Requires More than Merely Adding Counsel's
Technical investigations conducted following cyber-incidents often have both legal and ordinary-course business purposes. In certain jurisdictions, reports generated as a result of such investigations can be protected from discovery by privilege and work product protections, despite certain non-legal use, under the "dual purpose" doctrine when "consider[ing] the totality of the circumstances . . . it can fairly be said that the document was created because of anticipated litigation and would not have been created in substantially similar form but for the prospect of litigation." California Earthquake Auth. v. Metro. West Sec. LLC. However, as a recent opinion illustrates, dual purpose-type privilege claims may not be upheld if challenged in the absence of proper precautions. In re: Capital One Customer Data Sec. Breach Litig., MDL No. 1:19-md-02915, D.I. 490, Slip. Op. (
In
Following the initial detection of the intrusion,
The cybersecurity consultant investigated the intrusion, prepared a forensic report regarding the Breach (the "Report"), and delivered it to outside counsel. Id. at 4. Outside counsel then provided the Report to
Subsequently, Plaintiffs,
As the party asserting privilege protection, the Court noted that it was
The Court found insufficient the fact that the Letter Agreement stated work was to be performed at the direction of outside counsel and the Report given first to outside counsel. Id. at 7 ("As in RLI, the fact that the investigation was done at the direction of outside counsel and the results were initially provided to outside counsel, does not satisfy the 'but for' formulation."). More specifically, the Court found significant that:
- The retainer paid to the cybersecurity consultant for assisting with investigating the Breach "was considered a business-critical expense and not a legal expense at the time it was paid." Id. at 8.
- The Report was "used internally for Sarbanes Oxley disclosures and was referenced in a draft FAQs prepared by a senior vice president for finance prior to the public announcement of the [Breach]." Id.
- The Report was disclosed to "at least several members of Capital One's cyber technical, enterprise services, information security and cyber teams" and it was "used by Capital One for various business and regulatory purposes." Id. at 10.
- Consider the Use of Different Consultants/Vendors - Cases that considered this issue prior to Capital One have maintained privilege claims even when the work was performed by consultants that had previously done ordinary course work. See, e.g., In re: Bard IVC Filters Prod. Liab. Litig. ("True, there are some similarities between the [earlier] HHEs and the Report, but the documents clearly serve different purposes and their substantial differences corroborate Dr. Lehmann's testimony that the Report was a different undertaking than the work he did as acting medical director."). While such practices appear to remain permissible post-Capital One, given the burden of proof placed on the party asserting privilege, consideration should be given to whether it would be advantageous to retain a vendor that does not have a pre-existing relationship. While not essential, the use of an "unrelated" vendor might help further distinguish a privileged investigation from those conducted for purely business reasons. However, there may also be circumstances where, for example, prior familiarity with corporate systems is a critical advantage in a fast moving and high stakes investigation. Accordingly, the use of a vendor with such experience may still be justified post-Capital One. However, care should always be taken to differentiate the engagement to reduce the likelihood that a court would find that the investigation is of the same essential nature as those normally performed by the business.
- Be Careful Distributing Privileged or Protected Materials - While reports generated as a result of dual purpose investigations can be used for certain business purposes without destroying privilege protections, this is not carte blanche to use and distribute the reports freely. Permissible business use generally relates to the areas where the business and legal purposes intersect. See, e.g., California Earthquake Auth., 285 F.R.D. at 591 (finding substantial evidence to support a claim of work product protection over documents generated by consultant despite having some business uses because "these corollary business purposes were 'profoundly interconnected' with the audit's litigation purposes"). The provision of the purportedly privileged reports in Capital One to third party regulators and auditors is of particular concern, as it could give rise to a claim that the privilege claims were only selectively asserted. If a party does not treat their report as privileged, they cannot expect that the Court will treat the report differently.
Accordingly, the Court ordered the production of the report.
The
- Make Sure Counsel is Actively and Integrally Involved - In
How courts handle materials prepared in data breach investigations during discovery is a developing and fact-driven area of law. While these takeaways may help protect materials from dual-purpose investigations, courts will consider all the facts in determining whether a protection or privilege applies. If a party intends for a cyber-investigation to be protected by privilege, it must be properly structured at the very start of the investigation or there is a greater risk that, when challenged, the privilege protections will fail.
Maintaining Privilege And Work Product Protections In Dual Purpose (Legal And Business) Investigations
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
E-mail: gpolk@proskauer.com
URL: www.proskauer.com
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source