Some information generated by your company, even the results of comprehensive surveys, may be legally protected from exposure to people outside the company. While this seems like the holy grail for worried executives of nosy media, plaintiffs’ attorneys, or intrusive regulators uncovering the company’s dirty laundry, the protections are limited and can only be applied in specific situations. Recent lawsuits have shown that attempts to apply protections too broadly can lead to disaster.
US law provides privileges to protect work and legal advice. The first of these is the privilege granted to clients when they consult their lawyers. Since Antiquity, a lawyer cannot be forced to reveal to a third party what a client has told him, or the advice he has given him, except in very specific circumstances. Privilege exists where there is an attorney-client relationship for matters where the client seeks legal advice. The lawyer cannot voluntarily provide information about the privileged discussion against the will of the client and neither the client nor the lawyer can be compelled by a court to disclose the content of the discussion.
Of course, attorney-client privilege only applies to confidential discussions, so public statements don’t count. This privilege protects communications made while seeking legal advice; it does not protect the underlying information. An executive who has hacked into the company’s books can’t hide that fact by asking his defense attorney for advice on how to avoid jail time. Although neither the client nor the attorney can be compelled to describe their conversation, the fact of accounting fraud is not otherwise protected and may be investigated.
The limits of this fundamental attorney-client privilege are under attack in recent Justice Department filings against Alphabet, Google’s parent company. According to Ars Technica, the DOJ and fourteen state attorneys general recently asked a federal judge to sanction Google for abusing attorney-client privilege to hide emails from the other party in litigation. The filing alleges that “in a program called ‘Communicating with Care,’ Google trains and instructs employees to add an attorney, privilege tag, and a generic ‘request’ for attorney notice to protect sensitive business communications, whether legal advice is actually needed or sought. Often, knowing the game, the in-house attorney included in these Communicate-with-Care emails does not respond at all.” The filing alleges that these communications “are not genuine requests for legal advice, but rather an effort to hide potential evidence.”
Obscuring basic facts almost never helps an affected company, and a third-party report lends credibility.
The specific actions of Google at issue in the DOJ case involve accusations of anticompetitive activities and exclusionary practices unlawfully maintaining Google’s monopoly for search services and search text advertising. Google’s privileges program includes more than 80,000 documents, including the revenue-sharing agreements the government says are at the heart of its case. The government showed Google training slides that instructed employees to add an attorney to emails, mark the email as “attorney/preferred client,” and “ask the attorney a question” in the email. ‘E-mail. The DOJ claims that this program attempts to manufacture a defense of privilege where none should exist. Google vehemently denies the allegations and is fighting to keep the documents protected by privilege.
Many companies train their employees to bring lawyers into their conversations, asking for legal advice. If the legal claim is legitimate, privilege protection should be granted to these emails. However, if the request is simply a cover for claiming privilege over standard business email, protection is likely to be denied. The privilege only applies when “the primary purpose of a communication is to obtain or provide legal assistance”. The court in the Google case will have to decide not only whether Google employees were actually seeking legal advice with each email copied to the lawyer, but whether Google used a comprehensive program designed to improperly conceal its anticompetitive intentions. A company could lose privilege for otherwise covered documents where it goes too far and tries to apply solicitor-client privilege everywhere.
The other protection rule that is often relevant in technology and data cases is called the work product doctrine. Under federal rules of civil procedure, attorneys may withhold from the opposing party documents prepared in anticipation of litigation. This privilege may apply to specialized agents employed by lawyers to assist in the preparation of the trial. The ability to activate this privilege is why some technical or forensic experts are hired by a company’s board following data exposure issues that could lead to litigation. However, this privilege does not always apply when the company wants it.
For example, a well-known case involving Capital One revealed that its supplier’s forensic investigation was not privileged and should be shared in litigation. The court attempted to determine the driving force behind the preparation of the seller’s report to see if the lien applied. The court asked (1) whether the document in question was created when litigation was a real probability and not when it was only a possibility (it was simply a possibility in this case); and (2) whether the document would have been created in substantially the same form had there been no litigation (the court thought so).
Like the attorney-client consultation privilege, the work product doctrine does not protect the underlying facts, only the work—investigation and reporting—prepared for litigation. Thus, a company cannot successfully cover up a massive data breach by having the incident investigated under the guise of an attorney’s work product. Certain aspects of the investigation and/or final report prepared for counsel may be privileged, but the breach itself likely needs to be investigated so that the company involved can demonstrate what happened. passed to regulators or plaintiffs’ counsel. Privilege may be protective in a limited sense, but will not make the central problem go away.
In fact, decades of scrutiny of this privilege have led me to believe that the primary investigation of a breach should not be conducted under the privilege. Obscuring basic facts almost never helps an affected company, and a third-party report lends credibility. Customers, regulators and interested parties will request the official report, and it is normally in the interest of the company concerned to provide it. However, investigations into a company’s security posture and the next steps needed to better secure corporate data assets should be conducted under privilege.
Opposing parties generally have a right to know what happened at the heart of a security breach, but may not have a right to the company’s own assessments of security breaches. But this investigation must truly be carried out for the preparation of litigation and not for the general knowledge of the management of the company. Every company has a “security queue” – a prioritized list of data security improvements to undertake when financial and human resources become available. The queue never ends. But plaintiff’s attorneys can abuse and misrepresent the meaning of your security queue. “So if you knew this task needed to be undertaken, why didn’t you spend the money to do it? If you had just fixed that one thing, the complainant’s data would have been saved.” There always has a “next thing” to fix.) Analyzing next steps in light of potential litigation can be a good idea. Trying to hide the degree of damage in an incident that has already happened is generally a bad idea , and it comes back to bite you.
Legal privilege can be useful to a business that is the victim of a data breach or ransomware attack, but the two main privileges are limited and must be applied carefully to provide value. And no legal theory can be used to cover the underlying facts. The sooner leaders understand this, the better their responses will be to protect all parties involved.
Copyright © 2022 Womble Bond Dickinson (US) LLP All rights reserved.National Law Review, Volume XII, Number 88