An organization that has suffered a data breach likely does not want to have to disclose potentially embarrassing or harmful information, especially in a lawsuit resulting from the breach. Simply involving an attorney in communications and forensic reports, however, will not necessarily prevent that information from being subject to scrutiny by opposing parties in litigation. Instead, the best approach is to proactively assume that any reports may be subject to discovery, and to ensure incident reports only include necessary facts.
Information shared with attorneys can be protected from discovery.
When people think about communicating with attorneys, including regarding data breaches, they often think that much of what is said is protected from being disclosed. Attorney-client privilege and work-product doctrine are powerful legal mechanisms which can shield information from discovery during litigation. In fact, the Supreme Court has noted that “The attorney-client privilege is the oldest of the privileges for confidential communications known to the common law.” Similarly, the work-product doctrine typically keeps information prepared for litigation out of discovery, unless it is otherwise unavailable. When dealing with a data breach, however, courts take a very narrow view of the scope of attorney-client privilege and work-product doctrine.
Courts take a narrow view of these protections in data breach reports.
In a recent federal case in Washington (Leonard v. McMenamins, Inc.), the defendant, which had suffered a data breach, argued that its report was protected from discovery by attorney-client privilege and the work-product doctrine. In a holding very similar to the District of DC’s decision in another case (Guo Wengui v. Clark Hill, PLC), the court disagreed.
The court noted that the report, while prepared by a law firm, was used for business purposes as well as legal purposes, and would have been created in the same manner whether or not litigation was anticipated. Thus, it could not be protected by work-product privilege. Additionally, the court noted that because the report was geared toward business use, it did not fall under attorney-client privilege.
The court also differentiated two cases where data breach reports were protected from discovery. In one case, the organization that suffered the data breach commissioned two reports: one, non-privileged report for business purposes and a second report intended for their attorney’s use. In the other case, the report in question had been prepared for the organization’s attorneys and was not even available to the organization’s incident response team. Unlike the case before the Washington court, the reports were exclusively for the provision of legal advice.
Considerations for reports.
Despite the risks of disclosure, most organizations experiencing a data breach will want or need a report that can serve a dual purpose – both assisting with remediation and assisting legal counsel in its analysis.
In asking for and crafting these reports, organizations should be mindful that, if a lawsuit ensues, they likely will need to disclose these reports in discovery. This consideration should inform what organizations choose to include in a report. Reports should stick to stating the facts of the incident and avoid unnecessary statements. Because involving counsel in an incident report is unlikely, on its own, to protect the report, organizations should be proactive in setting the scope of the incident report. Knowing that these reports may become public may be the safest way for organizations that have suffered a data breach to prevent additional problems down the road.
We’re here to help.
If you have any questions about how these principles may impact your company, please reach out to Nate Steed, Kelly Hollingsworth, Sam Poortenga or your Warner attorney.