Protecting Privilege in Cyberspace: The Age of COVID-19 and Beyond
The COVID-19 pandemic has accelerated companies’ reliance on outside consultants to secure their virtual workspaces and has ushered in a new reliance on a different set of consultants to secure their physical workspaces from the virus and other threats. Unfortunately, even the most diligent organizations may still encounter a breach of those defenses, and litigation will surely follow. Counsel for plaintiffs in those lawsuits will almost certainly seek discovery of any analysis or reports performed by outside counsel in advance of, or following, such incidents. When that litigation reaches the discovery phase, a critical question will arise – are the reports prepared by those outside consultants, either before or after the precipitating event, discoverable? Or, are they instead protected by attorney-client privilege or the work-product doctrine? This article seeks to answer that question through an examination of relevant case law and a discussion of recommended best practices for the engagement of outside technical consultants in both the cyber and health spheres.
It is often said that it is not a question of if, but rather a question of when, an individual or entity will be the victim of a cyber-intrusion, and unfortunately, that same maxim may hold true when it comes to populations that remain unvaccinated against COVID-19. As to their electronic systems, organizations should conduct routine pre-breach assessments of their hardware and software systems, organizational systems, policies and governance in order to maintain resilience and minimize the risk or severity of cyberattacks (while maximizing the speed and extent of post-incident recovery). These investigations produce documents and communications containing valuable information regarding a company’s cybersecurity posture. Likewise, with respect to physical spaces, outside consultants are guiding organizations on how to reshape their environments and processes so as to limit the spread of not only COVID-19 but other contagions as well. These pre-incident recommendations take written form, as will post-incident analyses developed following an outbreak, cyber-incident or other type of adverse event.
Unfortunately, these proactive analyses can be a double-edged sword. On the one hand, companies that fail to conduct pre-breach assessments can be accused of failing to engage in a bare minimum of cybersecurity vigilance. On the other hand, companies that routinely conduct pre-breach assessments run the risk of having their assessments exposed in court if litigation following a breach ensues. While there is no bright-line nationally accepted rule on whether privileges may attach to these reports, case law does provide insight as to how companies can maximize the chances that their assessments will remain shielded by the work-product doctrine and/or the attorney-client privilege (sometimes referred to by technology professionals as “legal shield”). These principles are applicable in the physical realm as well, such as when companies engage health care or environmental experts to advise how to protect workers and others returning to physical spaces.
Relevant Case Law and Key Takeaways
The Development of Work-Product Doctrine and Attorney-Client Privilege Principles
Courts confronting work-product doctrine questions often begin their analysis with United States v. Adlman. There, the Internal Revenue Service sought production of a document that had been ordered by Adlman, Sequa Corporation’s attorney and vice president of taxes. Specifically, Adlman had directed an outside accountant and lawyer to evaluate the tax implications and potential for litigation concerning a possible restructuring. The documents in question analyzed legal challenges the IRS would likely bring against the reorganization and resulting tax refund claim. In considering the protection afforded to dual-purpose documents, meaning those serving both business and litigation purposes, the Second Circuit held that a document created because of anticipated litigation that revealed information regarding the potential litigation would not lose work-product protection simply because it was intended to assist business decision-making which depended upon the likely outcome of anticipated litigation. Importantly, the Second Circuit held that application of a “because of” test is the appropriate standard for determining whether a document should be shielded from production. Specifically, “[w]here a document was created because of anticipated litigation, and would not have been prepared in substantially similar form but for the prospect of that litigation, it falls within Rule 26(b)(3)” meaning it is protected by the work-product doctrine. On the other hand, documents prepared in the ordinary course of business, or those that would have been prepared in a substantially similar form, regardless of the potential for litigation, are not protected by the work-product doctrine.
In addition to work product, reports by retained consultants or experts may also be entitled to protection as an attorney-client communication. In the seminal case on attorney-client privilege, Upjohn Co. v. United States, the Supreme Court held that the privilege applies to communications between counsel and retained experts assisting counsel in providing legal advice to their clients. The Court noted that “the privilege exists to protect not only the giving of professional advice to those who can act on it but also the giving of information to the lawyer to enable him to give sound and informed advice.” Upjohn built upon the ruling of an earlier case, United States v. Kovel. In Kovel, the Second Circuit held that the privilege could be extended to an accountant hired by an attorney to assist the attorney in understanding their client’s complex tax story; the attorney subsequently relied upon the accountant when providing legal advice to the client. The Second Circuit concluded that “the presence of the accountant is necessary, or at least highly useful, for the effective consultation between the client and the lawyer which the privilege was designed to permit.” Therefore, the attorney-client privilege is not waived by disclosure to a third party – if transmission to the third party facilitates an attorney’s ability to provide legal advice to his or her client.
These principles were seen again in United States v. Schwimmer and In re Grand Jury Subpoenas. In Schwimmer, the Second Circuit noted that the attorney-client privilege may cover “communications made to certain agents of an attorney . . . hired to assist in the rendition of legal services,” such as the communications at issue between a client and an accountant retained by counsel to assist in rendering legal services to a pair of co-defendants. In In re Grand Jury Subpoenas, the defendant’s counsel hired a public relations firm to garner favorable publicity for the client in the hopes of prosecutorial leniency. The court determined that retaining the firm was necessary for lawyers “to perform some of their most fundamental client functions,” notably seeking to narrow charges brought against their client. Ultimately, the court held that communications between the lawyer and the retained consultants were protected by the attorney-client privilege because the public relations role was necessary to achieve a legitimate litigation goal and the attorneys’ ability to advocate for their client would have been undermined if the attorneys could not engage in candid conversations with their consultant-agents. Thus, in order for the consultant’s and lawyer’s communications to be privileged, the consultant’s role must be to assist the lawyer in providing informed client advice or achieving a litigation goal.
Work-Product Doctrine and the Attorney-Client Privilege in the Context of Cybersecurity
In the cybersecurity context, while there is not as yet a bright-line rule on when the work of retained technical consultants is protected from disclosure in litigation, a recent string of cases has provided guidance. First, in In re Premera Blue Cross Customer Data Sec. Litigation, the court considered whether a document prepared by Premera’s retained consultant, Mandiant, would have been created in substantially similar form “but for” the prospect of litigation. Mandiant had already been working for Premera when it discovered malware in Premera’s system. Premera subsequently hired outside counsel, which entered into a new agreement under which Mandiant’s work would be supervised by that outside counsel. The court applied the “because of” test and held that the documents were discoverable because the amended statement of work did not otherwise change the scope of Mandiant’s work from what was described in the original pre-malware discovery services agreement between Mandiant and Premera. As in non-cybersecurity cases, courts will assess the totality of circumstances to decide whether the document in question was prepared because of the anticipated litigation and would not have been created in a substantially similar form but for the prospect of litigation.
Mandiant’s pre-breach activities and services were also at issue in In re Dominion Dental Servs. USA, Inc. Data Breach Litigation. There, Dominion Dental had retained Mandiant before a cyber-incident which led to litigation. Following discovery of the intrusion, outside counsel entered into a new statement of work with Mandiant, which included essentially the same deliverables and duties as the pre-breach statement of work. The court held that the defendants failed to demonstrate that the Mandiant report would not have been produced in substantially the same form but for the prospect of the present litigation. The key factor in this outcome was that the new, post-breach statement of work was nearly identical to the original, pre-incident statement of work.
As in Premera, the third-party expert’s analyses were not protected from discovery because of the lack of distinction between the consultant’s pre- and post-incident work. This distinction between pre- and post-incident work is critical and was further highlighted by Genesco, Inc. v. Visa U.S.A., Inc., where the defendants prevailed in keeping documents created by a consultant following an incident protected from discovery. The court denied Visa’s discovery requests for the analyses, reports and communications between Genesco and the cybersecurity firms it retained following a data breach. There, Genesco’s outside counsel retained a forensic firm to assist with an investigation into how a cyber attack occurred. The court held that the report in question was protected as work-product because it was prepared by the outside consultant at the direction of the breached company’s outside counsel and also constituted attorney-client communications because it was prepared to assist the company’s counsel in providing legal advice – comparable to the protections afforded to communications with accounting consultants helping attorneys translate complex topics for their clients and enabling them to provide their clients with informed advice. As a result, the communications and documents served a primarily legal purpose.
Similarly, in In re Experian Data Breach Litigation, documents created by a consultant following a breach were protected from disclosure. As in other cases, the court began its analysis with the “because of” test, paying particular attention to “factors such as the timing of the retention of the non-testifying expert in relation to the litigation at issue and the existence of evidence including . . . engagement letters.” While the consultant, Mandiant, had been retained prior to the breach, the court noted that the consultant’s pre-breach work for the defendant was distinct from the post-breach work it was performing for Experian’s outside counsel following the breach. Furthermore, the retention of outside counsel immediately followed discovery of the breach, further supporting a determination that this retention was in anticipation of post-breach litigation. Importantly, the consultant’s report was used by the party’s in-house and outside counsel to develop its litigation strategy. This highlights the value in drawing a distinction between the use of a consultant’s reports for legal, as opposed to routine, business purposes.
A widely reported and different outcome was seen recently in In re Capital One Consumer Data Security Breach Litigation. In July 2019, Capital One learned that a hacker stole sensitive information from its cloud platform, impacting about 100 million customers. Following the incident, Capital One hired outside counsel to help prepare for an expected onslaught of litigation. As part of its litigation plan, Capital One’s outside counsel hired Mandiant, a firm the reader will now be familiar with. However, Capital One (like Premera and Dominion Dental before it) had already retained Mandiant, in the normal course of its business, prior to the breach. Following the breach, outside counsel and Mandiant entered into a new services agreement, whereby Mandiant would investigate the breach and issue a report detailing the specifics of the breach. Mandiant conducted its investigation and sent a report to outside counsel, which then sent the report to Capital One’s legal team and its Board of Directors.
During discovery, the plaintiffs moved to compel production of the Mandiant report, arguing that Mandiant had been retained for business purposes and, therefore, the report was not shielded from production. The district court judge affirmed the magistrate judge’s ruling that the report must be disclosed to the plaintiffs. The district court judge emphasized that the post-breach engagement letter between Capital One’s outside counsel and Mandiant did not require Mandiant to perform work that was substantially different from the work it had already undertaken as part of its ongoing business relationship with Capital One, which dated back to 2015. The court noted that Capital One would likely have asked for such a report to be prepared, even if it was not anticipating litigation, thus failing the “because of” test. Additionally, the retention of outside counsel was not, by itself, enough to turn a document into work product. In addition, the plaintiffs were also seeking a root cause analysis (RCA) conducted by PwC following the breach. Capital One argued that this RCA was protected as work product, because it was prepared to assist Capital One in responding to the onslaught of litigation stemming from the breach. Capital One also argued that plaintiffs did not demonstrate a “substantial need” for the RCA, especially considering the voluminous productions already made by Capital One – which included their own internal RCAs. Ultimately, the court denied the plaintiffs’ request for the RCA, finding that the primary purpose of commissioning the RCA was to provide legal advice to Capital One’s executives in the context of litigation. Other courts have since taken consistent positions. In Wengui v. Clark Hill, PLC, currently pending before Judge Boasberg in the District of Columbia, the plaintiff is suing his former law firm for failing to take sufficient precautions to protect his data. The plaintiff moved to compel production of “‘all reports of its forensic investigation into the cyberattack’ that led to the public dissemination of Mr. Guo’s confidential information.” Judge Boasberg determined that the defendant law firm had failed to meet its “burden to demonstrate that a substantially similar document [to the report at issue] would not have been produced in the absence of litigation” and thus denied work-product protection for the document sought by the plaintiff. Relatedly, the court determined that because the defendant’s goal in having the report produced was gleaning the technical consultant’s “expertise in cybersecurity” as opposed to legal advice from its lawyers, it was also not entitled to protection by the attorney-client privilege.
Implications Beyond the Cybersecurity Context
While some may view the Capital One decision concerning Mandiant as a watershed moment and inconsistent with prior decisions regarding post-breach analysis, further review demonstrates consistency with prior decisions such as the line of cases discussed above. The decisive factor in Capital One was the “because of” test, as the court concluded that the Mandiant report would have been generated even in the absence of litigation, which can be reconciled with the court’s later decision to not allow access to the RCA prepared by PwC. This highlights the need for organizations to consciously and explicitly segregate their ongoing cyber vigilance (and COVID-19 vigilance) from their post-incident response. That segregation between pre- and post-incident work may include, if necessary, retention of different consultants for each task even though one of the benefits of utilizing an existing consultant is their built-in familiarity with the company’s systems and processes. Thus, for organizations that are large enough, they might consider having two sets of consultants – one for ongoing work and one on standby for post-incident response (but which has already familiarized itself with the organization ahead of time so as to be able to “hit the ground running” once the alarm is sounded). If that is not possible, at minimum, outside counsel should retain its usual consultant under a new statement of work in which the consultant’s duties are clearly and substantially distinct from the consultant’s pre-incident services for the company, although, as the cases make clear, simply having the attorney serve as a conduit for retention does not suffice to invoke the work-product or attorney-client protections.
As discussed, the foregoing considerations are not necessarily limited to cyberspace, as the COVID-19 pandemic has highlighted another important role for outside consultants advising on the mitigation of virus spread in the physical realm. While the litigation trajectory for COVID-19-related claims is in its infancy, it is not premature to begin to consider potential discovery issues by examining analogous cases. For example, the pandemic has already given rise to workplace safety litigation, with allegations of employers failing to adequately protect their employees from on-the-job coronavirus transmission. Large employers such as Walmart and Trader Joe’s have already experienced outbreaks of COVID-19 among their employees. There are also pending putative class actions in which plaintiffs seek injunctions requiring employers to adopt and enforce specific safety protocols before expecting employees to return to work, and the advice provided to companies by outside consultants regarding these issues can certainly impact the outcome of those litigations.
Recommendations and Conclusion
In sum, practitioners should give careful consideration to the discoverability of reports and analyses created by their clients’ outside consultants, both before and after an incident has occurred. While such consultants can play vital roles, such as in dealing with the cybersecurity and health issues discussed herein, their work can become critical evidence against the very organization they were intended to help, should litigation arise following a negative incident. Despite some “conventional wisdom” to the contrary, simply copying counsel on correspondence is far from sufficient to ensure availability of some type of privilege or “legal shield.” At minimum, regardless of whether the work is proactive or reactive, consultants should be retained through outside counsel (not just in-house counsel) and their work parameters should be clearly defined. Where possible, the proactive work should be part of counsel’s effort to provide the organization with legal advice on compliance with legal obligations (such as regulations or contractual covenants). Should a negative incident (such as a cyber intrusion or a COVID-19 outbreak) occur, and reactive work becomes necessary, a new and distinct engagement agreement should be created if the incident may give rise to litigation. Most important, the services under the engagement should be as closely geared toward the anticipated litigation as possible, and not simply be an analysis that the organization would have undertaken if it did not contemplate litigation.
Melanie L. Cyganowski is the chair of the bankruptcy department of Otterbourg P.C. and is the former chief U.S. bankruptcy judge for the Eastern District of New York. Erik B. Weinick is a co-founder of the privacy and cybersecurity practice at Otterbourg P.C., where he is also a member of the bankruptcy and litigation practices. Aisha Khan served as a summer associate at Otterbourg P.C. in 2019 and 2020 and will join the firm following her anticipated graduation from the JD/MPH dual-degree program at Northeastern University School of Law and Tufts University School of Medicine in February 2021.
 As part of economic stimulus legislation, Congress was considering so-called COVID liability shields for businesses, but the provision for such protections was excluded from the measures passed at the end of 2020.
 For purposes of this article, a cyber-intrusion or cyber-incident shall be considered any unauthorized access to an organization’s electronic systems or information.
 Gurpreet Dhillon, What To Do Before and After a Cybersecurity Breach?, American University (2015), https://www.american. edu/kogod/research/cybergov/upload/what-to-do.pdf.
 Commentary on Application of Attorney-Client Privilege and Work-Product Protection to Documents and Communications Generated in the Cybersecurity Context, 21 Sedona Conf. J. 1 (forthcoming 2020).
 United States v. Adlman, 134 F.3d 1194 (2d Cir. 1998).
 Id. at 1195.
 Id. at 1202.
 Id. at 1195.
 Id. at 1202.
 Upjohn Co. v. United States, 449 U.S. 383 (1981).
 Id. at 390.
 United States v. Kovel, 296 F.2d 918 (2d Cir. 1961).
 Id. at 922.
 United States v. Schwimmer, 892 F.2d 237, 243 (2d Cir. 1989).
 In re Grand Jury Subpoenas Dated Mar. 24, 2003, 265 F. Supp. 2d 321 (S.D.N.Y. 2003).
 Id. at 330.
 In re Premera Blue Cross Customer Data Sec. Litig., 296 F. Supp. 3d 1230 (D. Or. 2017).
 Id. at 1245.
 Id. at 1246.
 In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190 (E.D. Va. 2019).
 Id. at 191.
 Id. at 192; Courts Caution That Not All Data Breach Investigation Reports Are Privileged, Bass, Berry & Sims (July 6, 2020), https://www.bassberry.com/news/not-all-data-breach-investigation-reports-are-privileged.
 Genesco, Inc. v. Visa U.S.A., Inc., 302 F.R.D. 168 (M.D. Tenn. 2015).
 Id. at 190.
 In re Experian Data Breach Litig., 2017 WL 4325583, at *2 (C.D. Cal. May 18, 2017).
 In re Capital One Consumer Data Sec. Breach Litig., No. 1:19MD2915 (AJT/JFA), 2020 WL 2731238, at *1 (E.D. Va. May 26, 2020), aff’d, No. 1:19MD2915 (AJT/JFA), 2020 WL 3470261 (E.D. Va. June 25, 2020).
 Id. at 2.
 In re Capital One Consumer Data Sec. Breach Litig., No. 1:19MD2915 (AJT/JFA), 2020 WL 3470261 (E.D. Va. June 25, 2020).
 2020 WL 3470261 at *6.
 2020 WL 2731238, at *5.
 Ben Kochman, Capital One says PwC Data Breach Report Should Stay Private, Law360, August 17, 2020, https://www.law360.com/articles/1301846/capital-one-says-pwc-data-breach-report-should-stay-private.
 Khorri Atkinson, Capital One Need Not Turn Over PwC Data Breach Report, Law360, August 21, 2020, https://www.law360.com/banking/articles/1303479/capital-one-need-not-turn-over-pwc-data-breach-report.
 Wengui v. Clark Hill, PLC, No. 19-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021).
 Id. at 1.
 Id. at 10.
 Id. at 11.
 Jeffrey Horton Thomas, Trends in COVID-Related Employment Actions, JD Supra (July 10, 2020), https://www.jdsupra.com/ legalnews/trends-in-covid-related-employment-39948.
 Shawn Goggins, Coronavirus Outbreak at Wenatchee Walmart Forces Shutdown of Store until Saturday (July 23, 2020), http://www.ifiberone.com/columbia_basin/ coronavirus-outbreak-at-wenatchee-walmart-forces- shutdown-of-store-until-saturday/article_ebe2b2e2-cd2d- 11ea-b814-5fa828514646.html; Fiona Kelliher, San Jose Trader Joe’s Coronavirus Outbreak Grows to Eight Cases (July 23, 2020), https://www.mercurynews.com/2020/07/23/san-jose-trader-joes-coronavirus-outbreak-grows-to-8-cases.