Preserving the Confidentiality of Cybersecurity Reports

Your company’s computer network has been breached and confidential customer data stolen. Not surprisingly, this results in a lawsuit filed against you by down-the-line victims; read, customers whose personal information found its way into the wrong hands.

In response to the breach, you did all the right things, including hiring experts to investigate and provide a forensic report. But to your dismay, that report—which includes some rather sensitive and potentially damaging information—has become subject of discovery in the litigation. What are you to do?

Forensic Reports Can Be Fair Game

Several cases have been decided that have compelled defendants to hand over forensic reports to plaintiffs.

Most recently, in Guo Wengui v. Clark Hill, PLC, the U.S. District Court for the District of Columbia ordered Clark Hill, PLC, a Detroit-based international law firm, to deliver to the plaintiff a forensic report prepared by a vendor at the direction of legal counsel. In so doing, after viewing the report in camera and learning of its wide distribution both internally and externally, the court determined that the report would likely have been written in response to the data breach at issue, whether or not litigation was filed. Consequently, its findings were not deemed to be confidential or otherwise protected by the work-product doctrine.

The decision in Guo Wengui was consistent with a previous opinion in a 2019 case heard in the U.S. District Court for the Eastern District of Virginia. That matter involved the well-publicized Capital One data breach, in which an unauthorized individual gained access to the personal information of more than 100 million Capital One credit card customers and individuals who had applied for the company’s credit card products.

In Capital One’s case, it was decided that the financial giant failed to distinguish a post-breach forensic report from one that would have been prepared for business purposes, regardless of the multi-district litigation that had been filed. Remarkably, production of the Capital One forensic report was compelled even though the report in question was distributed primarily to legal staff, paid for out of the company’s legal budget, and Capital One’s lawyers signed the engagement letter with the relevant cybersecurity vendor.

Of note, the court in the Capital One case found that circumstances surrounding the creation of the forensic report suggested that it was the byproduct of an operational investigation, as opposed to one prompted by litigation. Likewise, the court seized upon other factors that seemed to run contrary to the application of the attorney-client privilege or work-product doctrine.

Preserving Confidentiality

Given this legal precedent, companies subject to data breach lawsuits must be mindful to do all they can to preserve the confidentiality of forensic reports by way of the attorney-client privilege or the work-product doctrine. But how?

First and foremost, it is critical for organizations to hire lawyers experienced in cybersecurity law. This is true even in the absence of active litigation. Retaining trusted legal counsel, as opposed to a consulting firm, to manage pre-breach assessments, audits and regulatory compliance sets the table for the continued veil of confidentiality. Leaving it to lawyers to handle cyber incidents becomes even more critical when it comes to post-breach investigations, not to mention, of course, regulatory litigation from AGs, the SEC or FTC and third-party lawsuits, including class actions, filed by private individuals.

What is important for stakeholders to understand is that they themselves do not hold the legal privileges, nor do consultants. Likewise, the days of executives keeping in-house counsel in the loop in an effort to preserve confidentiality are long gone. Hence the importance of having outside cybersecurity lawyers in the driver’s seat.

Also, companies might consider creating separate reports for mitigation and litigation. Toward that end, sensitive analysis—legal and otherwise—should be kept out of mitigation reports, which should be limited to facts and technical information only.

Finally, access to all forensic reports should be limited, particularly any privileged legal report—this in order to establish that the latter was created for litigation purposes alone.

This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.