Preserving Privilege in the Wake of a Cyberattack: A Litigation Risk Law Firms Can’t Ignore

Preserving Privilege in the Wake of a Cyberattack: A Litigation Risk Law Firms Can’t Ignore

According to an article by the Baker Donelson firm, companies often scramble in the aftermath of a cyberattack to assess the damage, identify vulnerabilities, and begin remediation, frequently relying on forensic investigations to guide these efforts. However, these same forensic reports can become liabilities if not properly structured for preserving privilege.

A failure to clearly establish and maintain attorney-client privilege or work product protection from the outset may result in sensitive findings being disclosed during litigation. The article highlights a recent Australian decision, McClure v. Medibank Private Limited, which provides a cautionary example with global implications, echoing a growing trend in US courts to pierce privilege claims when reports serve operational or regulatory, not legal, purposes.

In McClure, the court ordered the production of several forensic reports prepared by Deloitte, finding that although legal advice was among the purposes, it was not the dominant one. Public statements, board-level reporting, and communications with regulators indicated that the reports were also created for governance and customer reassurance, undermining Medibank’s privilege claims. 

US courts in cases like Guo Wengui v. Clark Hill and In re Capital One have applied similar reasoning, emphasizing that who commissions a report is less important than why it was created, how it was used, and who received it.

The article suggests forensic vendors should be retained and directed by legal counsel, with scope and access carefully managed to reflect a legal, not operational, purpose. This includes documentation, billing structures, and communications with stakeholders.

The implications are clear for law firm leaders who guide clients through breach response or face cyber risks themselves. Preserving privilege cannot be retroactively applied. It must be strategically built from day one.