Tech Transactions & Data Privacy 2022 Report

The discoverability of forensic expert incident reports is often a hotly contested issue in lawsuits. Regulators, such as the Office of Health and Human Services, often demand that they receive copies of forensic reports and companies generally comply. But if the reports are disclosed to a third-party regulator outside the attorney-client relationship, can they nevertheless be protected?

1. A. Overview of Attorney-Client Privilege and Work Product Doctrine

1. Attorney-Client Privilege

The attorney-client privilege protects confidential communications between attorneys and their clients that relate to the request for, or the rendering of, legal advice. The U.S. Supreme Court in Upjohn Co. v. United States recognized that the attorney-client privilege applies to communications between corporate counsel and a corporation’s employees when:

• Employees communicate with counsel at the direction of their corporate superiors.

• Employees communicate with counsel to secure legal advice for the corporation; or provide facts that the lawyer needs to give the corporation legal advice.

• Employees are sufficiently aware that counsel or their agent is questioning them so that the corporation may obtain legal advice.

• The communication concerns matters within the scope of the employees’ corporate duties.

• The communication is confidential.

449 U.S. 383, 390-97 (1981). Courts have held that the privilege also extends to communications between corporate counsel and former employees if the discussion relates to the former employee’s conduct and knowledge gained during employment and counsel’s communications with agents and consultants whom counsel retain to help provide legal advice to the client.

2. Work Product Doctrine

The work product doctrine protects from disclosure to third parties documents and tangible things prepared for or by an attorney in anticipation of litigation or trial by or for another party or its representative. Fed. R. Civ. P. 26(b)(3)(A). When determining whether the work product doctrine applies, courts generally interpret “anticipation of litigation” to mean that a document was created because of anticipated litigation and would not have been created in substantially similar form but for the prospect of that litigation. “At its core, the work-product doctrine shelters the mental processes of the attorney, providing a privileged area within which he can analyze and prepare his client’s case. But the doctrine is an intensely practical one, grounded in the realities of litigation in our adversary system. One of those realities is that attorneys often must rely on the assistance of investigators and other agents in the compilation of materials in preparation for trial. It is, therefore, necessary that the doctrine protect material prepared by agents for the attorney as well as those prepared by the attorney himself.” United States v. Nobles, 422 U.S. 225, 238–39 (1975) (footnote omitted).

2. Submission of Confidential Expert Materials to Regulators

3. Attorney-client privilege and waiver

Generally, voluntary disclosure of a privileged communication to a third party will destroy the attorney-client privilege. See, e.g., Emmanouil v. Roggio, 499 F. App’x 195, 199 (3d Cir. 2012); In re Columbia/HCA Healthcare Corp. Billing Pracs. Litig., 293 F.3d 289, 294 (6th Cir. 2002); U.S. v. Bergonzi et al., 403 F.3d 1048, 1049 (9th Cir. 2005). However, the Eighth Circuit has adopted the theory of “selective waiver” related to voluntary disclosure of otherwise privileged material to government agencies. In Diversified Industries v. Meredith, 572 F. 2d 596 (8th Cir. 1978 [en banc]), the court found that a corporation may selectively waive the privilege to an agency such as the SEC without impliedly effecting a broader waiver. No other circuit has explicitly adopted this view. See also Jo Ann Howard & Assoc., P.C. v. Cassity,No. 4:09CV01252, 2012 WL 2396423, at *2 (E.D. Mo. June 25, 2012); City of Pontiac Gen. Employees’ Ret. Sys. v. Wal-Mart, Inc., No. 5:12-CV-5162, 2018 WL 1558572, at *5 (W.D. Ark. Mar. 29, 2018).

4. Work product protection and waiver

Work product protection does not protect the confidential relationship between an attorney and client but instead furthers the adversary system by safeguarding the fruits of an attorney’s trial preparation from the discovery attempts of an opponent. “[D]isclosure of work-product to a third-party does not necessarily waive the protection; only disclosing material in a way inconsistent with keeping it from an adversary waives work-product protection.” Blattman v. Scaramellino, 891 F.3d 1, 5 (1st Cir. 2018).

3. Application of Cases

Courts faced with deciding whether forensic expert incident reports submitted to regulatory authorities lose protections from discovery have reached differing results, often based upon the unique facts presented. The cases discussed below reflect these varying decisions. This discoverability issue will likely continue to be seriously litigated.

5. Successful Invocation of Privilege in Incident Response

In a number of cases, courts have found that materials created by a forensic expert were not discoverable. Factors supporting this conclusion include cases where outside counsel engaged and instructed the consultant, the expert retained was not one generally used, i.e., the expert was specially engaged for the assignment, the consultant was not given a scope of work pursuant to an existing Master Services Agreement, and the work product of the expert was prepared in anticipation of litigation and not widely distributed. Maldondo, et al. v. Solara Medical Supplies, LLC, et al.,No. 1:20-CV-12198-LTS, Doc. 36 (D. Mass. June 2, 2021); In re Experian Data Breach Litig.,2017 WL 4325583 (C.D. Cal., May 18, 2017); In re Arby’s Restaurant Group, Inc. Data Sec. Litig., No. 1:17-mi-55555-WMR, Doc. 453 (N.D. Ga. March 25, 2019); In re Target Corporation Customer Data Sec. Breach Litig., 2015 WL 6777384 (D. Minn. Oct. 23, 2015); Genesco v. Visa, 302 F.R.D. 168 (M.D. Tenn. 2014).

6. Unsuccessful Invocation of Privilege in Incident Response

On the other hand, a number of courts have reached the opposite result and held that forensic reports are discoverable and must be produced in litigation. Key factors in these cases were whether the reports were generated in anticipation of litigation or merely in the ordinary course, whether the primary motivating factor to engage the consultant and create the report were the prospect of litigation, the scope of work and services provided were essentially the same before and after the breach, the stated purpose of the engagement set forth in the engagement agreement, whether the report would have been generated regardless whether a suit was filed, whether the report was created to assist legal counsel, i.e.,offered guidance for providing legal advice, the timing of the engagement, whether the expert was already under a contract for services, whether the payment for the vendor’s services was reflected as a business or legal expense, how widely distributed the work product was made, and whether the report was used for non-litigation purposes, In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, Doc. 95 (E.D. Pa. July 22, 2021); In re Capital One Consumer Data Sec. Breach Litig., 2020 WL 3470261 (E.D. Va. June 25, 2020); ¹ Guo Wengui v. Clark Hill, PLC, 2021 WL 106417 (D.D.C. January 12, 2021); In re Premera Blue Cross Customer Data Sec. Litig., 296 F. Supp. 3d 1230 (D. Or. 2017); In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190 (E.D. Va. 2019); Fero v. Excellus Health Plan, Inc., et al., No. 6:15-cv-06569-EAW-JJM, Doc. 304 (W.D.N.Y. 2019).

4. Considerations for Maintaining Privilege of Expert Incident Reports

7. Consider Employing a Dual-Track Investigation

Consider setting up a dual-track investigation with separate teams to (1) conduct an ordinary course of business, non-privileged investigation, and (2) provide the organization with legal advice and protect the organization’s interests in litigation. Two separate reports, one reflecting a post-breach mitigation investigation and one reflecting a post-breach analysis in preparation for litigation could be created. The non-privileged mitigation investigation report should not include analysis or interpretation. This report should reflect facts and technical information only. Conversations of next steps, effects of the breach, and characterizations of the attack that may occur during the investigation should be done orally until findings are solidified, at which point such findings should be presented either within the legal investigation report or within a privileged attorney letter.

8. Structure Consultant Engagement Agreements Carefully

Hire an outside cybersecurity firm to investigate the breach and, if possible, a different cybersecurity firm than the company previously hired to conduct any prior review of the company’s data management systems. If it is impossible or impractical for the company to retain a new firm, the company and the cybersecurity firm should use a separate team of experts dedicated exclusively to investigating the breach and dealing with any litigation that may arise.

Persist operating under one Master Services Agreement with subsequent SOWs referencing the original MSA, citing Capital One as justification. The organization, outside legal counsel, and forensic investigator should jointly create an accurate evidentiary record in the agreement that clearly demonstrates that the investigation report is prepared primarily for legal privilege purposes, and not for ordinary business purposes. The forensic investigator’s engagement should be limited to work relevant to assisting outside legal counsel to provide legal advice and prepare for litigation. Creating a SOW that differs from broader SOWs or retainers and is perhaps more limited and directed toward work that is legal (as opposed to business) will be beneficial.

9. Counsel Involvement and Direction

The forensic investigator should be hired by outside legal counsel expressly retained to advise the organization regarding the incident and related litigation, and the payment should come out of the company’s legal budget. The forensic investigator should deliver its report to, and communicate with, outside legal counsel only. The forensic investigator should not communicate directly with the organization’s in-house legal counsel or the incident response team. The investigation report should be based on an analysis of documents and data (e.g. server images) that are preserved for subsequent disclosure in litigation.

10. Restrict Communications and Report Access

Avoid sharing the legal investigation report as much as possible. The investigative report should only be shared on a “need to know” basis and should not be shared with regulators. For others outside of the legal investigation, such as vendors, regulators, or auditors, they should only be provided the non-privileged report. Sharing only the non-privileged report in this manner will help demonstrate that the investigative report was created for purposes of litigation and not for regulatory or business purposes.

Because communications between consultants and businesses are also potentially discoverable, organizations should also take care to limit such communications (especially written communications) to only what is necessary and consider the following techniques:

• Include counsel on all communications concerning the data breach (although that does not guarantee that a court will deem the communication privileged).

• Document investigation-related business matters separately from legal matters.

• Date documents to assist in any later claim of privilege or work-product protection.

• Mark documents as “Protected by the Attorney-Client Privilege,” “Prepared at the Direction of a Lawyer,” or “Prepared in Anticipation of Litigation” when appropriate.

• Prepare a separate, non-privileged report or multiple iterations so only a limited audience receives the full report.E. ConclusionPreservation of attorney-client confidences and work product is important in any circumstance but, given the prospect of litigation and class action lawsuits arising from a data compromise, it is even more critical to protect communications, strategies, and analyses as much as possible. Because government regulators often demand forensic reports, structuring and documenting the relationships and work product appropriately may help maintain the privileged nature of documents created. Nevertheless, we expect to see these issues remain hotly contested in 2022 and beyond. 

FOOTNOTE

1 In a separate decision, the District Court held that Capital One’s general counsel engagement of PricewaterhouseCoopers was significant in finding that report was not discoverable. The PWC report was created to assist with fiduciary and legal duties in anticipation of litigation. See In re Capital One Consumer Sec. Breach Litig., 2020 WL 5016930 (E.D. Va. Aug. 26, 2020).