Organizations that have suffered a data breach will not want to disclose potentially embarrassing or harmful information, especially in a lawsuit resulting from the breach. However, simply involving an attorney in communications and forensic reports does not necessarily prevent that information from being subject to scrutiny by the other party in the case. Instead, the best approach is to proactively assume that any report may be subject to discovery and ensure that incident reports contain only the necessary facts.
Information shared with your attorney will be protected from disclosure.
When thinking about communications with attorneys, including those about data breaches, people often assume that much of what is said is protected from public disclosure. The attorney-client privilege and work product doctrine are powerful legal mechanisms that can prevent disclosure during litigation. In fact, the Supreme Court has stated that “the attorney-client privilege is the oldest confidential communications privilege known at common law.” Similarly, the work product doctrine typically ensures that information prepared for litigation is not disclosed unless it is not otherwise available. However, when dealing with data breaches, courts take a very narrow view of the scope of attorney-client privilege and the work product doctrine.
Courts have taken a narrow view of these protections in data breach reporting.
In a recent federal lawsuit in Washington (Leonard v. McMenamins, Inc.), defendants who suffered a data breach argued that their reports were protected from disclosure by the attorney-client privilege and the work product doctrine. In a decision very similar to one from the District of Columbia in another case (Guo Wengui v. Clark Hill, PLC), the court disagreed.
The court held that although the report was prepared by a law firm, it was used for business purposes as well as legal ones, and would have been prepared in the same manner regardless of whether litigation was anticipated. Therefore, it could not be protected by the work product doctrine. Additionally, the court noted that the report was not subject to attorney-client privilege because it was intended for business use.
The court also distinguished two cases in which data breach reports were protected from disclosure. In one case, an organization that suffered a data breach requested two reports. One was a non-privileged report for business purposes and the other was intended for use by attorneys. In another case, the report in question was prepared for the organization’s lawyers and was not available to the organization’s incident response team. Unlike in the Washington litigation, that report was intended solely to provide legal advice.
Reporting considerations.
Despite the risks of disclosure, most organizations that experience a data breach need a report that can serve the dual purpose of assisting with remediation and assisting lawyers with analysis.
When requesting and producing these reports, organizations should keep in mind that they may need to be disclosed in discovery in the event of litigation. This consideration should inform what organizations choose to include in the report. Reports should focus on stating the facts of the incident and avoid unnecessary descriptions. Organizations should be proactive in scoping incident reports, as involving a lawyer in an incident report is unlikely to protect the report by itself. For organizations that have suffered a data breach, knowing that these reports can be made public may be the safest way to prevent further problems from occurring in the future.