What does the recent Eastern District of Virginia decision mean for your company when you need incident response services?
What would have been a fairly straightforward question changed on May 26, 2020, with a court order issued in the Eastern District of Virginia?
The Interpretation of Attorney-Client Privilege in Cybersecurity Is Changing
In response to a March 2019 data breach, the breached company, which had an existing IR retainer with an incident response firm, decided to hire outside counsel. Outside counsel then executed a contract with the same IR vendor to conduct incident response services.
This had been standard practice for years. Until this ruling, in working with outside counsel, the report and all other work product would have been protected by the attorney-client privilege. However, the court ruled that the report must be disclosed. Prior to this decision, this was unheard of.
IR Reports Must Be Prepared in Response to Litigation for Privilege to Apply
From the ruling, the deciding issue was “whether the [IR company’s] report would have been prepared in substantially similar form but for the prospect of that litigation.” The court clarified its reasoning, stating that in order to receive protection under the work product doctrine, “the material must be prepared because of the prospect of litigation.”
While this was clearly the case, the court took the unusual position that this particular work would have been done in the ordinary course of business regardless of the prospect of litigation and was therefore not covered.
Existing Incident Response Engagements May Prohibit Attorney-Client Privilege
The published opinion indicates that the court weighed a number of factors in making that determination. Chief among these was an existing Master Service Agreement (MSA) the company had with the same IR vendor. The existing MSA dated back to 2015 and was supplemented with ongoing statements of work for similar services performed.
Pending appeal of this decision, this leaves companies who need incident response services in an awkward position.
Many Companies Have Long-Standing Incident Response Contracts
Companies that use incident response services often develop long-standing relationships with one or more IR firms. In some cases, cyber breach insurance companies demand it.
There is also an economic incentive for this kind of relationship as the IR firm learns the details of the company and can provide better service since it is familiar with the company’s environment. This decision, if upheld, would stand those established relationships on end.
It would also create a perverse incentive for the company to hire a separate IR firm through outside counsel to react to the most critical breaches where time is of the essence.
How Should You Adapt Your Incident Response Strategy?
So what can you do to limit the impact of the decision until the appeal is resolved? Below are some key items to ensure you work into your strategy.
Engage Outside Firms
In the event of a cyberattack or data breach, engage with outside counsel or forensic investigators, even when there is an existing relationship between your company and the forensics firm(s).
Clearly Delineate Separate IR Engagements
Make it clear internally that outside counsel is directing the incident response engagement and that such investigations are being conducted separately from any pre-existing cyber consulting activities with the forensic firm(s).
Ensure that it is clear in the Statement of Work for the specific engagement that the report is being prepared with the prospect of litigation in mind.
Employ the Principle of Least Privilege
The more widely the forensic report is distributed, the more likely it becomes that the court will not provide attorney work-product protection. The principle of least privilege (PoLP) can help safeguard against this.
The forensic firm should only share the report with those for whom access is necessary. In most cases, this means outside counsel. Outside counsel can then share the report with your company at their discretion.
Review the Contracts of Any Existing Relationships
If there is one overarching MSA, consider rewriting the MSA into separate agreements for consulting services and incident response services.
Ensure agreements covering the provision of such services make explicit that incident response services will be covered by an independent, unrelated agreement.
As part of this, ensure that the billing for the work is expressly billed as a legal expense.
Rely on Facts, Not Opinions
Ensure that the forensic firm writes a fact-based – not opinion-based – report for distribution from counsel to the company.
While it may well be necessary for the forensics firm to provide opinions, speculation, background, and technical explanation to provide the best advice to the company, those opinions should not be in the final report.
Create an attorney report separate from the client report to make clear that this work was done with the intent to prepare for litigation.