This is our Global Data Breach Response Team’s client alert regarding defending the work-product status and attorney-client privilege of forensic reports. For information about how the Global Data Breach Response Team responds to, handles and assists clients in addressing cyber incidents, please visit our website. You can also subscribe to Privacy World, your one-stop shop for fast-breaking news and views on the high-speed developments surrounding data privacy, security and innovation, brought to you by lawyers who practice in this space every day.
The Forensic Report
When a company experiences a cybersecurity incident, standard practice is to hire an independent cybersecurity firm to assist with investigating, and assessing the nature and scope of the cybersecurity incident. A forensic report is typically provided at the conclusion of the cybersecurity firm’s investigation, which records details pertaining to the response efforts and investigation findings, including:
The identity of the (suspected) threat actor group that perpetrated the cyberattack
The attack vector, the initial access point and the vulnerabilities the threat actor exploited to gain access to the target’s IT environment
The date the threat actor gained access to the target’s IT environment (date of intrusion) and the date the threat actor deployed the cyberattack (date of compromise)
The systems that were impacted by the cybersecurity incident and the threat actor’s activities within those systems (i.e., lateral movement, access and exfiltration), and the categories of personal information affected
Legal Counsel and the Forensic Report
As a best practice, key regulators, including the US Federal Trade Commission, recommend first hiring outside legal counsel with privacy and cybersecurity expertise when responding to a cybersecurity incident. Legal counsel with cybersecurity and breach experience can advise businesses on legal obligations necessary for cybersecurity incident response, as well as data breach notification obligations across jurisdictions. Counsel will typically retain a cybersecurity firm to gather information about the incident. The cybersecurity firm will prepare a forensic report that includes a technical assessment of the incident, its likely causes and potential impacts. Counsel will use this information to determine legal obligations across jurisdictions and develop an incident response and legal strategy to mitigate risks associated with the incident. Counsel will also rely on the forensic report to anticipate and defend the business against potential future claims.
Where counsel commissions the forensic report for the express purpose of informing the legal advice they provide to the affected business, forensic reports have historically been treated as attorney work-product, and therefore privileged and not discoverable in litigation. Further, the attorney-client privilege can attach to reports of other third-parties made at the request of the lawyer or the client, where the primary purpose of the report was to put in usable form information obtained from the client.
Protecting the Forensic Report from Litigation Discovery
The discoverability of a forensic report in litigation is a significant issue, as the forensic report generally details the critical vulnerabilities in a company’s information technology environment that enabled the cyberattack. The report often identifies areas in which a company’s IT defense fell short or was noncompliant with best practices and regulatory or industry standards. Accordingly, the forensic report contains information that could be potential evidence of the company’s negligence or recklessness in safeguarding the privacy and security of its consumers’ personal information.
In data breach litigation, plaintiffs will typically plead a variety of statutory and common claims in pursuit of liquidated statutory damages or file class actions and seek to negotiate a settlement relying upon the defendant’s insurance coverage. Plaintiffs typically also seek to discover any forensic reports as evidence to substantiate their claims.
