Privilege Considerations in Cyber Incident Response

By Bart W. Huffman, Esq. and Charles M. Salmon, Esq. of Locke Lord LLP

As with other types of crisis situations, a cyber security incident can generate not only operational issues, but also significant legal exposure. Affected companies should think through the associated privilege issues, especially when consultants are used. A company's response has a number of purposes: (a) containment, remediation, and continuity; (b) investigation and analysis to determine the cause and extent of the compromise; (c) internal and external communications and messaging; (d) compliance with legal requirements and regulatory expectations; and (e) preparation for the possibility of litigation or administrative proceeding. Various types of non-public written records may be created and used, such as:
  • minutes of meetings;
  • communications among the response team, with the employee base, with consultants, with potentially affected third parties, and with law enforcement;
  • notes (e.g., generated during an investigation); and
  • work papers and reports.
Some of these records may be privileged as attorney-client communications or protected under the work product doctrine. If litigation ensues and a consultant serves as a testifying or non-testifying expert, the consultant's work may be protected under the applicable procedural rules.

Applicable Contours of the Privilege

The attorney-client privilege protects communications made for the purpose of obtaining or providing legal advice. In Upjohn Co. v. United States, the U.S. Supreme Court held that communications by a company's employees to the company's legal counsel relating to an internal investigation, made for the purpose of securing legal advice, are protected by the attorney-client privilege. 449 U.S. 383, 386-87, 394-97 (1981). The work product doctrine protects an investigation or analytical work done at the direction of an attorney to prepare for litigation. See Fed. R. Civ. P. 26(b)(3); Hickman v. Taylor, 329 U.S. 495 (1947).

Courts have clarified that obtaining or providing legal advice need not be the only purpose for an investigation in order to maintain privilege. As applicable in the context of an internal investigation, it is sufficient if providing legal advice was "one of the significant purposes." In re Kellogg Brown & Root, Inc., 756 F.3d 754, 758 (D.C. Cir. 2014) (incorrect to presume that communication could have only one primary purpose). In other words, the fact that there are also business purposes to a post-breach investigation does not necessarily render the investigation (and communications associated with it) non-privileged. However, it is important to also remember that an investigation that would have been undertaken regardless of the need for legal advice or anticipated litigation will not become privileged simply by being directed by an attorney. Hickman, 329 U.S. at 513.

In the infamous Target payment card breach, a judge assessed claims of privilege with respect to various reports. As required by the payment brands, Target had engaged a PCI Forensic Investigator (PFI), whose work Target did not assert was privileged (because the PFI reports to the payment brands and/or the acquiring banks). Order, In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522 (D. Minn. Oct. 23, 2015). In addition, it appears that Target formed a business response team, presumably focused on operational concerns (also not privileged). Id. at 1. Separate from that team, Target's counsel directed a response "task force," and the court did not have a problem upholding the privilege for the work of that task force. Id. at 1-2.

To maximize privilege protection, a lawyer (in-house or outside counsel) should be directing that portion of the response and investigation for which privilege is sought. The work should have as one of its significant purposes the rendering of legal advice. Beyond that, it would be helpful for any outside consultants to be engaged by the attorneys; and if they are not, they should at a minimum still be working under the direction of the attorneys. See, e.g., id. at 3 (law firm a party to engagement letter). Along with those measures, a company that sets up a separate "privileged" team effort should consider establishing rules for the topics and scope of any separable business functions (so that the work of the "non-privileged" team does not overlap with the work of the "privileged" team). Further, as a general matter, the company's attorneys should take measures to remind employees about the confidentiality and privilege associated with communications with and work performed at the direction of counsel.

Waiver

In some situations, a company may desire (or be required) to share an investigative report or other information with a third party. Sharing of privileged information may have unintended consequences, especially if the sharing is outside of any confidential relationship. Although the non-testifying expert "privilege" is not subject to waiver, see Fed. R. Civ. P. 26(b)(D)(4), the attorney-client privilege and work product protection can be waived. A party asserting a privilege bears the burden of demonstrating that the privilege has been preserved; the privilege may be waived by consent, disclosure to a third party, failure to properly assert the privilege, assertion of an advice-of-counsel defense, or "by conduct which implies a waiver of the privilege or a consent to disclosure." See 6-26 Moore's Federal Practice - Civil § 26.49[5].
