The Perils of Sharing Privileged Communications with Third-Party Vendors
On May 6, 2019, Magistrate Judge Gorenstein issued an order that should be a wake-up call for attorneys contemplating hiring and sharing privileged communications with an outside public relations firm. This decision also has wider implications, especially for companies engaging a forensic consultant to assist in responding to a cyber incident or data breach.
The issue in Universal Standard Inc. v. Target Corp., 331 F.R.D. 80 (S.D.N.Y. 2019), a trademark dispute, was whether sharing attorney-client privileged communications with a public relations firm waived the privilege. At the deposition of Universal Standard’s chief of staff and in-house counsel, counsel for Target began to ask questions about emails that were sent among Universal Standard, its attorneys, and a public relations firm hired by Universal Standard in connection with its lawsuit against Target. Universal Standard claimed the emails were protected by the attorney-client privilege. Target disagreed.
Universal Standard argued that the emails were privileged and communications with the public relations firm did not constitute a waiver because: (1) the public relations firm was necessary to allow attorney-client communication; (2) the public relations firm was the “functional equivalent” of a corporate employee; and (3) the public relations firm was a consultant used by lawyers to assist in certain tasks that “promote broader public interests in the observance of law and the administration of justice.” The court found none of the exceptions applicable and the privilege had been waived.
As relevant here, the first exception applies where the disclosure is made to a third-party whose specialized knowledge and services aid the attorney in providing legal advice. This exception to waiver is narrowly construed. It is worth noting at the outset that Universal Standard engaged the public relations firm, a factor cited by the court in finding waiver. This was a blunder that could have been avoided simply by having outside counsel engage the public relations firm, as we have written in the past. Moreover, this exception did not apply because Universal Standard did not need the public relations firm to communicate with their attorneys and the communications involved public relations not legal strategy.
The second exception did not apply because the public relations consultant was not a de facto corporate employee and lacked the hallmarks of a “functional equivalent.” The functional equivalent exception turns on whether the consultant:
- exercised independent decision-making on the company’s behalf;
- possessed information held by no one else at the company;
- served as a company representative to third parties;
- maintained an office at the company or otherwise spent a substantial amount of time working for it; and
- sought legal advice from corporate counsel to guide his or her work for the company.
The court found no evidence establishing any of those five factors. Moreover, the public relations firm’s decision-making authority was limited to monitoring and responding to relevant public relations and press inquiries, which were unrelated to legal advice.
Last, the court rejected Universal Standard’s argument that the public relations firm was a consultant used by the lawyers to aid in legal strategy. Importantly, Judge Gorenstein again noted that the public relations firm was not hired by outside counsel but rather by Universal Standard and was hired for making a decision about the nature of publicity it sought. As the court observed, In re Grand Jury Subpoenas, 265 F. Supp. 2d 321 (S.D.N.Y. 2003), the case that Universal Standard cited for this exception, only applies where the attorney used the public relations consultant to devise and implement a legal strategy. Moreover, other courts have limited In re Grand Jury Subpoenas to the context of public relations consultants assisting lawyers during a high profile grand jury investigation.
What does any of this have to do with cybersecurity? First, a thoughtful crisis communications strategy is an integral part of any incident response. As we have written about before, and as this case reminds us, engaging a public relations firm to assist counsel to formulate a legal strategy in response to a cyber incident is fraught with peril and requires careful planning and close control over the logistics and handling of communications to preserve the privilege. Second, the issues raised here apply to the engagement of a forensic firm to assist counsel in formulating legal guidance in connection with a cyber incident, data breach, day-to-day compliance issues, and testing of a firm’s cybersecurity policies and systems. For example, it’s not hard to imagine plaintiff’s counsel or a regulator waging a similar fight over waiver of the attorney-client privilege regarding communications between the client, counsel, and a third-party forensic consultant engaged to assist in the response to a data breach or to conduct penetration and security testing.
In fact, the plaintiffs in In re Target Corporation Customer Data Security Breach Litigation (“In re Target”) did exactly that by moving to compel Target to produce certain documents that were prepared by Verizon, the forensic consultant hired to investigate the data breach of Target. No. 14-2522 (PAM/JJK), 2015 U.S. Dist. LEXIS 151974 (D. Minn. Oct. 23, 2015). Ultimately, Target convinced the court that the documents it sought to withhold were privileged because they related to “informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.” Id. at *11 (citing Rabushka v. Crane Co., 122 F.3d 559, 565 (8th Cir. 1997)).
At first blush, a party claiming the attorney-client privilege over confidential communications involving a forensic consultant is better positioned to defend the privilege than the plaintiff in Universal Standard. The forensic consultant has specialized skill necessary to assist counsel in understanding computer technology and is akin to an accountant hired to clarify complex financial issues directly related to providing legal advice. See United States v. Kovel, 296 F.2d 918, 922 (2d Cir. 1961) (extending the attorney-client privilege to cover communications made to agents of an attorney and explaining “what is vital to the privilege is that the communication be made in confidence for the purpose of obtaining legal advice from the lawyer”). But it is critical that the forensic consultant is used to assist counsel in formulating and implementing legal advice and facilitating communications between counsel and client on highly complex and technical subject matter. Cohen v. Cohen, 2015 U.S. Dist. LEXIS 21319, at *6 (S.D.N.Y. Jan. 29, 2015) (observing the attorney-client privilege also extends to “essential third parties, such as foreign language interpreters or accountants who can clarify complex financial issues directly related to the provision of legal advice”). Moreover, application of the privilege to confidential communications with a forensic consultant is not a foregone conclusion and there are no guarantees that a court will uphold the privilege. To help preserve the privilege and fend off such a claim, the guidance we previously provided with regard to public relations firms applies here:
1. The forensic firm should be engaged directly by outside counsel, not the client.
2. The engagement letter should be carefully written by outside counsel to make clear that:
a. the forensic firm is working under the direction of outside counsel and reporting directly to the law firm;
b. all communications between the forensic firm and outside counsel and/or the client’s representatives shall be confidential and made solely for the purpose of assisting counsel in rendering legal services to the client;
c. all documents and work product prepared by the forensic firm are confidential and should be treated as such; and
d. the forensic firm has an obligation to protect the confidentiality of the information exchanged with counsel and all documents it prepares.
3. To the extent practicable, communications between the client and the forensic firm should be through outside counsel or in the presence of outside counsel.
4. Forensic firms should label documents (including email traffic) as “Attorney-Client Privilege/Work Product Communications.”
5. Because it is essential that the services provided by the forensic firm facilitate legal advice and services, great caution should be taken to define what services the forensic firm is being asked to perform.
6. Careful consideration should be given to the nature of each service the forensic firm is undertaking when contemplating a disclosure to it. If, in connection with a particular assignment, the forensic firm is not engaged in helping outside counsel formulate legal strategy, sharing privileged information should be avoided.
7. The forensic firm should invoice the law firm for its services whenever possible.
We will continue to provide in-depth coverage of developments in the area of engaging third-party vendors to assist in responding to a data breach.