Cyber Vendor Deals Should Open Door to Attorney-Client Privilege

May 16, 2023, 8:00 AM UTC

Few would argue that it’s a good idea for a football team to show up to the Super Bowl without a defensive game plan. Yet just showing up and playing is often how a company hit with a cyberattack scrambles to hire a cybersecurity forensic vendor. To make matters worse, the company may hire the vendor without realizing that it has just lost the opportunity to assert attorney-client privilege over that vendor’s work down the road.

There are situations in which a company has concerns about a breach but is unsure whether one has occurred. Other times, it wishes to investigate without putting its cyber insurance carrier on notice (a choice that carries its own risk, since most cyber policies require prompt notice and many dictate which vendors and counsel may be used). In either situation, many companies simply hire the forensic vendor and never consult legal counsel.

A few days later, the company confirms it has a data breach and engages a legal adviser with specific cyber experience. Only then does it learn that the forensic vendor needed to be engaged through legal counsel from the outset to protect attorney-client privilege over the vendor’s work.

Three court cases have dramatically affected the assertion of attorney-client privilege (and, closely related, work-product protection) in the context of cyber incident response: In re Capital One, Guo Wengui v. Clark Hill, PLC, and In re Rutter’s. In each, the court ordered the forensic report produced. In Capital One, the vendor was already working under a pre-existing agreement with the company, and the report was circulated widely; in Clark Hill, the firm claimed a two-track investigation but the court found only one report existed and that it served business as well as legal purposes; in Rutter’s, the vendor had been engaged to determine whether a breach had occurred at all, so the court held the work was not done in anticipation of litigation. These cases indicate that engaging a cyber forensic incident response vendor should follow these best practices:

  • The agreement should be a tri-party agreement among legal counsel, the forensic vendor, and the company
  • The tri-party agreement and statement of work should be standalone and separate from any other engagement the company has with the incident response vendor (a pre-existing master services agreement or retainer should not simply be reassigned to counsel)
  • The incident response agreement should specifically state that the purpose of the engagement is to assist legal counsel in providing legal advice and preparing for anticipated litigation
  • The incident response agreement should avoid scope creep, such as language about working alongside the company’s IT team or identifying issues or vulnerabilities to be remediated
  • All communication should be directed to legal counsel
  • Client representatives should be included only on a need-to-know basis

Companies that suffer data breaches have seen judges in the cases mentioned above rule that breach forensic reports do not fall under privilege. These cases provide a roadmap of factors to weigh when deciding whether to issue a breach forensic report at all. The factors that can affect the assertion of privilege over a breach forensic report include:

Tight control of the recipients of the report. Distributing it widely to the executive team, the board, the IT team, and auditors has been treated as evidence that the report was not intended as a privileged document.

Excluding recommendations on remedial measures. Including remedial measures that serve purposes outside litigation can undermine an assertion of privilege that rests on the report being litigation-focused.

Focus of the report. The report should be written to help legal counsel give legal advice, rather than merely stating the facts of the incident in a form the company would need for business purposes anyway.

Two-track reporting. Consider two-track reporting, with one report intended to be privileged and a separate report, prepared by a separately engaged team, to satisfy non-privileged business purposes (such as a board or auditor report). As Clark Hill shows, the two tracks must actually be separate; a single report relabeled for both audiences will not hold.

These principles seem straightforward to apply. However, an executive confronting a data breach for the first time may find the decisions very difficult. Privileged forensic reporting is easily overlooked when all of the following happen within 48 hours: the network is encrypted, clients are demanding answers, social media is rife with rumors, regulators have inquiring minds, and the executive’s spouse is receiving cell phone calls from the threat actor.

Having your forensic team in place, under a contract structured to protect privilege, allows a company to preserve its most precious resource in a data breach: time. When a data breach happens, a properly structured incident response arrangement lets the company spend its precious time working the problem instead of negotiating an incident response agreement.

Initial engagement of the forensic vendor without counsel spells doom for later efforts to assert attorney-client privilege over any forensic report that is issued. Whether to issue a forensic report at all depends on careful consideration of competing business and legal factors. Use your time and choose wisely.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Justin Daniels is a shareholder in Baker Donelson’s data protection, privacy and cybersecurity practice.
