The Supreme Court’s surprise decision to drop a case on the contours of attorney-client privilege has left cybersecurity attorneys unsure about what communications about a cyber breach can be shielded.
The high court dismissed In re Grand Jury on Jan. 23 as “improvidently granted,” a designation the court uses when it wants to reverse its decision to hear a case. At issue was the legal test for determining when attorney-client privilege protects communications and materials with both legal and non-legal components from disclosure.
Such dual-purpose work can include material shared between lawyers and clients not solely related to legal advice—such as communications and reports following a cybersecurity incident. Circuit courts have outlined different standards for the legal test to apply when federal government officials or other actors seek the information, several attorneys who advise clients on cybersecurity matters said.
The justices didn’t say why they backed away, but several of them suggested during a Jan. 9 oral argument that they didn’t see enough ambiguity to weigh in. Still, cybersecurity attorneys say a handful of federal decisions haven’t resolved the issue, leaving them unsure how much of their work related to federal litigation or internal investigations can be kept under wraps.
“Regrettably, the important question of whether and when the attorney-client privilege applies to internal and external cyber intrusion response investigations, reports, and communications remains unsettled,” said Bradford Newman, a litigation partner at Baker & McKenzie LLP.
Several court decisions in recent years have rejected the argument that incident response reports and other cyberattack-related communications are privileged, but earlier cases indicated that they were. That’s why the criteria used to determine the question matter, attorneys said.
Even if the Supreme Court appears to believe a straightforward approach is already used for applying privilege, cybersecurity attorneys need clearer guidance, Newman said.
“As things currently stand, which test will be used, what the actual legal requirements are for each one, and how the facts can change the analysis, create a fog for companies and cyber practitioners,” he said.
The two arguments at issue in In re Grand Jury were the use of a “primary purpose” test versus a “significant purpose” test when determining whether a dual-purpose communication or document is protected by the privilege.
While the case considered by the high court pertained to a subpoena over international tax issues, the fundamental privilege question is also important in cybersecurity law, attorneys said.
Because the outcome of litigation over a cyberattack can hinge on how a company investigated and communicated about a breach, the test used to determine whether privilege applies carries high stakes.
Plaintiffs engaged in litigation following a cyberattack increasingly seek out internal communications and forensic incident report documents because they may support allegations that a company’s security procedures were insufficient to prevent a breach, said Reena Bajowala, a data security partner at Ice Miller LLP.
“From the body of case law, there’s a level of uncertainty with the circuit split,” Bajowala said.
Courts using the primary purpose test—most recently cited in a Ninth Circuit case that then went before the Supreme Court—seek to determine whether communications between a client and their lawyers were mainly for business or legal purposes.
The significant purpose test, derived from a decision by the D.C. Circuit, is a more “privilege-friendly approach” because courts often grant disclosure protections if providing legal advice was at least one significant driver of the communication, said Travis Brennan, chair of the privacy and data security practice at Stradling Yocca Carlson & Rauth.
Then-D.C. Circuit Judge Brett Kavanaugh wrote the panel opinion favoring the significant-purpose approach, in which materials are privilege-protected if legal matters are a significant part of them.
Because of that distinction, which test a jurisdiction uses to decide whether privilege applies to communications about a company cyber incident, such as internal emails or a forensic incident report, is important, Brennan said.
Talking About Labels
The justices appeared less convinced there was a difference between employing the primary or significant purpose test.
“I think we’re talking about labels rather than analysis,” Chief Justice John Roberts said during the oral argument.
Kristin Bryan, a privacy partner at Squire Patton Boggs LLP, also isn’t sure there is a difference between the two legal tests. Bryan said the high court’s dismissal didn’t dramatically alter the legal landscape for dual-purpose communications.
“The tea leaves were evident at oral arguments where the issue of internal investigations came up front and center two weeks ago before the Supreme Court,” Bryan said.
Justices were skeptical that the purported circuit split “was really an existent or meaningful split as a matter of practice,” Bryan said.
As a result, attorneys wrangling over the disclosure of information about cyber incident response will likely cherry-pick aspects of the Ninth and D.C. Circuit decisions, she said.
Disagreement over whether a circuit split even exists is the crux of the issue and makes it unclear where the significant purpose test ends and the primary purpose test begins, Newman said.
The justices’ decision to drop the case “leaves the status quo intact, which means there continues to be a fair amount of uncertainty as to whether and when materials relating to the investigation of cybersecurity incident are privileged,” Brennan said.
The US government was the only party to argue in favor of the more restrictive primary test. All other amicus briefs—including one by the American Bar Association and another jointly filed by the Association of Corporate Counsel and the US Chamber of Commerce—opposed the Ninth Circuit’s ruling.
The “legal landscape for dual purpose communications remains murky” after the high court’s move, the ACC said in a statement.
“Because the circuit courts are split over which test should be used to determine privilege in these situations, in-house counsel are left wondering what test will apply when so many transactions are across state borders and many companies have operations in multiple states,” Susanna McDonald, the group’s chief legal officer, said.
Attorneys say companies should follow several practices in responding to and communicating about a cyber incident that best bolster the argument that information is privileged.
The first thing companies responding to a cyberattack should do is hire outside counsel, who can contract a cybersecurity forensics firm to investigate the attack, Brennan said.
That would bolster an argument later that communications were performed mainly for a legal purpose, such as anticipation of litigation, he said.
The contracted forensic investigator should also be separate from the company’s other cyber providers to drive home the argument that whatever material is produced should be privileged, Bajowala of Ice Miller said.
C-suite executives and other employees should avoid responding directly to any messages sent by a threat actor because communications during a negotiation can later become discoverable, Newman said.
Other internal communications immediately after a breach can often be panicked and question how an attack happened or who’s at fault, Newman said. Companies should keep in mind that those may also eventually become discoverable and temper their initial reactions to a breach, he said.