Overview

Companies responding to data breaches are faced with the question of whether their incident response investigation is protected by attorney-client privilege or attorney work-product doctrine.  The issue primarily relates to whether reports generated by an incident response firm may be protected from discovery in U.S. litigation, but other communications may also be at risk in discovery if the work of the incident response firm is not part of a privileged investigation.

Courts have chipped away at the attorney-client privilege and work-product protections afforded to incident response (“IR”) reports and communications with IR firms.  Nevertheless, several opinions continue to support the proposition that incident response reports are protected.  Ultimate success is a fact-intensive inquiry that requires advance planning.  Courts have scrutinized when, how, and why companies engage IR vendors; which business function manages the engagement; how the vendor’s workflow is managed; the roles of other technology teams at the company in interacting with the vendor; the form of the report produced by the vendor; and to whom the report is distributed.  Some courts have even examined how the vendor was paid and found that payment from the information technology budget rather than the legal budget is affirmative evidence that the IR vendor was hired to support business operations rather than the provision of legal advice.  This blog post explores in further depth the relevant factors that U.S. courts consider and provides practical guidance on navigating the legal minefield around these issues, so that companies maximize their chances of successfully preserving their protections over key records should litigation arise following an incident.

Broadly speaking, US litigants can shield documents and communications from discovery under two theories: attorney-client privilege or work-product doctrine.

  • Attorney-Client Privilege: In general, attorney-client privilege covers records that involve communications by a client to an attorney for the purposes of seeking legal advice.  Under the Kovel doctrine, communications between lawyers and third parties who are instrumental to providing legal advice, such as a translator, paralegal, or forensic accountant, may also be protected by attorney-client privilege.  See United States v. Kovel, 296 F.2d 918, 920-23 (2d Cir. 1961) (discussing the circumstances under which attorney-client privilege may extend to certain non-lawyers who support the lawyer in providing legal advice).  Here, the work of IR vendors may be protected by privilege in instances where the technical work done by the vendor is instrumental to a lawyer’s understanding of the legal ramifications of the incident.
  • Work-Product Protection: Attorney work-product protection may be available for records that are created in anticipation of litigation.  “Created in anticipation of litigation” means that the substance of the record must have been, in substantial part, influenced by ongoing or imminent litigation, though the precise tests for this standard vary by jurisdiction.  The antithesis of records created for the special purpose of aiding in litigation are records created solely in the ordinary course of business.  Nevertheless, work-product protection may be available for “dual-purpose” documents that serve both litigation and business purposes, depending on the jurisdiction.  In the IR context, work product is asserted over materials prepared by the IR vendor because those reports are critical for legal counsel to provide advice regarding the obligations of the company in responding to a data breach and the litigation that almost inevitably follows.  But courts scrutinize the vendors’ reports to determine whether they would have been created in the same way “but for” the litigation.  Where the court concludes that the pending or imminent litigation did not cause or otherwise impact the preparation of the factual report, work-product protection will not attach.

The law in this area as it applies to IR vendors remains very much in flux, as there is a relative dearth of case law on this topic.  The case law that does exist is only at the district court level, without any circuit court squarely addressing this issue.  No cases to date have fundamentally disagreed with the application of these protections to IR work.

Because of their technical nature and because cybersecurity is a part of core business operations, records generated by an IR vendor under privilege or work-product protection may seem like ordinary business documents to an outsider without further context.  In determining whether a given IR document merits protections, courts investigate the document’s purpose, namely whether the IR vendor generated it while facilitating the provision of legal advice or helping prepare for the possibility of litigation.  This requires looking into whether and how counsel directed the IR vendor’s work, which in practice can become a multifactorial inquiry that probes all aspects of the relationships between the IR vendor, the company, and counsel.  Below, we enumerate the factors courts look to as indicia of legal purpose in an attorney-client privilege or work product context and provide an overview of how some of the major cases apply them.

  • Relation to Vendor’s Ordinary Work: Does the IR vendor perform work under its engagement with counsel that meaningfully differs from the work it performs for the company in the ordinary course of business, if any?  Is the work purely for the investigation or does it include incident preparedness or remediation activities, for example?
  • Budget Source: Who is paying for the IR vendor’s services?  Is it the information security team or the legal team?
  • Dual Track Investigations: Is there only one investigation?  Is there a team outside of the privileged workstream that is performing an ordinary-course investigation?  Would there be a second IR report that is not privileged?
  • Scope of Distribution: Who is privy to the IR vendor’s communications and reports?  Is that group narrowly focused on providing legal advice or is it broader and focused on the business response?

Summary of key cases (Case; Finding (Protected or Not); Factors Considered (Explanation)):

  • In re Target Corporation Customer Data Security Breach Litigation (2015)
    Finding: Privileged and Protected by Work Product
    Primary Purpose: Legal
    Factors Cited: Dual Track Investigation (separate, independent track clearly for legal advice purposes)

  • In re Experian Data Breach Litigation (2017)
    Finding: Protected by Work Product
    Primary Purpose: Legal
    Factors Cited: Relation to Vendor’s Ordinary Work (different); Scope of Distribution (narrow)

  • In re Premera Blue Cross Customer Data Security Breach Litigation (2017)
    Finding: Not Protected by Work Product
    Primary Purpose: Not Legal/Business
    Factors Cited: Relation to Vendor’s Ordinary Work (similar)

  • In re Dominion Dental Services USA, Inc. Data Breach Litigation (2019)
    Finding: Not Protected by Work Product
    Primary Purpose: Not Legal/Business
    Factors Cited: Relation to Vendor’s Ordinary Work (similar)

  • In re Capital One Consumer Data Security Breach Litigation (2020)
    Finding: Not Protected by Work Product
    Primary Purpose: Not Legal/Business
    Factors Cited: Relation to Vendor’s Ordinary Work (similar); Budget Source (business); Single Track Investigation (no substantive alternate track); Scope of Distribution (broad)

  • Guo Wengui v. Clark Hill, PLC (2021)
    Finding: Neither Privileged nor Protected by Work Product
    Primary Purpose: Not Legal/Business
    Factors Cited (Privilege): Vendor’s purpose was not in support of obtaining legal advice
    Factors Cited (Work Product): Relation to Vendor’s Ordinary Work (similar); Scope of Distribution (broad); Single Track Investigation (no substantive alternate track)

  • In re Samsung Customer Data Security Breach Litigation (2024)
    Finding: Neither Privileged nor Protected by Work Product
    Primary Purpose: Not Legal/Business
    Factors Cited (Privilege): Single Track Investigation (no substantive alternate track); Scope of Distribution (broad); Relation to Vendor’s Ordinary Work (significant business purposes)
    Factors Cited (Work Product): Similar reasons as for privilege

Relation to Vendor’s Ordinary Work

Courts formerly deemed the direction of outside counsel as a primary factor in determining whether an IR vendor’s report merited protection.  For example, in In re Experian Data Breach Litigation, the court relied on the fact that the IR vendor’s report was initially delivered to outside counsel at outside counsel’s direction in finding that “but for the anticipated litigation, the report wouldn’t have been prepared in substantially the same form or with the same content.”  2017 WL 4325583, at *2-3 (C.D. Cal. May 18, 2017).  Courts increasingly scrutinize, however, whether the actual services the IR vendor has provided to lawyers can in fact be differentiated from the vendor’s day-to-day services.  Without substantive differences in the scope of work for the privileged workstream, there is a risk that a court may deny protections.  For example, in In re Capital One Consumer Data Security Breach Litigation, the district court upheld a magistrate judge’s finding that a vendor report was not protected because the “only significant evidence that Capital One has presented concerning the work Mandiant performed is that the work was at the direction of outside counsel and that the final report was initially delivered to outside counsel.”  2020 WL 3470261, at *5 (E.D. Va. June 25, 2020).

Beyond ensuring that counsel is directing IR vendors, companies must therefore make efforts to distinguish the actual work IR vendors do from the business-as-usual cybersecurity work many of these same vendors support.  Work-product protection may be inapplicable when a vendor’s prior scope of work does not substantively change after outside counsel becomes involved, as that tends to indicate that the IR vendor’s work was done in the ordinary course rather than as an aid to the attorneys and in anticipation of litigation.  See, e.g., In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230, 1245 (D. Or. 2017) (“[Mandiant’s] scope of work did not change after outside counsel was retained.  The only thing that changed was that Mandiant was now directed to report directly to outside counsel and to label all of Mandiant’s communications as “privileged.”);  In re Dominion Dental Servs., 429 F. Supp. 3d 190, 194 (E.D. Va. 2019) (rejecting arguments that a Mandiant report was prepared “but for” the anticipation of litigation in part because “the actual description of services” in the putatively protected report “are almost identical to the services promised in the June 2018 statement of work, entered into by the defendants and Mandiant months before any threat of litigation.”).

If companies will be penalized from a privilege standpoint by using the same vendor before and after an incident, it puts them in a Catch-22.  From a preparedness standpoint, an IR vendor should have basic familiarity—in advance of an incident—with the systems, processes, and technologies that a company uses.  This enhances the speed and precision of incident response work.  For example, the IR firm can pre-deploy sensors, beacons, and other technologies as well as assist with risk assessments and testing that will let it rapidly gather the technical data needed to diagnose and contain an active breach.  But some courts have found that the pre-incident engagement of a vendor may be too similar to the vendor’s work during the incident, meaning that the vendor’s work product would not have been any different “but for” the litigation and therefore does not merit work-product protection.  See, e.g., In re Cap. One, 2020 WL 3470261, at *6 (rejecting work product claims and explaining that Capital One failed, like the companies in Premera and Dominion Dental, to establish “that the report Mandiant would have created for Capital One pursuant to its pre-data breach SOW would not have been substantially the same in substance or scope as the report Mandiant prepared for Debevoise” because “both contractual arrangements were virtually identical”).

Some companies seek to minimize this risk by clearly separating the work streams in separate contracts; for example, some have the IR engagement contract ready—but unsigned—prior to an incident, ensuring that the IR firm can be rapidly deployed while preserving all arguments that the vendor’s IR work was strictly confined to post-incident response work designed to aid legal counsel in rendering advice.  Others pay for a retainer specific to incident response.  Whatever the contractual arrangement, companies can strengthen their arguments for privilege or protection by ensuring that the IR-specific paperwork does not tie back to the same Master Services Agreement that governs the ordinary-course work performed by the vendor and by ensuring that the scopes of work materially differ between the privileged engagement and the work done in the ordinary course.

Budget Source

While it may seem natural to deduct expenses related to the IR vendor from a company’s cybersecurity or IT budget, some courts have found that payment from a business function other than the legal department weighs against a finding of privilege, as it tends to suggest the vendor operated in the ordinary course rather than in support of litigation or legal advice.  For example, in denying work-product protection, the court observed that “Capital One paid Mandiant for this work from a Capital One fund denominated ‘business critical’ expenses.”  See In re Cap. One, 2020 WL 3470261, at *1.

To the extent possible, IR vendor fees should be paid out of the legal budget.  This may require careful coordination between various functions at the time the IR vendor is engaged, particularly if that engagement occurs in the pre-incident context.

Dual Track Investigations

Courts have viewed dual track investigations favorably, where the company conducts separate investigations: one in the ordinary course of business and another in aid of counsel.  While this approach can be cumbersome and expensive, some companies have successfully divided the response tracks such that one track—typically the company’s usual vendor or internal team—focuses on business continuity and remediation, while the other track, retained by counsel, is for privileged legal purposes.  The second vendor, engaged by outside counsel, focuses its work on separately providing information to counsel that can be utilized to provide legal advice.  Of course, this requires either a mature in-house cyber team or a second funding stream to pay for a second IR vendor.

To preserve privilege, however, the tracks must actually be separate from one another and the advice rendered must be independent.  For example, in In re Target Corporation Customer Data Security Breach Litigation, the court found that one investigation was focused “on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice,” while Target conducted a parallel ordinary-course investigation with a separate team.  2015 WL 6777384, at *2-3 (D. Minn. Oct. 23, 2015).  Some courts may extend this protection to the fact-gathering by the IR vendor as well as to any technical advice given to counsel on cybersecurity issues.  See, e.g., In re Samsung, 2024 WL 3861330, at *8 (noting that “Target claimed that any information gathered by the latter task force is protected by the attorney client privilege and the work-product doctrine” in successfully establishing a dual track investigation).  Conversely, in Guo Wengui, a dual track investigation was insufficient to shield a vendor report from disclosure where the one vendor retained by counsel did the majority of the incident response work, and there was no evidence that the other vendor, supposedly retained for business continuity purposes, did any work at all on the incident.  338 F.R.D. at 11-12.  Courts may therefore be less likely to protect reports if they find that the true purpose of a dual track approach appears “designed to help shield material from disclosure” without other indicators that it was for legal advice.  Id. at 13.

Courts sometimes point to the presence of recommendations for cybersecurity improvements in a report as indicating that the report was not created to assist counsel.  Cyber remediation, the courts reason, is not why counsel is engaged.  Note, however, that the converse is not necessarily true: courts have found that the absence of recommendations from an IR report does not necessarily prove that the report was made for the purpose of providing legal advice.  See, e.g., In re Samsung, 2024 WL 3861330, at *14 (“[T]he fact that Stroz did not provide any remediation services does not diminish the business purpose of the investigation it conducted.”); In re Cap. One, 2020 WL 3470261, at *4-5 (rejecting defendant’s argument that “Mandiant’s investigation would have focused on remediation” had it been for a business purpose).  The takeaway is that companies pursuing a dual track strategy must take pains to make sure that each track operates as an independent whole, that the non-privileged track actually produces factual findings, and that the privileged portion excludes recommendations.

Scope of Distribution

Even where privilege or work product may attach, courts also consider whether the IR vendor report was shared widely to nonlegal employees or otherwise disclosed to third parties, such as the FBI.  See, e.g., In re Samsung, 2024 WL 3861330, at *14 (“The breadth of Samsung’s involvement or participation in Stroz’s process and wide dissemination of the Stroz Analysis undermine[s] Samsung’s assertion that Stroz was only retained to provide technical interpretation for the benefit of [outside counsel].”);  Guo Wengui, 338 F.R.D. at 13 (explaining that a report was unprotected because “Defendant also shared the report with the FBI” and opining, “The Report was probably shared this widely, as Plaintiffs persuasively argue, because it ‘was the one place where [Defendant] recorded the facts’ of what had transpired.”).  Courts may also consider broad dissemination to be more consistent with a business purpose than with litigation.  For example, in upholding a magistrate’s order stripping work-product protection from a vendor report, the court in In re Capital One Consumer Data Security Breach Litigation explained that “the Magistrate Judge referenced [] distribution simply to underscore Capital One’s business needs for a Mandiant produced report” that was provided to “approximately 50 employees,” the company’s Board of Directors, regulators, and an accountant.  2020 WL 3470261, at *6 n.6.  Broad distribution of the report can also create waiver issues if, for example, an attorney-client privileged document is shared with a third party to whom the privilege does not extend, such as an insurer.

Once again, companies are in a bind.  In the wake of an incident, there is often intense pressure from many different stakeholders to provide access to the IR vendor’s findings.  Navigating this may require a multifaceted approach.  Prior to an incident, meetings can be held with relevant stakeholders to explain the risks inherent in sharing the IR vendor’s work product broadly within the organization.  And during an incident, prudent messaging may assuage some stakeholders’ needs to know every gory detail.  “Tear sheets” or executive summaries of the IR report may also be created, which allow the sharing, for example, of go-forward recommendations while preserving the underlying analysis of the IR vendor on issues of root cause, potential data exposure, and other findings core to the legal advice.  Together, these alternatives may relieve some of the pressure stakeholders might put on obtaining the vendor report itself.

Takeaways

The way that post-incident cyber investigations are structured and managed can have critical downstream consequences for privilege and work product disputes in litigation.  While courts have increasingly chipped away at protections over vendor reports, companies can still take precautions to attempt to preserve them.  In considering how to handle post-incident IR work, consider the following:

  • Who retained the vendor and for what purpose? Retention by legal counsel—particularly outside counsel—rather than the technology function is more likely to result in a finding of privilege.
  • What was the scope of the vendor’s services? IR services that differ meaningfully from services a cybersecurity vendor would provide in the ordinary course are more likely to merit protections.  Ensure the documented scope is focused on work necessary for counsel to assess legal obligations and respond to litigation.  Remediation should not be part of that scope.
  • When was the vendor retained? Pre-incident retention for ordinary-course work may cut against a finding of privilege.  If you decide to use the same vendor for proactive work as well as IR work, use separate agreements with different scopes of services.
  • To whom was the report distributed? Broader distribution, especially to business and technical teams, tends to weigh against a finding that a report merits protections.
  • Who paid the vendor? Payment by legal rather than the technology function is more likely to result in a finding that protections are merited.
  • Was there a parallel investigation for business continuity? Multitrack investigations – one by legal and one by the business/technology function – can be an effective path toward protecting the report created by the privileged track.
  • What were the contents of the report, and did it include go-forward remediation recommendations? The presence of remediation recommendations weighs against finding a report protected, but the absence of such recommendations is not necessarily sufficient to prove a report does merit protections.
  • Was the report in a different form than it otherwise would have been if litigation was not anticipated and/or pending? In general, the closer a report adheres to legal concerns, especially those informed by actual or imminent litigation, the stronger any claim for protections will be.

The cover art used in this blog post was generated by ChatGPT-4o.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Daniel M. Gitner is a partner in the White Collar & Regulatory Defense Group in the firm’s New York office. Mr. Gitner focuses his practice on advising corporations and institutions on a broad range of white collar matters, especially those involving complex, large-scale crises and government investigations. He is a Fellow of the American College of Trial Lawyers. He can be reached at dmgitner@debevoise.com.

Author

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.

Author

Gabriel Kohan is a litigation associate at Debevoise and can be reached at gakohan@debevoise.com.

Author

Amer Mneimneh is an associate in the Litigation Department. He can be reached at amneimneh@debevoise.com.