One of many difficult decisions that companies face following a cyber breach is whether to disclose it to law enforcement. There are several advantages to involving the FBI in a breach response: they may (1) have seen this kind of hack before; (2) know the malware or persons involved; (3) be able to provide helpful information on the motivation for the attack; (4) tell you what else to look for on your systems; and (5) help you to mitigate any vulnerability. To the extent that any money has been fraudulently obtained, involving law enforcement also increases the likelihood of being able to get it back. And in the case of ransomware attacks, law enforcement may have insights into whether there are ways to unlock the affected devices, whether the underlying data is likely intact, and whether the attacker is likely to do what they promise if you pay.
Nevertheless, companies are often reluctant to involve law enforcement, especially in the early days following a breach, for fear that they will waive attorney-client privilege over their investigation into what happened, and that whatever is shared with the FBI will be subject to discovery in a subsequent civil case or regulatory investigation.
Indeed, cyber investigations present unique challenges for lawyers attempting to preserve the privilege. Such investigations will have business, regulatory, and litigation components—each with distinct and sometimes conflicting goals, requiring input and direction from different stakeholders both in and outside the company. As new individuals or entities are informed of the results of the investigation, the risk of waiver increases. This is not to say that a cyber investigation necessarily leads to waiver, but rather that special attention should be paid to the purposes and circumstances of a prospective investigation—prior to its inception—in order to minimize that risk.
To assist companies in that regard, Congress passed the Cybersecurity Information Sharing Act of 2015 (“CISA”), 6 U.S.C. §§ 1501–1510, which enables companies to share information with the federal government concerning “cyber threat indicators” or “defensive measures” without waiving applicable privileges provided they first remove personal identifying information.
Although that is a positive development, recent cases on what constitutes privilege in cyber breach investigations demonstrate that CISA may not provide much protection if companies do not take proper steps to create and maintain privilege in the first place. In order words, CISA can protect privileged information, but it cannot create a privilege where it has already been waived or did not exist in the first place.
For example, in In re Premera Blue Cross Customer Data Security Breach Litigation, Case No. 3:15-md-2633-SI, 2017 WL 4857596 (D. Or. Oct. 27. 2017), the company used a third-party data security consultant to conduct a review of the company’s data management system, which resulted in the discovery of certain malware. Thereafter, the company retained outside counsel and entered into an amended statement of work with the consultant, stipulating that all future work be supervised by counsel. That revised SOW neglected to change the scope of the work, however. The court was not convinced that the remediation report and related documents prepared by the consultant were created “because of” anticipated litigation or would not have been created in substantially similar form but for the prospect of litigation, and because the burden is on the party asserting the privilege, the court concluded that the report could not be withheld.
By contrast, the court in In re Experian Data Breach Litigation, Case No. 8:15-cv-01592 (C.D. Cal. May 18, 2017), denied a motion to compel production of documents related to an investigation performed by a third-party data security consultant where, in the wake of the breach, Experian’s outside counsel retained the consultant to conduct an expert report analysis to assist counsel in providing legal advice to Experian. Although Experian had previously worked with the third-party data consultant, that fact was irrelevant to the court’s determination because the work previously performed by the consultant was “separate” from the work performed after the breach, which had been done at the direction of counsel.
Another way to address these risks is to have two entirely separate investigations. For example, the company in In re Target Corp. Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK), 2015 WL 6777384 (D. Minn. Oct. 23, 2015), had two parallel investigations—an internal breach investigation, the results of which were not privileged, and an external breach investigation, overseen by counsel and involving a third-party expert retained through counsel, the results of which were privileged since the latter was developed for the express purpose of facilitating counsel’s legal advice. Upon in camera review, the court recognized the privilege and denied the motion to compel production of documents related to Target’s second investigation.
In light of these kinds of cases, companies wishing to avail themselves of CISA’s non-waiver protections are being careful to keep legal and business functions separate in cyber investigations, and are ensuring that work performed by third parties and other non-attorneys is done in support of a legal investigation and at the direction of counsel.
These companies are also trying to reduce the risk of waiver when dealing with privileged materials by limiting the distribution of work product and by providing law enforcement with oral briefings—to the extent possible.
The listed lawyers gratefully acknowledge the assistance of law clerk Molly O’Malley Clarke in preparing this post.