Notices of large scale data breaches are increasingly found in today's headline news. In November 2017, Uber's client data was hacked, impacting 57 million of its customers and drivers. In September 2017, Equifax reported that 143 million consumers were impacted by a hacking incident that exposed its customer data. In September 2016, Yahoo announced a data breach involved 500 million accounts that were stolen in 2014. By December 2016, it further revealed that a 2013 data breach impacted an estimated 3 billion accounts – the largest data breach in U.S. history to date.
We are now living in an era of massive hacking incidents. When a data breach occurs both regulators and litigants may seek a broad range of documents that include internal business communications, forensic reports and analyses. Legal counsel walking an organization through the data breach landmines must have a thorough understanding of how to protect documents and communications using the attorney-client privilege and the work product doctrine. A misstep can waive or destroy these protections.
Attorney-Client Privilege and Work Product Doctrine Basics
Attorney-client privilege involves confidential communications between lawyers and their clients when those communications relate to the request for, or rendering of, legal advice. Communications that meet this standard include:
- Request for legal advice by a client.
- Communication of facts by the client to an attorney that is needed to provide legal advice.
- Request of facts by the attorney that is needed to provide legal advice.
- Legal advice provided by an attorney.
Work product doctrine protects documents and tangible things made in preparation or anticipation of litigation or trial by or for another party or its representative. (Federal Rule of Civil Procedure (FRCP) 26(b)(3)(A)). Courts have interpreted “anticipation of litigation” to mean that a document was created because anticipated litigation and would not have been created in substantially similar form but for the prospect of that litigation.
There are two types of work product recognized: fact work product and opinion work product. An example of a fact work product includes a lawyer's billing records. Examples of an opinion work product includes documents that contain a lawyer's or other party representative's opinions, legal theories, mental impressions or conclusions. Parties may overcome fact work product claims by showing a substantial need for the material and that a substantial equivalent of the material cannot be obtained by any other means without undue hardship.
Attorney-client privilege and work product doctrine protections can be easily waived when protected information is shared with third parties who do not need to be provided legal advice. It will also be waived when protected legal communication is combined with ordinary business advice communication. Waiver of privileges can also occur when third parties such as forensic analysts are not properly retained, trained and supervised.
Notably, in-house counsel often functions to provide clients with both legal and business advice. This can cloud arguments for protections. Organizations should consider hiring outside counsel as soon as possible in a data breach investigation. This specifically supports a work product argument when an organization only retains outside counsel when it anticipates litigation.
Additionally, deploying dual-track investigations – both a regulatory or litigation-based investigation and an internal data-breach investigation – is another strategy to consider to broaden privilege protections. (See In re Target, 2015 WL 6777384).
Counsel should supervise every aspect of a regulatory investigation or an investigation in anticipation of litigation regarding a data breach. Below are some pointers in supervising investigations:
- Develop a Cyber Incident Response Plan (IRP) for the organization that includes the actions needed by each individual involved in the data breach investigation.
- Limit access to the affected system.
- Determine whether other systems are at risk of future security threats.
- Ensure updated patches are installed to resolve known security vulnerabilities.
- Review system logs for unauthorized access evidence.
- Collect details about the compromised data affected and disclosed.
- Consider system-wide password changes across the organization's various accounts.
- Train all employees working on the data breach investigation on how to preserve attorney-client privilege and work product protection.
- Provide written requests to all non-lawyers performing internal interviews about the data breach that makes clear that the request is subject to attorney-client privilege.
- Mark relevant protected documents with “Protected by the Attorney-Client Privilege” or “Prepared in Anticipation of Litigation”.