data breach protects as much privileged and confidential information as possible, so clients and their experts can freely work through a breach response to fix the problems, with full candor and consideration of legal issues, without worrying that the confidential information they are creating for purposes of legal advice will be available to others in a future lawsuit.