Legal counsel’s role in cybersecurity has evolved significantly over the past ten to fifteen years. While lawyers traditionally were called in to reactively handle lawsuits and regulatory actions, they now contribute to shaping proactive cyber planning, assessment, and resiliency efforts, including incident response.
Apart from their legal knowledge, lawyers have always provided clients a safe place for hard debate and even harder decision-making. The American Bar Association explains that the “underlying purpose” of the attorney-client privilege is “to encourage persons to seek legal advice freely and to communicate candidly during consultations with their attorneys without fear that the information will be revealed to others.”1 It is also well established that disclosures of information to experts/consultants—who are necessary for a lawyer to render legal advice to a client—do not waive the privilege.
In the cyber context, too, the case law strongly supports privilege (and attorney work-product) protections over consultants engaged by counsel in the aftermath of a data breach. For example, in early 2015, the District Court for the Middle District of Tennessee denied Visa’s discovery requests relating to materials produced by two security firms that Genesco’s counsel engaged to, respectively,
- investigate alleged past violations of PCI DSS, and
- assist in efforts to comply with PCI DSS. The court ruled that both sets of materials were protected, holding that “attorneys’ factual investigations fall comfortably within the protection of the attorney-client privilege,” and privilege “extends to [third-party forensic consultants] that assisted counsel in its investigation.”2 Similarly, in late 2015, the U.S. District Court for the District of Minnesota rejected class plaintiffs’ move to obtain core investigative materials and communications from an internal “Data Breach Task Force” and third-party consultant Verizon—both of which were engaged and directed by Target’s lawyers following the retailer’s high-profile breach in 2013.3 The court upheld Target’s privilege and work-product assertions for all materials related to its “dual-track” investigation, except for a few documents that reflected CEO updates to Target’s board of directors.4
With respect to proactive (non-breach) cyber risk assessments, a recent February 2019 decision from the Premera Blue Cross breach litigation5 provides critical insights into how courts are likely to address privilege assertions. The Premera case stems from a data breach disclosed in 2015. Class actions were filed and discovery battles ensued. The court considered a broad range of document categories set forth in Premera’s privilege log; the highlights included analyses of privilege assertions over security audits and assessments. In this regard, the court noted as follows:
Regarding Premera’s audits and investigations of their information technology and security, Premera’s general information technology and training . . . the Court is not persuaded that these were primarily done with legal purpose and not business purpose.6
Observing that “[a]s a business, Premera needs periodically to audit its information technology and security and training,” the court stated that the audits “would have happened regardless of any pending litigation or regulatory investigations.”7 The court was particularly skeptical of two audits that occurred years before Premera’s breach, referring to such audits as simply “normal business functions,” and while Premera claimed that its counsel was involved in the audits, the court flatly remarked that “Premera cannot shield them from discovery by delegating their supervision to counsel.”8
The fact that case law is now developing on the issue of cyber-related privilege makes clear that lawyers are increasingly playing a meaningful role in this space. However, there are some key lessons learned that are food for thought for both in-house and outside lawyers:
- Non-Breach Cybersecurity Audits or Assessments
Counsel should carefully manage client expectations and differentiate between audits or assessments that are routine “normal business functions” versus those that are truly directed by counsel for purposes of rendering legal advice. Proactive (pre-breach) work always involves trade-offs between remediation and resources (i.e., tough choices are made about what to do now versus put off until later). Debates like these can generate prejudicial documents. Counsel should seek to shield them from potential discovery to the extent they are properly subject to the privilege.
- Deploy Privilege Through “Drafts”
Even if a cyber audit or assessment might not qualify for attorney-client privilege or work-product protections, there are strategies to shield the debate and decision-making from disclosure. For example, emails to counsel that discuss the pros and cons of an audit, items to investigate or focus on, trade-offs and compromises, priorities, and key risks are legitimately privileged. In addition, as the Premera court recognized, “[a] draft report sent to counsel seeking legal advice and input on the draft also would be privileged.”9 Another practice is to conduct oral read-outs before things are reduced to writing.
- Engaging Public Relations (PR) Firms
The typical incident response playbook contemplates PR/crisis communications teams being engaged through counsel for privilege purposes. However, there is mixed case law on this point. For example, some courts have distinguished between “standard” public relations services aimed at preserving a public image or reputation and PR firm communications or work product that are directly related to legal advice or litigation strategy.10
Read Tips from the Trenches: Make Your Company Less Attractive to Cyber Enforcement
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
1 Am. Bar Ass’n, Task Force on the Attorney-Client Privilege, Task Force Report to the ABA House of Delegates 4 (2005), https://www.americanbar.org/content/dam/aba/directories/policy/2005_am_111.authcheckdam.pdf
2 Genesco, Inc. v. Visa USA, Inc., No. 3:13-cv-00202 (M.D. Tenn. Mar. 25, 2015).
3 In re Target Corp. Customer Data Sec. Breach Litig., No. 14-2522 (D. Minn. Oct. 23, 2015).
4 See also In re Experian Data Breach Litig., No. 15-01592 (C.D. Cal. May 18, 2017) (reports created by Mandiant consultants retained by outside counsel deemed to be attorney work product).
5 In re Premera Blue Cross Customer Data Sec. Breach Litig., 2019 WL 464963 (D. Or. Feb. 6, 2019).
6 Id. at *7 (emphasis added).
9 Id. at *8.
10 Compare McNamee v. Clemens, 2013 WL 6572899 (E.D.N.Y. Jan. 30, 2013) (no privilege; PR firm only provided standard services not necessary in order to provide legal advice, and therefore disclosing documents to firm resulted in waiver), with King Drug Co. v. Cephalon, Inc., 2013 WL 4836752 (E.D. Pa. Sept. 11, 2013) (privilege applied; consultants preparing business and marketing plans were the client’s “functional equivalent”).