Alerts
Responding to a Data Breach: How to Preserve the Attorney-Client Privilege
Apr 22 2026
Contributors
This client alert is based on a longer article Patrick Emerson McCormick wrote for the Conference on Consumer Finance Law Quarterly Report. Click here to read the full article (subscription required).
A data breach raises a multitude of issues in an instant, many of them with substantial legal implications. When a compromised company turns to its lawyers for guidance, it hopes to keep those communications confidential. Significant data breaches have increased in recent years, leading to more class actions and investigations and, with them, discovery fights. This surge has been accompanied by more aggressive efforts from plaintiffs and regulators to obtain incident response materials—e.g., forensic reports and legal communications—resulting in courts scrutinizing privilege claims closely in light of how reports are commissioned, used, and shared.
The Foundation for Privilege
Attorney-client privilege protects confidential communications made for the purpose of seeking or providing legal advice. The Supreme Court rejected a rigid control-group test and held that employee questionnaires and interview notes directed by corporate counsel were privileged—though the privilege protects communications, not underlying facts. The privilege may extend to third-party agents whose participation is necessary to enable counsel to render legal advice. Privilege attaches only to communications seeking or providing legal advice; business, technical, or operational advice does not qualify, even when attorneys are involved.
Attorney work product is a related but distinct protection for documents prepared in anticipation of litigation. One critical distinction: privilege can be waived by disclosure to any third party, while work product is typically waived only by disclosure to adverse parties.
Application in Data Breaches
In the event of a data breach, a company typically requires the legal advice of counsel to navigate its obligations and potential liabilities. This frequently requires the assistance of a digital forensic investigator or other technical consultant. Whether the resulting work product and communications are protected from production is a fact-specific inquiry.
Synthesizing recent case law, courts regularly consider seven factors: (1) when the client hired outside counsel; (2) whether the client or counsel hired the consultant; (3) whether there was a pre-existing relationship with the consultant; (4) the content of the work product; (5) whether there was a parallel, non-privileged investigation; (6) to whom the work product was distributed; and (7) how the client utilized the work product. Each factor warrants careful attention.
Factor 1: Timing of outside counsel retention. Courts weigh heavily whether outside counsel was promptly retained to advise on legal exposure; retention before or immediately after discovery of the breach supports a finding that subsequent work was litigation-driven. Courts do not treat the mere retention of counsel as dispositive, however. Rather, they tend to protect litigation-focused objectives and outputs while compelling production of routine incident response, even when given the veneer of legal supervision.
Factor 2: Who hired the consultant. Whether the consultant was hired by the client or by outside counsel is probative but not outcome-determinative. Courts scrutinize the substance of the engagement to distinguish litigation support from ordinary business investigation. Engagements initiated by counsel under a separate statement of work for the express purpose of supporting legal advice are more likely to be protected.
Factor 3: Pre-existing consultant relationship. A pre-existing, operational relationship with a consultant—such as a standing MSA or SOW that contemplates incident response in the ordinary course—is a strong indicator of a business purpose and weighs against protection. Where an incident response vendor was already retained for business-critical services, a later pivot to counsel supervision does not convert the engagement into litigation work product absent concrete changes in scope, deliverables, or audience.
Factor 4: Content of the work product. Courts differentiate between factual incident analyses and materials reflecting attorneys’ mental impressions or legal strategy. Technical root-cause analyses and forensic timelines frequently must be produced, while documents containing counsel’s case assessments, litigation strategies, or legal conclusions receive stronger protection.
Factor 5: Parallel investigations. A well-documented “two-track” model strongly supports protection of the legal-centric track: one ordinary-course, business-oriented investigation whose products are disclosed; and a separate counsel-directed track reserved for litigation. Companies that maintain a single investigation with blended purposes face a heightened risk that the entire file will be deemed discoverable.
Factor 6: Distribution of work product. Broad dissemination to business personnel, boards, auditors, and regulators is probative of non-litigation purposes and may result in loss of work-product and privilege protections. Limiting access to those with a need to know—and documenting that limitation—supports an assertion that the material was created for litigation.
Factor 7: Use of the work product. How the client ultimately uses the work product matters. If a forensic report is shared with regulators to satisfy compliance obligations, used in public filings, or relied upon for business remediation decisions, courts are more likely to conclude it was created for business rather than litigation purposes—even if counsel commissioned it.
Recent Decisions Shaping the Landscape
The Sixth Circuit’s decision in In re FirstEnergy Corp. offers a forceful reaffirmation of Upjohn’s corporate privilege framework.
After a DOJ criminal complaint implicated FirstEnergy, the company faced civil suits and regulatory actions. The board retained separate counsel to investigate and advise. The Sixth Circuit held that both privilege and work product “plainly” applied. On privilege, the court emphasized that what matters is whether the company sought legal advice in the first place, not “what it later does with that advice.” On work product, the court applied the “because of” test and concluded that the timeline of legal threats left “no question as to ‘the driving force behind’ the investigations.”
The court also rejected broad waiver theories, finding no subject-matter waiver from disclosures in a deferred-prosecution agreement and noting that work product is not “automatically waived by the disclosure to a third party,” but turns on disclosure to an adversary.
Other recent federal court decisions spotlight the overuse of privilege labels to shield business deliberations and compliance planning, a recurring pattern that courts are policing. Similarly, federal courts recently have reinforced that over-designation and concealment invite discovery sanctions and erode credibility.
Practical Guidance
Despite the varied and evolving landscape, companies responding to a data breach can take steps that significantly increase the likelihood that their communications and counsel’s work product remain protected.
Maintain separate tracks. Maintain separate counsel and consultants for the legal response and business response to a data breach. Courts favor parallel tracks and segregation of counsel and consultants providing legal advice from the business considerations.
Have outside counsel hire the technical consultants. That consultant is there strictly to assist the attorney in the attorney’s work; having counsel hire the consultant keeps that distinction clear.
Restrict access to work product. Limit access to only those who need to see it. The broader the dissemination, the more likely a court will determine either (a) the privilege has been waived; or (b) the work product and communications were for business purposes, not legal. Restricting access also reduces the likelihood that the work product will be used for business purposes outside of legal advice.
Maintain a defensible communications policy. Labeling every communication as attorney-client privileged or cc’ing counsel in an attempt to preserve privilege will not only fail to create privilege but could result in a waiver of privileged records or even sanctions.
If you have any questions about the issues raised in this alert, please contact Patrick Emerson McCormick or the Womble Bond Dickinson attorney with whom you normally work.
