chevron-down Created with Sketch Beta.
March 11, 2015 Articles

How to Preserve Privilege During Data Breach Investigations

What steps should a corporation take after a cyber attack?

By Leslie C. Thorne and Laurel D. Brewer

Every month, news reports emerge about another high-profile data breach. From Target to Sony, the recent increase in cyber attacks is impossible to ignore. But this raises the question: What are the steps that should be taken after the data breach occurs and a corporation is left to deal with the consequences? Of course, corporations are concerned with stemming the breach and investigating how the hack occurred. These tasks are obviously important, but an immediate, vital step can be overlooked: hiring legal counsel. While the affected company is a victim of a crime and should consider its remedies from that perspective, many breaches also subject the company to its own liability.

Depending on the circumstances, the targeted company may find itself a defendant in suits brought by everyone from consumers to shareholders to credit card companies. As soon as a breach occurs, companies should engage legal counsel to develop a legal strategy to deal with these various risks. But, equally important, immediately hiring a law firm enables the corporation to claim both attorney-client privilege and work-product protection from day one. By securing counsel early on and making that counsel an integral part of the investigation process, a corporation can limit the discovery into its investigations.

The Important Tools: Attorney-Client Privilege and Work-Product Protection

Attorney-client privilege provides protection for communications between the client and attorney. See Upjohn Co. v. United States, 449 U.S. 383 (1981) (“The attorney-client privilege is the oldest of the privileges for confidential communications known to the common law.”). Attorney-client privilege allows clients to make “full and frank” disclosures to their attorneys, which then enable the attorneys to give better advice. In order for a communication between client and attorney to be privileged, the communication must be confidential and for the purpose of securing or obtaining legal advice. Once counsel is hired after a data breach, subsequent communications with the attorney regarding any investigation of the data breach will be privileged.

Federal Rule of Civil Procedure 26(b)(3) protects work product from discovery. “Ordinarily, a party may not discover documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative (including the other party’s attorney, consultant, surety, indemnitor, insurer, or agent).” Thus, the work-product doctrine can protect many aspects of a data breach investigation (and the documents created as a result). However, if challenged, the corporation must be able to show that these investigation documents were created in anticipation of litigation.

“Anticipation of litigation” has been interpreted to mean that the “document was created because of anticipated litigation, and would not have been created in substantially similar form but for the prospect of that litigation.” See, e.g.In re Grand Jury Subpoena, 357 F.3d 900, 908 (9th Cir. 2004). Other courts have interpreted “anticipation of litigation” to mean that “in light of the nature of the document and the factual situation in the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation.” United States v. Adlman, 134 F.3d 1194, 1202 (2d Cir. 1998) (internal quotations omitted) (log-in required). By hiring outside counsel to investigate and provide advice about potential claims stemming from the data breach, a corporation can establish that documents created during the investigation of the data breach were created in anticipation of litigation.

There are two specific types of work product: opinion work product and ordinary work product. Opinion work product consists of the opinions, mental impressions, or legal theories of an attorney or another party representative. Ordinary work product consists of factual information that does not contain opinions or impressions. Under Rule 26(b)(3), ordinary work product may be discoverable if the requesting party shows that it has “substantial need for the materials to prepare its case and cannot, without undue hardship, obtain their substantial equivalent by other means.”

Because the requesting party can often discover the underlying facts through depositions or other discovery methods, there typically is not a substantial need for even ordinary work product. But even if there is a substantial need, opinion work product will remain protected if prepared in anticipation of litigation. For those documents created during the course of an investigation, the work-product doctrine can be a valuable shield against discovery. However, it is important to note in the investigation context that the work-product doctrine protects only the documents themselves, not the underlying facts reflected in those documents.

A Lesser Degree of Privilege and Protection for In-House Counsel

Once notified of a data breach, management would be well advised to head straight to its general counsel’s office. However, solely relying on in-house counsel may not adequately preserve privilege and other protections over a corporation’s communications and documents. Privilege exists between in-house counsel and corporate employees, but there are significant limits to that privilege. In Upjohn, the Supreme Court addressed attorney-client privilege in a corporate setting. The Supreme Court adopted the subject-matter test, which focuses on whether the subject matter of a communication between in-house counsel and a corporate employee is within the employee’s duties.

The Court held that communications between in-house counsel and employees are protected when (1) the communications are made “at the direction of corporate superiors in order to secure legal advice from counsel”; (2) the information is “not available from upper-echelon management”; (3) “the communications concern[] matters within the scope of the employees’ corporate duties”; and (4) “the employees themselves [a]re sufficiently aware that they [a]re being questioned in order that the corporation could obtain legal advice.” When in-house counsel and corporate employees communicate, it is harder to claim attorney-client privilege for those communications because all of these criteria must be met.

It is often difficult to claim protection for communications with in-house counsel because in-house counsel often serve dual roles, providing both legal and business advice. Remember, to claim attorney-client privilege, the communications between the client and attorney must be for the purpose of obtaining legal advice. Oftentimes it is difficult to discern whether a communication between in-house counsel and the client is solely for legal advice versus business advice (or a combination of both). See, e.g.United States v. Chevron Texaco Corp., 241 F. Supp. 2d 1065, 1069 (N.D. Cal. 2002) (“Because the purported privileged communications involve attorneys who apparently performed the dual role of legal and business advisor, assessing whether a particular communication was made for the purpose of securing legal advice (as opposed to business advice) becomes a difficult task.”). Some courts require that the primary purpose of the communication must be to render or request legal advice. See, e.g.Phillips v. C.R. Bard, Inc., 290 F.R.D. 615, 628 (D. Nev. 2013). Thus, courts can be less inclined to find that communications with in-house counsel are privileged because the line between legal advice and business advice can be blurred.

When discussing the findings of a data breach investigation, a corporation wants to be certain it is not inadvertently giving away its attorney-client privilege. The best way to ensure that communications regarding the investigation will be protected by attorney-client privilege is to hire outside counsel. When a corporation hires outside counsel, the attorney-client privilege analysis is simply whether the communication between the client and attorney was confidential and for the purpose of obtaining legal advice. See, e.g.United States v. Chen, 99 F.3d 1495, 1501 (9th Cir. 1996), cert. denied, 520 U.S. 1167 (1997) (log-in required).

Hiring outside counsel at the outset of an investigation can also provide breached companies with greater work-product protection. Much like the issues considered in connection with the attorney-client privilege, relying on in-house counsel can blur the line between documents created in anticipation of litigation and documents created as part of routine business. If documents created as a result of a data breach investigation seem to be created as a by-product of a routine investigation, courts are less inclined to protect the documents under the work-product doctrine. See, e.g.Navigators Ins. Co. v. CalPortland Co., No. 2:10-CV-00665-MJP, 2011 U.S. Dist. LEXIS 9615 (W.D. Wash. Jan. 24, 2011).

Documents created by in-house counsel are more likely to face scrutiny as to whether they were prepared in anticipation of litigation or prepared as a routine matter of the business. By hiring outside counsel specifically to deal with potential claims resulting from a data breach, the investigation-related documents are more likely to fall in the work-product category. Indeed, when there is a question of work-product protection for certain documents, the involvement of outside counsel may be used to convince the court that the documents are protected—especially when it is the outside counsel overseeing the investigation.

Genesco, Inc. v. Visa U.S.A., Inc., 302 F.R.D. 168 (M.D. Tenn. Mar. 10, 2014), provides a prime example of how counsel can protect investigations conducted after a data breach. Genesco asserted state law claims against Visa after it imposed over $13 million in noncompliance fines and reimbursement assessments resulting from “a cyber attack involving credit and debit card purchases at Genesco’s retail establishments.” Genesco’s general counsel retained a firm to conduct a forensic investigation of the cyber attack. Genesco’s general counsel also hired an additional firm, Stroz Friedberg, to provide “consulting and technical services to assist [the general counsel] and outside counsel in rendering legal advice to Genesco” about the cyber attack and the forensic investigation report.

During discovery, Visa requested the general counsel’s “deposition and his records and communications during his investigation of the cyber attack and Visa’s assessments and fines.” The court denied the discovery requests, holding that attorneys’ factual investigations “fall comfortably within the protection of the attorney-client privilege.” The court explained that this privilege “extends to counsel’s communications with agents and experts who are retained by counsel for the purpose of providing legal advice.” Thus, the court held that attorney-client privilege applied to the communications between general counsel and the Stroz Friedberg firm. The court went on to state that “[t]he work product privilege also attaches to an agent’s work under counsel’s direction.”

Because the Stroz Friedberg firm was hired in contemplation of litigation—which was expressed in the retainer agreement—the work-product privilege applied to the Stroz Friedberg firm as well. However, the court did require Genesco to produce documents prepared in its ordinary business. This was reflected “by the Court’s ruling that remedial measures that Genesco took in response to [the forensic investigation] report must be produced because the [forensic investigation] report reflects that those measures were undertaken in the ordinary course of business, not for Genesco’s counsel.”

This case highlights how corporations may use in-house counsel to assert attorney-client and work-product privilege over certain communications and documents, but courts will not provide protection over those communications and documents created in the ordinary course of business. If in-house counsel hires a consultant or expert in connection with a data breach investigation, it is prudent to explicitly state that the consultant or expert was hired in anticipation or contemplation of litigation. Genesco provides broad privilege protections to in-house counsel communications and documents, as long as they are made in connection with legal advice. Still, because investigation-related documents created for business purposes are not protected, hiring outside counsel to advise and oversee investigations, further demonstrates that the investigation is tied to legal instruction and advice.

Additional Roles of Outside Counsel

As discussed above, outside counsel is instrumental in preserving both attorney-client privilege and work-product protection involving internal communications and documents. Outside counsel also has the capability to preserve the same privileges for communications with, and documents created by, parties hired to conduct investigations. Frequently, corporations will want to hire forensics or security experts to assist in the breach investigation. When outside counsel hires this forensic or security expert, the investigation typically falls under attorney-client privilege and the work-product doctrine. Conversely, if in-house counsel hires the forensics or security expert, privilege may not attach.

In light of these privilege issues, as well as the substantive need for legal services, corporations should hire outside counsel as soon as they learn of a data breach. Only by immediately hiring outside counsel will a corporation ensure it does not lose the available privileges applicable to its data breach investigation. To further secure the available privileges, where appropriate, organizations should identify in documents, as well as express to their employees, that each data breach investigation is meant to be legally privileged because the investigation is in anticipation of litigation and directed by counsel.

Keywords: litigation, business torts, data breach, investigation, attorney-client privilege, work product privilege

Leslie C. Thorne and Laurel D. Brewer – March 11, 2015