Cyber Incident Response: Courts Further Outline the Requirements for a Two-Track Investigation to Preserve the Work-Product Privilege
Earlier this month, companies gained further insight into the processes the courts require to preserve the attorney-client privilege associated with cybersecurity incident response reports.
The line of cases defining this issue arose in 2015 with In re Target Corp. Customer Data Sec. Breach Litig., following a data breach of credit card data.[1] Following the data breach, Target performed two actions. First, Target requested assistance from Verizon in determining the source of the breach and appropriate remediation techniques. Second, at the request of Target’s counsel, the company established a Data Breach Task Force to advise attorneys on the potential legal impacts.[2] Upon initiation of litigation discovery, Target disclosed reports from Verizon, relating to the technology aspects, while claiming the attorney-client privilege for reports generated by the task force.[3] In its analysis, the court applied FRCP 26 and FRE 502, governing attorney-privilege, which require the materials in question to be prepared in anticipation of litigation.[4] The court found Target’s use of a “two-track” investigation sufficiently bifurcated the remediation reports from Verizon, which would have occurred regardless of litigation, and the task force’s reports commissioned by counsel.[5] As such, the court provided work-product protections to those reports generated by the task force.[6] Specifically, the court’s order stated “the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target's in-house and outside counsel about the breach so that Target's attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.”[7]
In comparison, the court in In Re: Capital One Consumer Data Security Breach Litigation considered whether a single-track investigation initiated and managed by outside counsel was sufficient to establish the work product privilege for the resulting incident report.[8] Here, Capital One made the determination to use a single-track investigation process.[9] When the data breach occurred, Capital One engaged a law firm, which in turn engaged cybersecurity response services from the company’s existing services provider.[10] Similar to the court in Target, the court applied the “because of” test, analyzing whether the document had been "prepared because of the prospect of litigation," and not in the "ordinary course of business."[11] The court found a company would investigate and fix the data breach regardless of any litigation, to appease its customers and ensure continued sales, discover its vulnerabilities, and protect itself against future breaches.[12]
Most recently, the D.C. Circuit emphasized that the two tracks, legal and technical, need to be truly separate, in Wengui v. Clark Hill.[13] Clark Hill, in an attempt to follow the standard set forth in Target, established relationships with two service providers to conduct investigations.[14] The record established multiple potential missteps that could merge the two tracks, eliminating work-product protections.[15] First, the record failed to show evidence of a report generated solely for the business conduct separate from the one for legal counsel.[16] Second, the “protected report” was shared with “select members of Clark Hill's leadership and IT team.”[17] A key factor in work-product protection is that the information is closely held. Distributing the report goes against that principle.[18] Finally, during depositions, Clark Hill executives admitted the report was used to “assist[] [Clark Hill] in connection with managing any issues, including" — but notably not limited to — "potential litigation ... related to the ... cyber incident."[19] As a result, the court found no protections were warranted and the report must be discoverable.[20] This most recent case served as an example of potential mistakes and emphasized that the burden of proving the “because of” standard lies with the party asserting privilege.[21]
Once a “two-track” process is established, the next step that must occur is active communication with each of the vendors or service providers, outlining what content a report should contain and how in-depth that content should be. Specifically, the non-privileged report should be focused on the specific action necessary without elaborately expanding on potential future upgrades. A report that provides a long list of potential upgrades can easily be misconstrued as a list of inactions by those without the necessary experience and knowledge.
In conclusion, companies should plan for and implement a “two-track” incident response plan. Many cybersecurity experts agree it is not a matter of if an attack will occur, but when.[22] To ensure an effective “two-track system,” clear policies and procedures for a security should be implemented and followed. Within this plan, it is essential that the legal report is not shared with or distributed to the technical teams, as seen in Capital One.
Footnotes
[1] In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384, at *2-3 (D. Minn. Oct. 23, 2015).
[2] Id.
[3] Id.
[4] Fed. R. Civ. P. 26(b)(3)(A).
[5] In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384, at *2-3 (D. Minn. Oct. 23, 2015).
[6] Id.
[7] Id.
[8] See In Re: Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA) (May 26, 2020).
[9] Id.
[10] Id.
[11] National Union Fire Ins. Co. v. Murray Sheet Metal Co., 961 F.2d 980 (4th Cir. 1992); United States v. Deloitte LLP, 610 F.3d 129, 137, 391 U.S. App. D.C. 318 (D.C. Cir. 2010); In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384, at *2-3 (D. Minn. Oct. 23, 2015).
[12] See In Re: Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA) (May 26, 2020).
[13] See Wengui v. Clark Hill, PLC, Civil Action No. 19-3195 (JEB), 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021).
[14] Id.
[15] Id.
[16] Id.
[17] Id.
[18] See In Re: Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA) (May 26, 2020).
[19] See Wengui v. Clark Hill, PLC, Civil Action No. 19-3195 (JEB), 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021).
[20] Id.
[21] Id.
[22] Ilia Kolochenko, Cybersecurity: is it really a question of when, not if? (Sept. 27, 2018), https://www.google.com/search?q=bluebook+september&oq=bluebook+september&aqs=chrome..69i57.3159j0j1&sourceid=chrome&ie=UTF-8