Historically, attorney-client privilege was used to protect conversations between attorneys and their client as they were preparing their defense.
While that is still the case, there is a lot of information that companies that were breached might not want to get out to the folks suing them. If it is not done right, it is highly unlikely that the information will be protected.
Some examples of doing it wrong:
After a data breach occurred, Capital One retained a law firm that later entered into an agreement with Mandiant for various cyber-related services (including incident remediation), which required that Mandiant provide deliverables to the firm, rather than to Capital One. Plaintiffs sought release of the report created by Mandiant (regarding the factors leading to the breach), arguing that it was prepared for business and regulatory purposes and therefore was not privileged, while Capital One argued that the report was privileged because it was prepared in anticipation of litigation. Capital One lost and had to turn over the report.
Plaintiffs filed a motion to compel Dominion Dental Services to produce a report created by Mandiant, a cybersecurity firm. Dominion claimed that the report was created to inform legal counsel and create a litigation strategy, and thus was privileged and protected by the attorney work-product doctrine. The court stated that Dominion had not met its burden of demonstrating that the materials were protected work-product and held that the materials were not privileged because (1) Mandiant had a relationship with Dominion prior to the breach, and which anticipated services in the event of a breach occurring; and (2) Dominion used the materials for non-litigation purposes.
There are more of these. The wall for attorney-client privilege is filled with holes.
This means that you need to prepare for how you are going to respond in case of a breach.
BEFORE the breach.
Some things to figure out:
- Failure to distinguish the parameters of retaining an outside consultant for the creation of a breach report can increase the risk of this report not being covered within the work-product doctrine. THIS MEANS THAT YOU NEED TO COMPARTMENTALIZE WHAT YOU ARE DOING. Likely one project/vendor for incident cleanup and a different one for legal prep.
- Retainers for vendors used in preparing a breach report should be categorized as a legal expense. BREACHED COMPANIES WHO HAD ENGAGED MANDIANT BEFORE THE BREACH AND CLASSIFIED THE EXPENSE AS AN IT EXPENSE HAVE A HARD TIME CHANGING THEIR MIND LATER. BUT CLASSIFYING IT AS A LEGAL EXPENSE DURING NORMAL TIMES AND HAVING THEM REPORT TO “IT” IS ALSO A PROBLEM.
- Only share the data breach report for legal purposes, and share the report with as few individuals in the organization as possible. SEE COMPARTMENTALIZE ABOVE. IF YOUR LAW FIRM DOES NOT UNDERSTAND THIS, THEY ARE THE WRONG LAW FIRM TO HANDLE THE TASK.
- Proceed with caution when using a data breach report outside of litigation purposes.
Now is the time to figure things out. Before you need to use it. Credit: ADCG