Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships, and prevents or mitigates financial consequences. Unfortunately, some have sold the value of involving an attorney in the incident response process as the ability to cloak an investigation in privilege and work product. So there have been surprised reactions to recent decisions finding that work product did not apply to a report written by a forensic investigation firm that had been engaged by a law firm on behalf of the organization. There are legitimate grounds for criticizing the analysis used to reach those decisions based on the facts of each case. But the decisions reveal a path for steering through the process. And for organizations that have taken thoughtful measures to prepare to respond to security incidents, such as working with external counsel and building a relationship with a forensic firm, it does not mean they need to abandon their plans and start over. There is not an approach that works in all incidents. That is where the value of experienced counsel is most evident – in the ability to provide advice that generates an incident-specific response plan to help an organization meet its legal obligations and operational needs.

The Basics. Attorney-client privilege generally protects a communication between an attorney and client made for the predominant purpose of obtaining legal advice. Privilege does not operate as a cloak over an entire relationship or engagement. It does not prevent disclosure of underlying facts that are independently discoverable. Work product is a separate evidentiary protection that applies to documents prepared in anticipation of litigation or adverse regulatory proceedings. Where there could be multiple reasons why a document was prepared, the predominant purpose test is used to determine whether the document would have been prepared in the same way but for the prospect of litigation and is not work that would have been done anyway because of other operational needs. This means the analysis of whether work product applies depends on the facts of the specific incident. One principle cited in decisions in this area that stands out is that courts generally disfavor blanket assertions of evidentiary privileges because they shield evidence from the truth-seeking process.

The Challenges. The incident response process can be chaotic. Lots of people want to help. In the course of helping, they produce all kinds of communications and documents. Forensic firms always offer to write reports. There can be many needs for the results of an investigation – from internal security and IT teams to clients, external auditors, management and boards, and regulators. And there is legal risk associated with most of the operational needs. If a report is written, someone later learns it exists and demands a copy, and the organization gives a copy of the report to that person, should that after-the-fact decision be used as evidence to determine why the report was originally requested?

The Undercurrent. An undercurrent behind decisions finding that privilege or work product did not apply to forensic reports may be a sentiment that courts want to know the underlying facts. The decisions contain citations to precedent that evidentiary privileges are disfavored because they shield evidence from the truth-seeking process. In many of the cases in which the court agreed that the application of privilege or work product to a forensic firm’s written report was established, there was a separate non-privileged report that had already been produced from a firm engaged to conduct a payment card industry forensic investigation (PFI) due to contractual obligations.

The Path Forward. We still believe there is a sound basis for the application of privilege and work product to work done by a forensic firm engaged by a law firm to assist the law firm in providing advice related to legal and contractual notification obligations and in anticipation of adverse regulatory and litigation proceedings. Attorneys need forensic firms to obtain and interpret technical data from an organization’s network. But it is important to remember the purpose and limits of privilege and work product. Considerations to address include:

  • Focus on specific communications and documents (not relationships) when evaluating the likelihood of establishing the application of privilege or work product.
  • Take the right steps to establish the foundation for the application of privilege and work product (where desired). Avoid using default language in a statement of work from a forensic firm or a general retainer agreement – create appropriate incident-specific engagement documentation.
  • At the outset of the investigation, define the protocol for communication with the forensic firm, response team and legal counsel, and what, if any, written work product is requested. Carefully define who will receive written work product and why. Take steps to maintain consistency about the purpose of the investigation and clarify instances of misunderstanding about the ability to use communications and reports for other purposes.
  • Continually assess what present or potential future needs for written work product might exist. Identify the third parties that may need information related to the investigation, and address how that information can be provided in a way that does not run contrary to the application of privilege and work product.
  • Consider requesting a summary of nonprivileged factual findings that is not intended to be a privileged or work product protected document.

Having an existing relationship with a forensic firm should not negate the properly established and preserved application of attorney-client privilege or work product. It may be riskier for a company to identify and engage a new forensic firm, one it has never worked with before, for each new incident just to negate one fact that has been identified as a partial reason for determining that a forensic firm was engaged primarily for a business reason. Identifying and building a relationship with a forensic firm before an incident occurs is a key part of effectively preparing to respond to a potential security incident. This is especially true where organizations are leveraging a forensic firm’s advanced endpoint protection tools as part of their cybersecurity program, because those tools give a forensic firm the important ability to quickly obtain visibility into a network and to look for indicators of compromise.