Certain information generated by your company, even the results of entire investigations, may be legally protected from exposure to people outside the company. While this seems like the holy grail to executives worried about nosey media, plaintiffs’ counsel or intrusive regulators finding the company’s dirty laundry, the protections are limited and can only be applied in particular situations. Recent lawsuits have shown that attempts to apply the protections too broadly may lead to disaster.
U.S. law provides privileges to protect legal work and advice. The first of these is the privilege accorded to clients when consulting with their lawyers. Since ancient times, an attorney cannot be forced to reveal to any third party what a client told that attorney, or the advice returned, except in very specific circumstances. The privilege exists where there is an attorney-client relationship for matters where the client is seeking legal advice. The attorney may not volunteer information about the privileged discussion against the client’s wishes and neither the client nor the attorney may be compelled by a court to divulge the contents of the discussion.
Of course, the attorney-client privilege only applies to discussions made in confidence, so public utterances don’t count. This privilege protects communications made when seeking legal advice; it does not protect the underlying information. An executive who cooked the company’s books cannot hide this fact by asking his criminal defense attorney for advice about how to avoid jail time. While neither client nor lawyer can be compelled to describe their conversation, the fact of the accounting fraud is not protected in any other way, and can be investigated.
The boundaries of this core attorney-client privilege are under attack in recent Department of Justice filings against Alphabet, the parent company of Google. According to Ars Technica, the DOJ and fourteen state attorneys general recently asked a federal judge to sanction Google for abusing the attorney-client privilege to hide emails from the other side in litigation. The filing alleges, "In a program called 'Communicate with Care,' Google trains and directs employees to add an attorney, a privilege label, and a generic 'request' for counsel's advice to shield sensitive business communications, regardless of whether any legal advice is actually needed or sought. Often, knowing the game, the in-house counsel included in these Communicate-with-Care emails does not respond at all." The filing alleges that these communications “are not genuine requests for legal advice but rather an effort to hide potential evidence.”
Obscuring the basic facts almost never helps an affected company, and a third-party’s report provides credibility.
The specific Google actions at issue in the DOJ case involve accusations of anticompetitive activity and exclusionary practices illegally maintaining Google’s monopoly for search services and search text advertising. The Google privilege program includes over 80,000 documents including the revenue-share agreements that the government claims are at the heart of its case. The government showed Google training slides that instructed employees to add a lawyer to emails, mark the email as “attorney/client privileged and to “ask the lawyer a question” in the email. The DOJ claims that this program is attempting to manufacture a privilege defense where one should not exist. Google vehemently denies the allegations and is fighting for the documents to remain protected under privilege.
Many companies train employees to bring lawyers into their conversations, asking for legal advice. If the legal request is legitimate, then privilege protection should be afforded to those emails. However, if the request is simply a cover to seek privilege on a standard business email, the protection is likely to be denied. Privilege only attaches where a “communication’s primary purpose is to gain or provide legal assistance.” The court in the Google case will need to decide not only if Google employees were truly seeking legal advice with each email copied to counsel, but whether Google employed an entire program designed to improperly hide its anticompetitive intentions. A company could lose privilege for otherwise covered documents where it overreaches and tries to apply attorney-client privilege everywhere.
The other protective rule that is often relevant in tech and data cases is called the work product doctrine. According to the Federal Rules of Civil Procedure, attorneys may withhold from the opposing party documents prepared in anticipation of litigation. This privilege can apply to specialist agents employed by counsel to assist in trial preparation. The possibility of activating this privilege is why certain technical or forensics experts are hired by a company’s counsel following data exposure issues likely to lead to litigation. However, this privilege doesn’t always attach when the company would like it to.
For example, a well-known case involving Capital One found that its vendor’s forensic investigation was not privileged and had to be shared in litigation. The court tried to determine the driving force behind the vendor’s report preparation to see if the privilege applied. The court asked (1) whether the document at issue was created when the litigation was a real likelihood and not when it was merely a possibility (it was merely a possibility in this case); and (2) whether the document would have been created in essentially the same form in the absence of litigation (the court thought so).
Like the attorney-client consulting privilege, the work product doctrine does not protect underlying facts, just the work – investigation and reports – prepared for litigation. So a company cannot successfully hide a huge data breach by having that incident investigated under the cover of attorney work product. Certain aspects of the investigation and/or final report prepared for counsel may be privileged, but the breach itself likely must be investigated so that the affected company can demonstrate what happened to regulators or plaintiffs’ counsel. The privilege can be protective in a limited sense, but will not make the core problem go away.
In fact, decades of addressing this privilege have led me to believe that the primary investigation of a breach should not be conducted under privilege. Obscuring the basic facts almost never helps an affected company, and a third-party’s report provides credibility. Customers, regulators and interested parties will ask for the formal report, and it is normally in the affected company’s best interests to provide it. However, investigations into the security posture of a business and the next steps needed to better secure the business data assets should be conducted under privilege.
Opposing litigants generally have a right to know about what happened at the heart of a security breach, but may not have the right to the company’s own evaluations of security shortcomings. But this investigation must be truly undertaken for litigation preparation and not for the general knowledge of company management. Every company has a “security queue” – a prioritized list of data security improvements to be undertaken when the money and people-power resources are available. The queue never ends. But plaintiff’s lawyers can misuse and warp the meaning of your security queue. (“So if you knew this task needed to be undertaken, why didn’t you spend the money to do it? If you had just fixed this one thing then the plaintiff’s data would have been saved.” There is always a “next thing” to fix.) Analyzing the next steps in light of potential litigation can be a good idea. Trying to hide the degree of damage in an incident that already happened is usually a bad idea, and it comes back to bite you.
Legal privilege can be helpful to a company that suffers a data hack or ransomware attack, but the two primary privileges are limited and must be applied carefully to provide value. And no legal theory can be used to cover the underlying facts. The sooner that executives understand this, the better their responses will be at protecting all affected parties.