Supreme Court Backs Away from Deciding Scope of Attorney-Client Privilege
The Supreme Court has declined, for now, to decide when attorney-client privilege will apply to communications viewed by courts as made for both legal and other purposes. In October 2022, the Court granted certiorari in In re Grand Jury, No. 21-1397, and heard argument on January 9, 2023. In a surprise decision on January 23, 2023, however, it dismissed the appeal, holding that review of the lower court’s decision was “improvidently granted.”
When clients discuss their business with lawyers, especially their in-house counsel, they may do so for multiple reasons. In addition to seeking legal advice, they might want strategic input, to be apprised of legal or compliance risks, or generally to keep their lawyers looped into the client’s business. In the context of data breaches, an investigation that follows a cyberattack may be concerned as much with remediation efforts in response to the attack as it will be with obtaining advice on the legal implications and potential litigation exposure. That exposure requires victim businesses to act with care to ensure that communications with counsel, and activities conducted at counsel’s direction, are protected by privilege and from subsequent disclosure. Nonetheless, even with substantial planning and careful execution, victims of cyberattacks have had mixed success convincing courts that the forensic work done in response to the incident is protected by either the attorney-client privilege or attorney work-product doctrine.
Whether attorney-client privilege protects these communications and reports from disclosure has proven a thorny issue. The Ninth Circuit has left open whether a communication must have had the “primary purpose” of obtaining or providing legal advice. In contrast, the D.C. Circuit looks only to whether the provision of legal advice is a “significant purpose” of the communication. The grant of certiorari in In re Grand Jury had been intended to resolve this seeming split.
The Supreme Court, by instead dismissing the case, has therefore left open the test for when attorney-client privilege protects communications that courts view as motivated by both legal and non-legal purposes. Lower courts have been reluctant to extend the scope of privilege too far, as when executives discuss business matters but keep their in-house counsel copied on emails. Courts therefore use tests such as the primary-purpose standard to distinguish communications sufficiently concerned with the provision of legal advice from communications that do not warrant privilege. However, such tests are an awkward fit for the cybersecurity context, where there may be few clear lines between investigating the extent of an attack, planning remediation of the attack’s effects, identifying legal obligations and reducing litigation exposure. Accordingly, to maintain their best chances of preserving privilege, businesses have strong reason to ask outside counsel, rather than their in-house lawyers, to conduct the post-breach investigation. A decision that legal advice only needs to be a “significant” purpose of a communication might have made it easier for businesses to assert privilege in the wake of a data breach. Nonetheless, the Court has deferred this clarification to a later day.
In light of the continued uncertainty, best practices in preserving privilege in the wake of a data breach remain critical: hire outside counsel and ensure that counsel engages and directs the activities of forensic firms and other experts whose work is focused on assisting counsel in providing legal advice and formulating litigation strategy; separate, as much as one can, the post-breach remediation efforts from the forensic investigation; and share the final investigatory report only on a “need-to-know” basis.