Bloomberg Law
Jan. 11, 2021, 9:00 AM

Protecting Data Breach Investigations From Disclosure

Gavin Reinke
Gavin Reinke
Alston & Bird
Ashley Miller
Ashley Miller
Alston & Bird

Lawyers play an important role in helping companies respond to data breaches, including by determining whether notification obligations are triggered and representing the company in litigation or government investigations that often follow. Forensic investigators also provide invaluable support, helping the company’s counsel understand what happened so they can appropriately advise the company.

Regulators and plaintiffs’ lawyers often view forensic investigators’ reports as a “holy grail” of sorts because they provide information about the breach that could be helpful to their claims. Company lawyers often seek to protect the investigators’ work from disclosure under the attorney-client privilege, the work product doctrine, the protection from disclosure of opinions of non-testifying experts, or some combination of the three.

Courts that have addressed whether forensic investigators’ reports are discoverable have gone both ways, often relying on highly fact-specific factors.

Because some courts have found forensic investigators’ work discoverable, companies should think carefully about how they structure their relationships with forensic investigators to maximize the chances their investigations will be protected from disclosure in litigation. Whether these investigations are protected from disclosure is a highly fact-specific inquiry that depends on the specific circumstances of the case.

Steps to Maximize Protection

Below are some considerations and steps that companies can take to maximize the likelihood that the forensic investigation will be held to be protected. To be clear, these are merely factors that could improve a company’s ability to protect its forensic investigator’s work—none is required for the investigation to remain protected, and the failure to satisfy any of these steps does not mean that the investigator’s work will be discoverable.

  • Retain forensic investigators through counsel. Doing so improves the odds that a court will find the forensic investigator’s work was prepared in anticipation of litigation. Retention by outside counsel is not required.
  • Pay forensic investigators from the company’s legal budget. This may strengthen the case that the forensic investigator’s work was performed in anticipation of litigation.
  • Express language in engagement letter. Expressly state in the engagement letter that the forensic investigator’s work is being performed in anticipation of litigation or to assist the company’s counsel in providing legal advice.
  • Carefully describe the forensic investigator’s work. Parties seeking disclosure of the forensic investigator’s work could argue that public statements, including statements to customers that suggest the forensic investigator is being retained in part to reassure customers or to assist with a communications strategy, could suggest that the forensic investigator is performing a business function and therefore the forensic investigator’s work was not prepared in anticipation of litigation.
  • Limit and track the dissemination of the forensic investigator’s report. The written report should only be shared with people that have a demonstrated need to see it for litigation purposes, and it should be clearly marked as privileged and confidential. Legal counsel should be involved in deciding who receives a copy of the report. The company may also wish to consider taking affirmative steps to limit disclosure, like disabling forwarding and printing of the report.
  • Consider retaining a forensic investigator with no prior business relationship. Parties seeking disclosure of a forensic investigator’s work may argue that if a company has already entered into a relationship with a forensic investigator well before the data breach, when there was no prospect of litigation, the relationship was not created in anticipation of litigation and therefore should not be protected. As a matter of law, this fact should not matter since the existence or absence of a prior relationship with the forensic investigator is not an element of establishing the elements of the attorney-client privilege or the work product doctrine or that the forensic investigator’s work is protected from disclosure as a consulting expert. But to take this argument out of the adversary’s arsenal, a company may wish to consider a forensic investigator it has no prior relationship with to conduct its privileged investigation following a data breach.
  • Steps to protect investigator’s prior work. If the company wants to work with a forensic investigator it does have a preexisting relationship with, it can take steps to maximize the chances that the forensic investigator’s work will be protected. The company should ensure the scope of the forensic investigator’s privileged activities are sufficiently different from those previously contracted for so that they can be fairly characterized as being performed in anticipation of litigation, not ordinary business activities. A key question will be whether the forensic investigator’s work would have taken substantially the same form if there had been no litigation filed.

In short, the ultimate question of whether a forensic investigation is protected from disclosure in litigation will depend on the unique circumstances of each case. But by carefully structuring the relationship with the forensic investigator from the outset, companies can maximize the likelihood that their investigations performed in anticipation of litigation will be protected.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Write for Us: Author Guidelines

Author Information

Gavin Reinke and Ashley Miller are senior associates in the Litigation & Trial practice group at Alston & Bird in Atlanta.