Privilege Under Fire Protecting Forensic Reports in the Wake of a Data Breach Baker Donelson JDSupra

pppIn the chaos following a cyberattack forensic reports are often pulled together under intense pressure and can assist companies in responding to and remediating the incident However if youre not careful these reports might do more damage in the courtroom than the threat actor did to your network What many organizations dont realize until litigation begins is that these reports can quickly become prime targets for discovery Without careful planning to ensure forensic engagements and resulting reports are properly structured and shielded under the attorneyclient privilege andor work product doctrines they may end up in the hands of opposing counsel in data breach litigationppA recent decision from the Federal Court of Australia in McClure v  Medibank Private Limited 2025 FCA 167 underscores just how easily privilege can be lost While McClure was decided under Australian law the courts reasoning closely aligns with a series of US cases that have steadily narrowed protections for forensic reports in recent years The key takeaway from these decisions is clear privilege doesnt only depend on who commissioned the report it hinges on why it was created how it was used and who saw itppForensic reports often reveal detailed technical findings and expose security vulnerabilities that could significantly influence the outcome of litigation Protecting these reports under the attorneyclient privilege or the work product doctrine isnt just a best practice its a critical step in managing legal risk after a breach Left unprotected a forensic report can serve as a roadmap for plaintiffs outlining the very vulnerabilities and response gaps theyll use to build their claimsppThe case stems from a 2022 data breach that impacted millions of Medibank customers and prompted a class action lawsuit alleging failures in cybersecurity safeguards As part of discovery plaintiffs sought a range of materials prepared in response to the breach including forensic reports from Deloitte and other thirdparty vendors Medibank resisted production claiming that the reports were protected by privilege because they were created to support litigation strategy and enable legal adviceppThe court agreed in part upholding privilege over reports commissioned by counsel for threat actor negotiations and legal strategy However it ordered the production of three Deloitte reports finding that they were created for multiple purposes and that obtaining legal advice was not the dominant oneppThe courts analysis focused on several critical factsppUltimately the court concluded that while legal advice was a purpose of the reports it was not the dominant one required to sustain privilege An appeal of this decision is likelyppThe McClure decision echoes a growing trend in US courts forensic reports are losing privilege protection when their primary legal purpose isnt clearly established and thoroughly documentedppIn the US courts have taken similar approaches in highprofile breach litigationppThese cases all highlight the same cautionary tale when forensic reports serve dual purposes or appear primarily intended to support business operations rather than legal strategy claims of privilege stand on shaky ground Courts are increasingly scrutinizing the true purpose of these reports and superficial involvement of legal counsel is often insufficient Experienced data breach counsel can play a critical role in structuring the investigation from the outset to preserve privilege including by directing the engagement of forensic experts clearly documenting the legal purpose of the work and limiting the distribution of the report to those who need them for legal decisionmaking These steps among others can mean the difference between a report that supports your defense and one that becomes the plaintiffs roadmapppBased on the decisions in McClure Clark Hill Capital One and others here are steps companies can take to better protect forensic reportsppThe McClure decision is the latest reminder that form alone does not preserve privilege courts are looking for substance Even reports routed through legal channels may have to be produced if they are ultimately used for business governance or regulatory purposes Organizations that fail to distinguish between legal and operational workstreams risk having their most sensitive investigative materials used against them in courtppIn todays highstakes and rapidly evolving litigation landscape early and strategic planning isnt optional its essential Engaging experienced outside counsel from the outset can make all the difference in structuring your incident response and vendor relationships to preserve privilege and minimize litigation risk Baker Donelsons Cybersecurity Incident Response Team has guided clients through some of the most complex data breach responses across all industries Let us help you put the right legal protections in place before the subpoenas start flyingppSee more ppDISCLAIMER Because of the generality of this update the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations
Attorney Advertisingpp
Baker Donelson
var today new Date var yyyy todaygetFullYeardocumentwriteyyyy
ppRefine your interests ppBack to TopppExplore 2025 Readers Choice AwardsppCopyright var today new Date var yyyy todaygetFullYeardocumentwriteyyyy JD Supra LLCp