Over the past few years, I’ve seen more and more references to the idea that if breached entities have their legal counsel arrange for a forensics or breach investigation, the breach investigation would be considered privileged communications or attorney-client work. Needless to say, I am not happy at any end-run around transparency involving breach investigations. While there may well be information in those reports that should be protected lest attackers learn of significant security features or vulnerabilities that could put the entity at future risk, in many cases, companies just want to shield these reports for fear that customers or the public will be appalled at any security lapses or poor practices – or that they will use these reports in litigation against the entity.
Scott Koller of InformationLawGroup addresses the privilege issue and a ruling in U.S. ex rel Barko v Halliburton Co., and then offers some advice for counsel as to how to increase their chances of being able to claim privilege. Read his comments and suggestions on InfoLawGroup.