Cyber breach response: Best practices to protect privilege in data breach investigations | Managed Care Outlook 2025 | Perspectives | Reed Smith LLP

In the realm of managed care, safeguarding privilege during a data breach investigation is paramount. Establishing and deploying best practices is essential to ensure your company’s breach response investigation will be protected from disclosure.

Authors: David V. Goodsir, Caitie O. Young, Vanessa A. Perumal

A body of case law has emerged concerning the privilege of communications and materials related to data breach investigations. Courts are more likely to require adherence to these practices in future disputes.

By integrating these best practices into your breach response strategy, you can better position your company to protect sensitive information during a data breach investigation.

Breach response best practices

Two-track investigation. As a result of the case law that has developed in this area, it is best practice to conduct a two-track investigation in the event of a data breach – an ordinary business track and a legal track.

Courts have protected data breach investigative materials and communications under the attorney-client privilege and/or work product doctrine where there were two investigative tracks of a company’s data breach response. Maldonado v. Solara Med. Supplies, LLC, 2021 U.S. Dist. LEXIS 258382, at *12-13 (D. Mass. June 2, 2021) (Work product and attorney-client privilege protections upheld for data breach investigation materials, in part due to the company conducting a two-track investigation.)

Separate work streams for each track. One investigative track should handle the ordinary course of business investigation, which includes whether unauthorized activity within the systems environment occurred; whether it resulted in the compromise of sensitive data; the scope of such compromise; and remediation of the breach. See Leonard v. McMenamins Inc., 2023 U.S. Dist. LEXIS 217502, at *9-10 (W.D. Wash. Dec. 6, 2023). The ordinary course of business track investigation should be limited to documenting technical information that likely is not protectable to determine what happened, culminating in a non-privileged report that can be used to help direct the response by IT and Privacy, remediate the data breach and comply with the law.

On the other hand, the legal track investigation should occur under the direction of outside counsel for the purpose of educating counsel about the data breach in order to provide the company with legal advice and prepare to defend the company against anticipated litigation/government actions, culminating in a separate privileged/protected report. To further preserve attorney-client privilege and/or work product protections, the tracks should not communicate with each other about the substance of the legal track investigation. Id., at *9-11.

Retention of consultants by outside counsel. Courts are more likely to uphold attorney-client privilege and work product protections for investigative materials produced by consultants retained directly by outside legal counsel. For example, in In re Marriott Int’l Inc., Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 124874, at *60-65 (D. Md. June 29, 2021), the court found investigative materials were not discoverable where the company entered into a three-party statement of work with its outside counsel and consultant, specifying that outside counsel engaged the consultant on behalf of the company to assist it in providing legal advice to the company.

Ideally, if possible, the company may use different consultants for each track. However, if the same consultant is retained by the company to conduct the investigations for both tracks, steps should be taken to ensure that a wall between the two tracks exists in order to maintain privilege and work product protections as to the legal track.

Specific statement of work for the legal track data breach investigation, separate and distinct from fact-based, ordinary course investigation or consultant’s regular work for company. There must be a specific retention agreement for the legal track investigation of the data breach. The legal track investigation should be separated and be distinct from any other work that the company’s regular network consultant may have previously agreed to conduct by entering a separate “statement of work” (SOW). The SOW should specifically state that the purpose of the investigation is to prepare for and obtain legal advice for anticipated litigation. In addition, the SOW should distinguish the scope of work to be performed to reflect that the legal track investigation is different from the ordinary business investigative work. Further, the consultant’s fees and expenses for the legal track should be designated and characterized as “legal” rather than “business” expenses.

These best practices are made clear by the developed body of case law on the protection of privilege. In In re Experian Data Breach Litig., 2017 U.S. Dist. LEXIS 162891, at *23 (C.D. Cal. May 18, 2017), the court found that an investigative report prepared by Mandiant in response to a data breach was protected work product over plaintiffs’ objection. The court reasoned that Mandiant’s previous work for Experian was separate from the work regarding this particular data breach.

Conversely, in In re Rutter’s Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 136220, at *6-7 (M.D. Pa. July 22, 2021), the court concluded that a consultant’s investigative report was not protected work product. The court reasoned that the SOW provided for ordinary business activities “to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.”

Legal track investigative communications and distribution of materials must be limited appropriately. The fact-based, non-privileged report will be developed alongside and shared with the company’s IT, security and privacy teams, as well as outside regulators, and with your Board of Directors to the extent you are providing it updates regarding business, as opposed to legal, interests in response to the cyber incident. In contrast, the legal track investigative information, report and communications must be limited appropriately. Courts are more likely to uphold work product protections where a company limits access to legal track investigative materials to in-house and outside counsel and others who need to know for purposes of providing legal advice.

For instance, in Experian, 2017 U.S. Dist. LEXIS 162891, at *25, the court upheld work product protections for a report created by an outside consultant where the company limited the number of individuals to whom it provided the report, which was not given to Experian’s Incident Response Team or personnel working on remediation of the systems involved in the attack. In contrast, in Wengui v. Clark Hill, PLC, 338 F.R.D. 7, 12 (D.D.C. 2021), the court distinguished Experian, noting that the consultant shared the investigative report “not just with outside and in-house counsel,” but also with select members of the company’s leadership and IT team, as well as the FBI.

Finally, the need to impose strict limitations is particularly critical in the event that applicable law applies the “control group” test to evaluate claims of attorney-client privilege in subsequent litigation regarding the data breach. In Midwesco-Paschen Joint Venture for the Viking Projects v. Imo Indus., 638 N.E.2d 322, 329 (Ill. Ct. App. 1st Dist. 1994), the court noted that “distribution of otherwise privileged material to individuals outside of the control group destroys the privilege.”

Ensure that non-privileged, fact-based forensic records are maintained. Courts have upheld work product protections when alternative avenues exist to evaluate factual information concerning the data breach, such as from the ordinary business investigative track. For example, in Experian, the court found that the plaintiffs, through discovery, could get the same information contained in the outside consultant’s report through their own expert. 2017 U.S. Dist. LEXIS 162891, at *24-25.


By adhering to these best practices, managed care organizations can maximize the protection of the communications and work product generated by the legal track from disclosure under the attorney-client privilege and/or work product doctrine, particularly in the context of subsequent data breach litigation or governmental actions.
