Third Party Cyber Forensics Team and Client Privilege

Most of us love to eat junk food. Whether it be fast food, cookies, cakes, hot dogs, cheese burgers, pizza, what have you, everyone has their vice.  Theses foods are usually inexpensive and convenient.  So why don't we eat the cheap and easy foods every meal?  Why would we ever choose fruits and vegetables over pizza and ice cream?  Because junk food isn't good for us in the long run; if we want to survive, we have to think about our health.  The same concept applies when choosing between hiring a Third Party Cyber Forensics Team when your company has fallen victim to a cyber attack or sticking with your in-house IT department.  But instead of it impacting your health, you need to consider the impact on client privilege.

Petronella Technology group is NOT a law firm, and our goal isn't to bog you down with complicated legalese.  What you should understand is this: 

If you use an in-house IT department as your cyber forensics team?  You are essentially kissing your attorney/client privilege good bye. 

To understand why that is, just think about when an attorney hires a consultant or expert; here in the US, any communication/work-product produced between the legal team and their experts is considered "privileged."  This protection extends to cyber forensics specialists.   As long as the communication or work-product was created for the purpose of legal advice and/or in anticipation of potential litigation, then it is protected.

HOWEVER, if that same communication and/or work-product is deemed to have been generated in the course of "regular business," then it's not protected.

And there's not really anything that screams "regular business" than having your own IT Department conduct an investigation.

Case Studies

Cyber forensics is a relatively new  area in the legal world, but there have been some note-worthy cases, all of which resulted in the same key take-away:

Outside counsel should hire an outside forensic firm to preserve attorney-client privilege.

Genesco, Inc v. Visa USA, Inc

In the Genesco case, attorney–client privilege and work-product doctrine were upheld because the following showed that counsel engaged Stroz Friedberg (Gensco's third-party forensics investigator) for the explicit purpose of receiving legal advice in anticipation of potential litigation: 

  • Retainer agreement
  • An affidavit stating Storz Freidberg was only retained after:
  1. Genesco had identified evidence of an intrusion,
  2. Friedberg had conversations with external counsel regarding the legal ramifications of the intrusion (including the likelihood of
    litigation), 
  3. it was determined that he should conduct an investigation into the incident ‘separate and apart from the investigation
    already being conducted, an
  4.  Counsel identified the need to retain a computer security consultant to assist in the investigation
  • Other corroborating documents

Target Data Security Breach 

In this case, Target used two teams from the same company (Verizon); a "data breach task force" advice team and a Professional Forensics Investigations (PFI) team.

With the two teams clearly defined and delineated, Target only asserted attorney-client privilege over the PFI tea, whose express purpose was provide legal advice and counsel, in anticipation of not only litigation, but "regulatory inquiries," as well.  

The plaintiffs tired to argue that communications and documents from Verizon weren't actually privileged because Target still needed to remediate breach issues, but because there were tow distinct and separate teams, the court ruled in Target's favor.

Experian Data Breach 

In this case, the plaintiffs attempted to strip Experian of attorney-client privilege in regards to a specific report created by the outside cyber forensic company, Mandiant.  Luckily for Experian, their outside counsel very clearly retained the help of Mandiant for the sole purpose of providing legal advice.

Not only was it clearly documented, but the report, which was completed AFTER Experian's public announcement of the breach, and AFTER the first claims were filed against them, but the report was given to Experian not by Mandiant, but by their attorneys, who received it from Mandiant; in other words, Mandiant didn't give the report directly to Experian, which created an even more defined separation of "legal advice" and "normal business."

Premera Blue Cross Data Breach 

Like Experian, Premera sought the outside assistance of Mandiant.  In this case, however, the court ruled against Premera's attorney-client privilege, but that's because Premera didn't actually do enough to separate the eDiscovery team from "normal business" team. 

You see, in this instance, the breach was actually found while the outside cyber security company, Mandiant, was conducting an assessment.  Mandiant was also the company to conduct the cyber forensics investigation, which is perfectly fine, except that there a clear separation of roles/scope was not documented.  So while certain communications and work-product were protected, a lot of it was not.

What Can You Learn From This?

Though it may be tempting to cut costs by using your in-house IT department rather than a Third-Party Cyber Forensics Team after a breach, you will end up losing out in the long run.  Being the victim of a data breach is already bad enough, you don't want to make it worse by losing client privilege.  

If you have a been victimized by a data breach, stop what you are doing and call us now at 919-422-2607, or schedule a free consultation with Craig, online, by clicking here.