chevron-down Created with Sketch Beta.
May 03, 2024 Feature

Attorney-Client Privilege and Work Product Considerations Following Cyber Incidents

Michael Razeeq

The cybersecurity and privacy landscape has become increasingly complex regarding risks, regulations, and related disputes. Lawyers and their clients must understand and take appropriate measures to maintain attorney-client privilege and work product protections, particularly following a cybersecurity incident or data breach. Communications and other materials that are not privileged or protected work products may be used as evidence in depositions or at trial and may become public. That could include sensitive information about an organization’s information systems, information security controls, or key personnel.

With some exceptions, attorney-client privilege generally protects from disclosure in legal proceedings confidential communications between an attorney (or the attorney’s agent) and an existing or prospective client made to obtain or provide legal assistance. Attorney-client privilege generally does not extend to communications that relate solely to non-legal, personal, or business matters that are not primarily legal in nature. Several courts have addressed situations where attorney-client privilege does or does not apply following cybersecurity incidents. Attorney-client privilege is generally absolute, but it can be waived. However, there are limited circumstances in the cybersecurity context attorneys should be mindful of where disclosure would not waive attorney-client privilege, for example, under the information sharing provisions of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Disputes following cybersecurity incidents have become increasingly common, so work product protections are crucial for attorneys and their clients to consider. The work product doctrine generally protects material, such as documents and tangible things, prepared by or at the direction of party’s counsel in anticipation of litigation from discovery by an adverse party. Work product protections can also extend to third parties, such as consultants, insurers, employees, or agents who prepare material to assist a party’s counsel with preparation for litigation. Work product protections do not extend to documents prepared in the ordinary course of business or for non-litigation purposes. Attorney work product protections are not absolute and, like attorney-client privilege, can be waived.

Attorneys have obligations to understand and to take appropriate measures to maintain privilege and work product protections in the context of cybersecurity incidents and related disputes. ABA Rule of Professional Conduct 1.6 (adopted by state bodies governing the legal profession in some fashion) requires attorneys to maintain the confidentiality of information relating to the representation of a client. “[C]lient-lawyer confidentiality is given effect by . . . the attorney-client privilege, the work product doctrine and the rule of confidentiality established in professional ethics.” Model R. Pro. Conduct r. 1.6, Cmt. 13 (Am. Bar Ass’n).

Most questions relating to attorney-client privilege and work product protections in the context of a cybersecurity incident stem from disputes following the cybersecurity incident. Examples of activities following a cybersecurity incident that can give rise to privilege and work product issues include: (1) the retention of any material produced by third-party service providers to assist with incident response and ancillary matters; (2) communications with stakeholders and regulators; (3) post-incident reviews and assessments; and (4) information shared with third parties other than service providers.

With that in mind, attorneys can take various measures to maintain attorney-client privilege and work product protections in the wake of cybersecurity incidents. First, attorneys can proactively address attorney-client privilege and work product with clients before a cybersecurity incident occurs. That could mean discussing those issues, addressing them in cybersecurity incident response plans or playbooks, or providing training to clients.

Second, when engaging third parties for incident response services, it is important for impacted organizations or their attorneys to enter into an agreement specific to the incident response services with a clearly defined purpose and scope of work, especially where the organization has a pre-existing relationship with the third-party service provider. If the work product from the third-party service provider is subject to attorney-client privilege or work product protections, then to the extent possible, it should not be used for other non-legal, business purposes or disseminated beyond those who reasonably need it for legal purposes. In certain cases, that could even mean establishing a two-track investigation to help delineate protected and non-protected material produced by third-party service providers. However, conducting separate investigations in many cases might be impractical or cost-prohibitive.

Third, it is essential to establish a plan to effectively manage communications relating to a cybersecurity incident with various stakeholders, including employees, shareholders, customers, business partners, and law enforcement. Establishing the purpose of communications at the outset will help to determine whether they may be privileged or protected work product. Further, attorneys should explain to recipients whether documents are privileged or protected work product and what, if any, restrictions the recipients should adhere to when handling the documents. Where communications or other materials are privileged or protected work products, labeling them as such will also help to identify that information more quickly in the event of a dispute.

Fourth, once the cybersecurity incident has been contained and its root cause eradicated, impacted clients will begin post-incident activities, like conducting “lessons learned” assessments, updating incident response plans and playbooks, information sharing, and other activities. During this phase, it is important to distinguish which post-incident response activities are to render legal advice or are in anticipation of litigation and which aren’t but are still necessary for the organization to recover and to improve its security posture. Special consideration should also be given to decisions to disclose material to third parties, since information sharing is a common practice in the cybersecurity industry to assist other companies to avoid similar incidents. If a third party is not involved in the same dispute (or the same cybersecurity incident), communications with the third party are not protected by attorney-client privilege or the work product doctrine. At a minimum, a common interest agreement can be advisable where common interest is the theory relied on to share information with an unrelated third party. In other situations where an organization may want to share information to help mitigate the risk of a threat impacting other organizations, taking appropriate steps to comply with relevant laws allowing cybersecurity information sharing can mean that certain information disclosed will remain protected by privilege or the work product doctrine.

Lastly, while not determinative on whether material is subject to privilege or work product protections, retaining external counsel can help establish and carry out a plan to preserve privilege and work product protections. That is particularly true when a cybersecurity incident involves the laws of other countries where rules regarding attorney-client privilege and work product protections can vary. Unless and until a cybersecurity privilege or broader business privilege is established, attorneys and their clients must carefully consider how attorney-client privilege and work product protections apply in the context of cybersecurity incidents and related disputes and should not wait until those events occur to do so.

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

Michael Razeeq

The New York Times Company

Michael Razeeq is in-house counsel at The New York Times Company based in the New York area. His practice areas include privacy, cybersecurity, and consumer compliance. Michael is a 2024 New America #SharetheMicinCyber fellow. He is licensed in New York and Texas and holds CISM, CIPP/US, and GIAC-GLEG certifications.