Cyberattacks can cause debilitating damage to an organization and can paralyze a business almost instantaneously. Cyberattacks breed chaos; effective incident response (IR) seeks to restore order with competing emphases on assessing whether the threat is persistent (and, if so, neutralizing it) and resuming safe, normal business operations as quickly as possible. As an organization moves to DEFCON 5 in the wake of a cyberattack, it is imperative that the IR team, including the organization’s leadership, take appropriate steps to protect potentially damaging information gleaned from the IR investigation under the attorney-client privilege and work-product doctrine.
There was a time when one could reliably predict the assertion of privilege over an IR report so long as the IR process was overseen by outside counsel. However, as the frequency and severity of cyberattacks have increased, courts have made it increasingly difficult to support the assertion of privilege over IR activities (including any reports generated). The seminal decision relevant to this jurisprudence in the United States was issued in 2020 by a federal district court in the Eastern District of Virginia.
In Capital One Consumer Data Security Breach Litigation, 2020 US Dist. LEXIS 91736 (E.D. Va. May 26, 2020), the court rejected arguments that a forensic incident report commissioned through outside counsel constituted protectable work product. While outside counsel was heavily involved in Capital One’s IR process, the court observed that the agreement with its IR vendor predated the breach by four years and that Capital One viewed and paid for these services as “business” expenses rather than “legal” expenses. Moreover, once the report was finalized by the vendor, it was shared with outside counsel, who in turn shared it with Capital One’s in-house legal team as well as the bank’s board of directors, fifty (50) of the company’s non-lawyer employees, four regulators, and the bank’s accounting firm. Capital One failed to justify the legal basis for sharing the report as widely as it did and did not impose restrictions on the use or disclosure of the final report.
While the court acknowledged that the report was prepared with the understanding that litigation likely would follow the breach, it rejected the argument that the final report would have been prepared differently (and included different content) but for the prospect of litigation. After analyzing the evidence, the court concluded that the report was designed to facilitate business continuity as much as to facilitate defenses to be asserted in litigation.
The Capital One decision, and others that have followed, offer guidance for organizations seeking to maximize the odds of protecting incident reports as privileged. Here are some actions to consider:
- Engage outside counsel to lead the IR investigation.
- Have outside counsel newly retain a third party to conduct the forensic investigation and direct that vendor’s actions (and not rely on vendor agreements that predate the breach).
- Where practical (and economical), implement a dual-track investigation: one track focused on business continuity and the other focused on matters likely to be relevant to anticipated litigation.
Navigating the effective assertion of privilege in US data breaches is a complicated endeavor. You should be sure to line up experienced counsel to help guide your organization through this chaotic process.
Article provided by INPLP member: Jason Kravitz (Nixon Peabody, U.S.)
Dr. Tobias Höllwarth (Managing Director INPLP)