Court Decision Provides Guidance on Preserving Privilege in Cyber Incident Response

The U.S. Court of Appeals for the Sixth Circuit’s (Sixth Circuit) decision in In re FirstEnergy Corporation provides important guidance on how companies can preserve attorney–client privilege and the attorney work product doctrine during internal investigations – guidance that translates directly to cybersecurity incident response investigations.  The Sixth Circuit confirmed that internal investigations led by outside counsel, where legal advice is rendered and such investigation is undertaken because of real or reasonably anticipated legal exposure, remain protected under attorney-client privilege and attorney work product doctrine, as applicable, even when the findings later inform business or operational decisions.

For companies facing increasingly frequent and complex cyber incidents with subsequent class action lawsuits, the Sixth Circuit decision offers a clear message: engage outside counsel early, ensure such counsel leads any cybersecurity investigation in partnership with forensic and technical experts, and carefully manage information sharing in consultation with outside counsel.  Companies that plan for these issues before an incident occurs are better positioned to respond to class action lawsuits stemming from a cybersecurity incident – both technically and legally.

FirstEnergy Investigation and Resulting Litigation

In July 2020, the U.S. Department of Justice (DOJ) filed a criminal complaint against Larry Householder, then Speaker of the Ohio House of Representatives, alleging a bribery scheme involving FirstEnergy Corp. (“FirstEnergy”), a U.S. electric utility, to secure favorable legislation.  DOJ subpoenas followed, the complaint became public, and FirstEnergy’s stock price declined sharply.  Anticipating substantial legal exposure from the alleged bribery scheme, FirstEnergy enlisted outside counsel for its board and the company itself to conduct an independent investigation, respond to subpoenas, and advise on potential legal liability.

The DOJ investigation then triggered shareholder securities litigation against FirstEnergy.  In one such case, plaintiffs sought production of documents related to the internal investigations by outside counsel.  A special master and the district court ordered production, concluding that the internal investigations were not privileged or protected work product because they allegedly served business purposes, and their findings were shared in part with third parties.  FirstEnergy sought and was granted mandamus relief of the district court’s decision by the Sixth Circuit.

Sixth Circuit’s Decision

The Sixth Circuit held that FirstEnergy’s internal investigation materials were protected by both the attorney–client privilege and the attorney work product doctrine.  The court reaffirmed that the communications during the investigations, including outside counsels’ analyses about what acts occurred, whether those acts were illegal, and what criminal and civil consequences might ensue, all pertained to legal advice and are thus clearly attorney-client communications.  The Sixth Circuit determined that the relevant inquiry is why the investigation was undertaken – namely, to assess legal exposure and obtain legal advice – not whether the resulting advice later informed business decisions.  The court emphasized that companies routinely seek legal advice precisely so they can decide how to act as a business, and that dual use does not destroy attorney-client privilege.

Additionally, the court held that the materials created via the investigation were protected attorney work product because they were created as a result of actual or reasonably anticipated litigation and/or regulatory action.  The court added that even where documents serve both legal and business purposes, they qualify under the attorney work product doctrine if the prospect of litigation or regulatory action is a driving force behind their creation.

The Sixth Circuit determined that FirstEnergy’s limited disclosures to third parties, such as auditors, did not waive the attorney-client privilege or attorney work product doctrine.  The majority of the information disclosed in the case was non-privileged information, which never waives the privilege.  As to the privileged information disclosed, such information was more about the conclusions of the investigation rather than the substance of the attorney’s advice, and thus the privilege was not waived according to the Sixth Circuit.  As to the attorney work product protection, such protection is waived only by disclosure to an adversary of the company or someone likely to become one.  In this case, the court noted that the auditor was forbidden by its ethical rules from disclosing any confidential client information without specific consent of the client and thus could never be an adversary of FirstEnergy.

Key Lessons for Cybersecurity Incident Response Investigations

The FirstEnergy decision reinforces several critical best practices for engaging with outside counsel during cybersecurity incident investigations.

Engage Outside Counsel Immediately – and Ideally Before an Incident Occurs

The timing of outside counsel’s engagement was central to the Sixth Circuit’s analysis.  FirstEnergy retained outside counsel as soon as the DOJ complaint was unsealed and subpoenas were issued, signaling that the company viewed the matter as a legal event requiring legal expertise.  Serious cybersecurity incidents often present comparable legal exposure from the outset, particularly where customer data, network integrity, or critical services are affected.  Companies should engage outside counsel immediately upon identifying a significant cyber event – and, ideally, establish those relationships well in advance.  Early engagement helps ensure that investigative materials and cybersecurity related reports procured prior to the incident (e.g., vulnerability assessments, penetration tests, tabletop exercises, etc.) are created in a legally protected framework and are defensible if disclosure is later sought during litigation.

Counsel Must Meaningfully Direct the Investigation

The FirstEnergy decision makes clear that attorney-client privilege is not preserved by nominal or passive legal involvement.  Outside counsel in that case did not simply receive reports; they defined the investigative scope, examined records, met regularly with leadership, assessed potential liability, and provided legal advice based on investigative findings.  In the cybersecurity context, this means outside counsel should engage outside forensic and technical advisors and work in partnership with them to direct a cybersecurity incident investigation.  Outside counsel should help define investigative questions, oversee the forensic firm’s work, review reports and underlying data, and translate technical findings into legal analysis regarding notification obligations, regulatory exposure, contractual risk, and litigation strategy.

If the incident investigation is run independently by IT or security teams and/or external experts and, for example, outside counsel is brought in only to review a completed forensic report, a court may conclude the investigation was business-led rather than legally driven—significantly weakening the validity of attorney-client privilege and attorney work product doctrine claims.

Be Cautious When Sharing Information with Third Parties Who May Later Become Adversaries

The Sixth Circuit’s treatment of disclosures to auditors is particularly instructive for cybersecurity incidents, which often involve communications with insurers, vendors, customers, partners, and regulators.

FirstEnergy confirms that sharing factual summaries or high-level conclusions with third parties does not automatically waive attorney-client privilege or attorney work product protection.  However, the risk calculus changes when information is shared with parties who could later become adverse.  Customers, vendors, insurers, or commercial partners may ultimately assert claims against the company arising from the same incident.  Companies should therefore be deliberate in what they share, focusing on factual descriptions rather than counsel’s legal analysis or strategic assessments.  In any event, outside counsel should play a critical role in determining what can be disclosed, to whom, and in what form, to preserve attorney-client privilege and the attorney work product doctrine to the greatest extent possible.

Womble Bond Dickinson’s Communications, Technology, and Media team helps companies comply with regulatory obligations and decrease their cybersecurity risks while preserving attorney-client privilege and the attorney work product protection.  If you have any questions regarding these privileges and protections or otherwise seek cybersecurity guidance, please contact one of the authors.