Protecting Privilege in a Cyber Breach Incident Response

By Carole J. Buckner

When a data breach occurs, legal counsel may be called on to advise the company on a wide range of issues from media relations to customer notification, remediation and regulatory requirements. Because class action litigation and regulatory scrutiny can follow a data breach, it is critical to understand and properly address attorney-client privilege and attorney work product during the course of an incident response. Planning for the myriad issues beforehand is an important part of executing a competent incident response.

Outside Counsel

Hiring outside counsel at the inception of a data breach incident response can preserve the attorney-client privilege. Business advice from in-house counsel may not be privileged. Aetna Cas. & Sur. Co. v. Sup. Ct., 153 Cal. App. 3d 467 (1984) (dominant purpose test). Some foreign countries do not extend privilege protection to communications between companies and their in-house attorneys. Akzo Nobel Chem. Ltd. v. European Comm’n, Case C-550/07 P, 26 Law. Man. Prof. Conduct 584 (Euro. Ct. Justice, Sept. 14, 2010).

Dual Investigations & Forensic Reports


Running dual investigations can also help preserve privilege. In Target’s payment card data breach, one incident response team worked on the business response, focusing on operational concerns, while a second team, directed by Target’s legal counsel, ran a separate response task force. In re Target Corp. Customer Data Security Breach Litig., 2015 WL 6777384 (D. Minn. Oct. 23, 2015). The plaintiffs argued that communications between the Target task force and the forensic consultant were not privileged because Target would have had to address the data breach regardless of any litigation. Target asserted that the forensic consultant had been engaged to educate the task force run by Target’s in-house and outside legal counsel about aspects of the breach to enable counsel to provide informed legal advice, in part to defend against multiple class action lawsuits filed against Target. One set of documents in question involved email updates from the CEO to the Target board of directors in the aftermath of the data breach. The court ordered such communications produced because they did not involve any confidential attorney-client communications, contain requests for legal advice, or provide legal advice. Id. at 3. As to documents related to the work of the task force focused on informing Target’s in-house and outside counsel about the breach for the purpose of obtaining legal advice and preparing to defend the class-action litigation, the court found Target met its burden of demonstrating these documents were protected. Id. at 3-4.

Disputes can develop over discovery of forensic consultants’ reports. In In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230 (D. Or. 2017) (Premera I), the consultant hired by the company produced a remediation and intrusion report. After discovery of a breach, the statement of work was amended to provide for supervision by outside counsel. Premera argued that the subsequent report was privileged and protected as work product. However, the court found that the report was discoverable because the consultant was hired by Premera, not by outside counsel, and the scope of work did not change after the consultant was directed to report to outside counsel and label the reports privileged. Premera I, at 1245.

In In re Experian Data Breach Litig., 2017 U.S. Dist. LEXIS 162891 (C.D. Cal. 2017), a class action followed the company’s data breach announcement. The company hired outside legal counsel, who in turn hired the forensic consultant to provide information to legal counsel to allow legal counsel to advise the company. The consultant provided a report to outside counsel only, who then shared the report with in-house counsel, all designed to facilitate legal advice by outside counsel. The full report was not shared with the company’s incident response team. When the class-action plaintiffs sought discovery of the report, the court found that it was prepared in anticipation of litigation and thus protected by the work product doctrine. The court rejected the argument that the hardship exception to the work product doctrine applied to allow plaintiffs’ discovery of the report, because plaintiffs had the exact same access to mirrored images of the servers as the consultant had.

Public Relations

A public relations consultant is a key member of the data breach incident response team. In California, there is no public relations privilege. Behunin v. Sup. Ct., 9 Cal. App. 5th 833 (2017). Thus privilege may turn on whether a public relations consultant was the “functional equivalent of an employee of the client.” U.S. v. Chen, 99 F.3d 1495, 1500 (9th Cir. 1996). Communications seeking legal advice about how a particular article may impact the company or litigation, or how, from a legal perspective, the company should respond, are privileged. In re Premera Blue Cross Customer Data Sec. Breach Litigation, 2019 U.S. Dist. LEXIS 20279 *11 (D. Or. 2019) (Premera II). If, however, the communication involves merely the facts of the article, or how others are responding to the article, without a request for or provision of legal advice, merely including attorneys on the email does not render the email privileged. Id.

Communications with a public relations consultant during a data breach investigation, even those incorporating advice of counsel, may not be protected by the attorney-client privilege. Premera I, 296 F. Supp. 3d at 1241-42. Documents prepared by employees and third-party vendors, even at the request of counsel, are not privileged if not prepared because of litigation. Id. at 1242. The court looks at whether the primary purpose is to address the data breach, a business function, or to obtain legal advice. Id. at 1243. However, communications sent to and from legal counsel seeking or providing actual legal advice or the possible legal consequences of a proposed text are privileged. Id.

Handling communications appropriately during a data breach incident response can preserve privilege in later litigation.

Carole J. Buckner is Partner and General Counsel at Procopio, Cory, Hargreaves & Savitch LLP.