Cybersecurity: Protecting Privilege in Incident Response Investigations

This Debevoise blog discusses some of the challenges associated with protecting privilege for communications with incident response (IR) vendors in the course of cyber incident response investigations.  The blog says that there’s relatively little case law in this area, although there are some opinions supporting the application of the attorney-client and work product privileges.  However, as this excerpt explains, the ability to protect communications with IR vendors depends on the facts and circumstances:

The law in this area as it applies to IR vendors remains very much in flux, as there is a relative dearth of case law on this topic.  The case law that does exist is only at the district court level, without any circuit court squarely addressing this issue.  No cases to date have fundamentally disagreed with the application of these protections to IR work.

Because of their technical nature and because cybersecurity is a part of core business operations, records generated by an IR vendor under privilege or work-product protection may seem like ordinary business documents to an outsider without further context.  In determining whether a given IR document merits protections, courts investigate the document’s purpose, namely whether the IR vendor generated it while facilitating the provision of legal advice or helping prepare for the possibility of litigation.  This requires looking into whether and how counsel directed the IR vendor’s work, which in practice can become a multifactorial inquiry that probes all aspects of the relationships between the IR vendor, the company, and counsel.

The remainder of the blog drills down into some of the specific issues courts consider when evaluating privilege claims in this context and offers guidance on the questions companies should ask in considering the likelihood of success of efforts to protect communications with IR vendors during an incident response investigation.