The surprise decision, in effect, determined that [the bank] would need to provide the forensic details…about the hack to attorneys representing a group of customers suing the bank. It’s the kind of report that, if made public, could highlight technical and procedural failures that made it possible for a single suspect to allegedly collect gigabytes of data about 100 million people from a bank with $28 billion in revenue.

Typically, hacked organizations are able to keep incident response reports private and avoid costly suits by shielding the details under attorney-client privilege. Not under this decision.

• The Court found the determinative issue was “whether the [incident response firm’s] report would have been prepared in substantially similar form but for the prospect of that litigation.” (Order at 7.) “[T]he fact that the investigation was done at the direction of outside counsel and the results were initially provided to outside counsel,” did not satisfy the “but for” formulation. (Order at 7.)


• The bank failed to present “sufficient evidence to show that the incident response services would not have been done in substantially similar form even if there was no prospect of litigation.” (Order at 7.)


• The bank had a long-standing relationship with the incident response firm and had a pre-existing SOW with the firm to perform essentially the same services that were performed in preparing the subject report - “incident responses services in the event such services were necessary.” (Order at 2.)


• The retainer paid to the incident response firm was considered a “business-critical expense” and not a legal expense at the time it was paid. (Order at 8.)


• While the fact that the incident response report was provided to four different regulators and to the bank’s accountant may not necessarily constitute a waiver, it does show that the results of an independent investigation into the cause and the extent of the data breach was significant for regulatory and business reasons.


• The only significant evidence the bank presented was that the work was performed “at the direction of outside counsel and that the final report was initially delivered to outside counsel.” (Order at 8.)


• The Court noted significant differences between the facts in this case and the 2017 Experian case, in which the incident response report was afforded the work product privilege.
  
  
  • In Experian, the full report was not given to the incident response team; however, the bank provided its report to several members of its business and used it for various business and regulatory purposes.
  
  
  • In Experian, the incident response firm was hired by outside counsel, whereas the bank effectively transferred an existing SOW and MSA to outside counsel.

1. Past work for a company that experiences a cybersecurity incident, including prior work relationships and contracts, should be reviewed carefully to make sure the post-incident engagement is substantially distinct from prior engagements and that the forensic report would not be prepared “but for the prospect of that litigation.”


2. It may be advisable for a company to hire two firms with distinct functions – one for business purposes (e.g., work necessary for containment, mitigation, and recovery) and one for legal purposes (e.g., forensics to determine potential legal obligations arising from the incident).


3. The affected company needs to carefully consider who will see the forensic report and the purpose(s) for which it is used. Disclosure should be limited to those on a “need to know” basis whose input will be necessary to the delivery of legal advice or who will be advised by outside counsel based on the report.


4. Companies should consult counsel immediately when a suspected incident occurs. Counsel should provide guidance on preservation requirements, how to maximize application of the attorney-client privilege and work-product doctrine (where appropriate), notification obligations that arise from the incident, and preserve rights via demand letters on third parties.