Understanding applicability in cybersecurity cases.
By Shawn E. Tuma and Jeremy D. Rucker
Businesses are beginning to understand that cybersecurity is an overall business risk and not just a technical issue. Some are even beginning to see that there is a role for attorneys. But what is that role? If you listen to many in the cybersecurity, business, or legal communities, you will hear the same reason: because attorneys’ privileges keep everything confidential.
Protecting information from disclosure is an important objective in the cyber world. There is no such thing as being “secure.” There are always vulnerabilities that could have been found or remediated. There are always more things that a business could have done to protect its networks and secure its data—and the data of its customers, clients, patients, and consumers—if only it would have devoted more time, money, and resources to cybersecurity. The problem is, because it is impossible to be completely secure and be operational, businesses could devote all their resources to cybersecurity and, theoretically, still be insecure.
Businesses must treat cyber risk like they do other risks and use business judgment to determine what is reasonable cybersecurity for their unique circumstances. Such decisions, however, require them to use probability analysis and cost-benefit analysis to determine that some risks must be accepted as a part of doing business. This is a normal process for how businesses manage risk. It is also a Monday morning quarterback’s dream after a business has had an incident or data breach that has impacted others. A great example of how plaintiffs can use such information comes from Grimshaw v. Ford Motor Co.,1 the landmark case in which the “Ford Pinto Memo” was used to show that Ford knew the Pinto would explode under certain circumstances but, because it would cost $11 per vehicle to redesign, chose to accept the risk because it would cost less to defend against wrongful death lawsuits stemming from such explosions.
This scenario is what businesses are hoping to avoid by protecting from disclosure information that is developed and used during their pre-incident cyber-risk management process. Once an incident has occurred, they also want to protect the information they discover through their investigations.
While “privileges,” whether attorney-client or the work-product doctrine, are certainly great selling points to these businesses to help protect such information, the real question is, are they really the magic wand for secrecy that many seem to believe?
The Attorney-Client Privilege and Work-Product
The attorney-client privilege is designed to foster client confidence and unrestrained communication between a client and the client’s attorney. The attorney-client privilege provides that a client has a privilege to refuse to disclose and to prevent any other person from disclosing confidential communications made to facilitate the rendition of professional legal services to the client, or certain representatives of the client, and the client’s lawyer, or certain representatives of the lawyer.2
The work-product doctrine is designed to protect the attorney’s thoughts, conclusions, legal theories, and mental impressions. The work-product doctrine allows an attorney to explore both the favorable and unfavorable aspects of a case without the concern that opposing counsel will benefit from the attorney’s efforts. Under Texas law, “work product” comprises: “(1) material prepared or mental impressions developed in anticipation of litigation or for trial by or for a party or a party’s representatives;” or (2) a communication made in anticipation of litigation or for trial between or among a party and the party’s representatives.3
The key takeaway for cybersecurity-related situations is that the attorney-client privilege protects only confidential communications between an attorney (or the attorney’s representatives) and the client (or the client’s representative and the client’s lawyer or the lawyer’s representative) that were not intended to be disclosed. The work-product doctrine is similarly limited in that it only protects communications, information, and materials made or developed in anticipation of litigation or trial. Because of these limitations, one can see that, while these privileges are powerful when they apply, they can also be quite fragile and uncertain.
Courts have undertaken complex and fact-specific inquiries to determine if the attorney-client privilege or the work-product doctrine apply in data-breach litigation cases. The leading cases demonstrate just how precarious it can be to rely too heavily on privileges while also providing examples of effective strategies that may improve the chances of protecting certain information.
Use two separate outside teams for investigating in the ordinary course of business and in anticipation of litigation. The court in In re Target Corp.4 found that where Target’s counsel retained an outside cybersecurity firm to investigate the incident using two separate teams with different objectives, Target’s counsel could protect certain information from disclosure. One team’s objective was to assist Target’s outside legal counsel in anticipation of litigation; the other was to conduct an ordinary course of business investigation that was also required by the credit card brands. Target did not assert attorney-client privilege or work-product doctrine for the information obtained by the second team. Target did for the information obtained by the first team. The court denied the plaintiffs’ motion to compel, finding that the items were protected by the attorney-client privilege and the work-product doctrine because Target demonstrated that the work on the privileged-track team was focused on informing Target’s outside legal counsel and in-house counsel team about the breach so that counsel could provide legal advice and prepare to defend the company in litigation.
Outside counsel’s role in the investigation should be active and substantive, not perfunctory. The court in In re Premera Blue Cross Customer Data Sec. Breach Litig.5 found that the attorney-client privilege and work-product doctrine did not protect information where, though outside legal counsel was given the perfunctory role of “supervising” the investigation, that label alone was meaningless without true substantive involvement by legal counsel. Premera Blue Cross was sued following a data breach and hired a cybersecurity firm to assess the security of its network. After the firm discovered malicious software on Premera’s network, Premera retained outside legal counsel and amended the statement of work with the cybersecurity firm to state that outside counsel was supervising the investigation. When the plaintiffs sought certain information prepared by the cybersecurity firm, the court found such information was not protected by the attorney-client privilege or the work-product doctrine because the investigation did not materially change after outside legal counsel began supervising the investigation.
Obtain outside counsel first, have counsel retain the investigators, limit dissemination of information. In In re Experian Data Breach Litigation,6 the court found that even though Experian had an independent business duty to investigate an incident, by retaining outside legal counsel, who then retained a cybersecurity firm to conduct the investigation and prepare a report to assist counsel in providing legal advice in anticipation of litigation, such report (and related information) was protected under the work-product doctrine (without addressing the attorney-client privilege claim). The court explained that, in situations such as this, courts look at surrounding circumstances to determine if the information was really prepared “because of” litigation. In this case, dissemination of the report was extremely limited and the law firm only provided it to Experian’s in-house legal department, not to its incident response team or those working on remediation of the systems, and when shared with Experian’s client, it was pursuant to a joint defense agreement and redacted.
The applicability of privileges in the cybersecurity context is a developing area of the law but there are some best practices that can be gleaned, though they too will likely evolve as the law develops:
1) Remember that the attorney-client privilege applies to communications and does not shield facts and the work-product doctrine only applies in anticipation of litigation.
2) Because of the precarious nature of privileges, the best course of action is to prepare by doing everything possible to ensure applicability of privileges but carry out the work as though there will be no privilege. There may not be.
3) Explain this uncertainty and strategy to your clients and discuss communications protocols with appropriate members of the workforce so they understand what types of things should and should not be put into writing. And, make sure they understand that “writing” includes everything from traditional memos to emails, text messages, Slack, Jabber, and every other form of electronic communication.
4) You do not have to produce what doesn’t exist. If you do not have to have something in writing, do not put it in writing.
5) When something must be put into writing, because there are no guarantees that drafts will be protected, forego having multiple “drafts.”
6) Understand that simply copying an attorney on a communication may not be sufficient to establish the protections of the attorney-client privilege or the work-product doctrine. The attorney must truly direct the communications.
7) Label documents and email subject lines to show that the communication is attorney-client privileged, that the information is requested by counsel, and copy counsel on such communications.
8) For communications between clients and counsel, segregate those regarding legal advice from those that are not legal in nature but pertain to purely business issues.
9) For pre-incident risk management engagements, some ways to help with the applicability of privilege is to hire the attorney first for the purpose of providing the client with legal advice on the legal and regulatory implications of its cyber-risk posture. Then, the attorney should retain those consultants that are needed to determine what the client’s cyber-risk posture is and how it can be improved, which should be clearly stated in the engagement agreement. The attorney should direct the work of those consultants and maintain a prominent role in the process so the consultant’s report to the attorney who is then using the consultants’ work to render legal advice that is only shared in a controlled manner within the organization. In other words, the attorney’s role in this process should be legitimate, not perfunctory.
10) For incident response situations, the client should retain legal counsel first. Counsel should then determine whether parallel investigative tracks are desirable. Counsel should then retain the appropriate consultants and ensure the engagement agreement clearly states the consultant’s role vis-à-vis counsel as well as the objective of the investigation. Then, counsel should actively and substantively lead the investigation and use the consultants’ work to render legal advice that is only shared in a controlled manner within the organization.
Because the “privilege wand” may not be quite so magical, how can attorneys add real value for businesses with cyber-risk management? Attorneys who are experienced in dealing with cyber risk are able to help businesses understand how to assess and manage their unique cyber risk, including potential legal and regulatory liability. Those who regularly serve as a “breach guide” or “breach quarterback” will have experienced numerous cyber incidents and data breaches, experience that is invaluable for helping them develop an effective strategy for prioritizing their resources based upon their real-world risks and business needs. Finally, and perhaps most importantly, when a business has an incident, experienced counsel can help them understand when the incident is—and is not—a true data breach. While often a fine point, for some this can be a “bet the company” distinction.TBJ
is an attorney widely recognized in cybersecurity and data privacy law, areas in which he has practiced for nearly two decades. He is a partner in and co-chair of the Cybersecurity & Data Privacy Practice Group at Spencer Fane and works in its Dallas and Collin County offices.
is an associate attorney of Spencer Fane, where he focuses on cybersecurity, data privacy, and corporate transactions. His practice extends to advising clients on data security and compliance, privacy, and breach response.