Culhane Meadows’ New York partner Caroline A. Morgan recently co-authored an article for DARKReading about preserving legal privilege after a cybersecurity incident.
Here is the article:
When an organization faces a cybersecurity incident, taking appropriate steps to preserve the attorney-client privilege and work-product protection is critical, particularly given that government investigations or litigation can follow. Courts are applying the privilege more narrowly and may require a company to disclose documents in litigation that the business believed were confidential, including details on how a company was compromised and how many of its clients were affected by the attack.
Earlier this year in Wengui v. Clark Hill, a federal court declined to apply the privilege to a consultant’s investigative report of a cyber breach, even though the consultant had been retained by counsel. The court found that the defendant company relied on the report solely for its root cause analysis, which would have occurred in the ordinary course of business.
Generally, to protect communications and work product, organizations must demonstrate that the communications were made for the purpose of obtaining legal advice or in anticipation of litigation, not for ordinary business reasons. Here are eight key actions organizations should take to preserve privilege during a cybersecurity incident.
Involve Counsel at the Outset
Counsel should lead and supervise every aspect of a breach investigation. If a cyber incident has occurred or is suspected, in-house counsel should be promptly notified. But because in-house counsel often provide both business and legal advice, it is prudent to retain outside counsel as well, since some jurisdictions only recognize the privilege for communications with external counsel.
Counsel Should Retain Third Parties
Counsel should retain third parties, such as forensic teams, with a retainer agreement stating that the third party is being retained to assist counsel in providing legal advice in anticipation of litigation. If a company retains them directly, a court may be more likely to find that the resulting work product was prepared in the ordinary course of business.
Have a Separate Vendor Agreement for Breach Response
Organizations retain vendors to perform a variety of routine work from penetration testing to audits. If an organization retains the same vendor in response to a cyber incident, breach counsel should retain them under a separate agreement and clearly define the incident-specific scope of work as distinct from the pre-existing business relationship. Communications and work product are more likely to remain confidential if a distinct statement of work is used for breach response rather than a master services agreement.
Treat Legal Fees as a Legal Expense
Characterizing legal fees as a business, IT, or cybersecurity expense may be convenient for budgets, but it can make a legal investigation look like a business one. To avoid disclosure, an organization should pay legal fees out of its legal budget.
Separate Business from Legal Communications
Organizations should avoid mixing protected information with communications reflecting ordinary business purposes. Employees should label documents “Privileged and Confidential,” “Prepared at the Direction of Counsel,” or “Prepared in Anticipation of Litigation” when they relate to legal advice or anticipated litigation. Where feasible, organizations should have a dual-track investigation in which one team conducts an investigation in the ordinary course of business and a separate team provides the organization with legal advice.
Consider Whether a Report Is Necessary, and If So, State in Writing That It Is Being Prepared for Anticipated Litigation or Legal Advice
When there is a cyber incident, counsel relies on a forensic team to understand what happened and to formulate the legal strategy. Such analysis is often memorialized in a report, which unsurprisingly is sought in discovery in litigation or a regulatory proceeding. An organization should consider whether it needs the report in the first place, and if so, the report should avoid business matters and include counsel’s mental impressions, conclusions, and legal opinions.
Limit Distribution of Protected Information
Organizations should avoid sharing the forensics report or other protected communications with third parties and even employees beyond those who need to know. This includes not using the report for business purposes, like public relations or responding to shareholder inquiries. Distribution should be tracked to demonstrate limited distribution. If information must be shared more widely, provide it in a way that will not compromise the privilege or work product protection.
For example, provide a separate nonprivileged summary report to a board of directors, public relations consultant, auditor, or regulator. If an organization must disclose the full report, for example, to comply with regulatory requirements, the organization should expressly state that it does not intend to waive privilege through disclosure.
Continue to Guard Against Risk of Disclosure, Even if Information Is Protected
Though privilege can prevent disclosure, organizations should assume protected information could be disclosed. Therefore, in protected communications and work product, avoid speculating, discussing matters that are outside the scope of a cyber incident, and including damaging business information that is peripheral to the investigation.
The law around what is attorney-client privileged or work product is constantly evolving. Nevertheless, best practices can make disclosure less likely. Upon discovering an incident, retaining counsel who then retains third parties with agreements specific to incident response is key.
Similarly, bifurcating business from legal analysis in investigations is critical, including providing reports on a need-to-know basis and paying legal expenses from legal budgets. Finally, and importantly, by assuming disclosure can happen, organizations can limit the amount of information that is subject to disclosure in the first place.
Melissa Parisi is Senior Director of Worldwide Privacy, Herbalife Nutrition.
Caroline A. Morgan is a partner at Culhane Meadows.