Are You Properly Engaged?

 Posted by Michael StockhamWill your data breach report be used against you? A recent article in the Spring 2018 Litigation News—published by the Section of Litigation of the American Bar Association—revisited what many consider best practices to preserve attorney-client privilege and work-product protection for materials related to internal investigations, including a company’s investigation of a data breach.1 Who investigates the data breach, and when they begin investigating it, can be key factors weighed by any court when considering later discovery motions related to whether a company must produce materials from a data breach investigation. For example, a report detailing the strengths and weaknesses of the company’s cyber efforts may likely be discoverable in follow-on litigation if the company’s internal information technology group prepared that report but not under the direction of attorneys.  In contrast, the same report prepared by the internal information technology group at the direction of an attorney would likely be considered privileged because the report is attorney-work product created by an attorney agent for the specific reason of rendering legal advice.This blind spot in privilege exists because the work should be connected to attorney analysis and legal advice to protect privilege. That is, work conducted solely by business personnel (e.g., chief information officers or information technology staff) may have little or no nexus to attorney analysis or work product and, therefore, may not be protected by privilege. Specifically, unless all work performed by company personnel is directed by legal counsel, not only will it be difficult to defend claims of privilege or work-product protection, but privilege on conversations with counsel that might otherwise be protected may also lose privilege because the internal company employees (those not in management) might be considered third parties for privilege waiver analysis.This may also be true for work performed by outside, non-attorney consultants. The company may accidentally waive privilege if, in an effort to cloak the consultants’ work with privilege, the company engages consultants directly but then includes them in the investigative process with attorneys. In that scenario, a court could also hold that the presence of an outside third party eliminated confidentiality and negated claims of privilege. Moreover, the privilege analysis is the most complicated when in-house attorneys are involved.  Their dual business and legal role can make privilege analysis murky as courts struggle to ascertain if the communication from the in-house lawyer is legal advice or business advice.There is a cleaner way to deal with policing privilege and work-product protections during a data breach and the ensuing investigation and report. Courts generally recognize attorney-client privilege and work-product protection when the attorney directly engages the consultant or directs the specific activity of internal personnel. In that case, courts are likely to see the consultant as an attorney agent working to help the attorney render legal advice. Said another way, so long as consultants, IT professionals and others who may help investigate a data breach are first engaged by, or report directly to, the attorneys hired by the company to investigate the data breach, then the consultants or personnel should fall within the parameters of the attorney-client privilege and work-product doctrine. This allows a company greater control of the information, so it can form a legal strategy while also limiting the potential that the information will be discoverable in subsequent litigation. As a result, having outside counsel involved from the very moment the company discovers a data breach, and then working closely with that counsel to engage consultants, provides the greatest protection and flexibility of the company, and would be considered a best practice in this area. 1 Kelso L. Anderson, “Data Breach Ruling Potentially Narrows Scope of Privilege and Work-Product Assertions,” Litigation News, Spring 2018 at 14-15.