Privilege in Breach Response: Protecting the Investigation
Why attorney-client privilege and work-product protection so often fail over breach-investigation forensics, the traps that catch in-house counsel, and how a neutral reads the record when the dispute arrives.
The privilege question is settled long before the dispute begins
When a breach surfaces, a well-advised organization moves fast: retain counsel, engage a forensic firm, contain the intrusion, and gather the facts. What few teams register in those first hours is that the early choices—who hires the forensic firm, what the engagement letter says, where the report is circulated—will largely decide whether the resulting investigation can later be withheld from an adversary. Privilege is not a stamp applied after the fact. It is a posture set at the outset and held throughout.
By the time a regulator, a class plaintiff, or a counterparty demands the forensic report, the record is already fixed. A neutral asked to weigh a privilege objection over breach forensics is not divining what the parties meant in the abstract. The neutral reads the contemporaneous artifacts—the statement of work, the distribution lists, the invoices—and asks whether they reflect a confidential communication, among privileged persons, made to obtain legal advice or in anticipation of litigation. Where those markers are missing, no later characterization will conjure them.
The stakes are tangible. A forensic report ordinarily catalogs what the attacker reached, how long the intruder lingered, which controls failed, and what the organization knew and when. Few documents serve an opposing party better. The fight over that single report is frequently the most consequential discovery dispute in the entire matter.
Whether your breach investigation stays confidential is mostly decided in the first days, not by stamping documents privileged afterward.
Two protections, two different tests
Breach investigations implicate two distinct doctrines, and treating them as one is a frequent and costly error. Attorney-client privilege shields confidential communications between lawyer and client made to give or get legal advice. The work-product doctrine shields materials prepared in anticipation of litigation. A forensic report may qualify for one, both, or neither, and the inquiry differs for each.
Privilege turns on purpose: a communication is protected only when made in furtherance of legal services. When in-house counsel wears two hats at once, legal advisor and business operator, a court must sort out which role produced the document, and the courts have not converged on how. Several circuits ask whether the primary purpose of the communication was legal advice; the D.C. Circuit, in In re Kellogg Brown & Root, framed the question as whether obtaining legal advice was one significant purpose, a test that is easier for dual-purpose communications to meet. The Supreme Court granted review of that divide in In re Grand Jury and then dismissed the case as improvidently granted in January 2023, so the split, and the uncertainty for in-house counsel, persists.
Work product is often analyzed under the because-of formulation first articulated in United States v. Adlman and applied in United States v. ChevronTexaco: protection attaches when, on the totality of the circumstances, the document was created because of anticipated litigation and would not have been created in substantially similar form but for that prospect. Most forensic-report claims rise or fall here, and the load-bearing phrase is substantially similar form. If the organization would have run essentially the same investigation for ordinary security and remediation, the report looks like a routine business record wearing litigation dress. Note that the test does not ask whether litigation was anticipated; after a breach it almost always is. It asks whether that anticipation changed what was produced.
Privilege asks whether something was legal advice. Work product asks whether you would have created it anyway, even with no lawsuit looming. Forensic reports usually turn on the second question.
Why forensic reports lose protection
The recurring failure follows a pattern. Breach response serves two ends at once, the organization needs the forensic facts to repair its network and to defend itself, and the paperwork never separates them. Courts have grown wary of structures that funnel a routine security function through a law firm to manufacture cover. Where the same vendor performed similar work before the incident, where the report goes to IT and management rather than to counsel, where remediation teams act on it operationally, and where the engagement reads like an ordinary security contract, the but-for-litigation story falls apart. The reported breach decisions bear this out: in the Capital One consumer data breach litigation the court ordered the forensic firm's report produced where the firm had a standing pre-incident engagement with the company and the report was circulated to regulators, an outside accountant, and dozens of employees; in Wengui v. Clark Hill the court reached the same result where the report commissioned through outside counsel was the only investigation of the incident and was put to operational use.
A lesson from the antitrust setting carries over. In the government's case against Google, the court examined a communicate-with-care practice of copying in-house lawyers and marking messages privileged to keep them from discovery, and cautioned that documents labeled privileged must be substantively privileged. The breach analog is the forensic report headed Privileged and Confidential and addressed to the general counsel while the substance and the real workflow describe routine remediation. A label cannot turn a business record into legal advice, and reflexive over-labeling erodes the credibility of every legitimate claim the organization makes later.
Then there is the in-house who-is-the-client problem. The corporation is the client; no individual employee is. Under the subject-matter approach associated with Upjohn Co. v. United States, the privilege can reach employees communicating within the scope of their duties so the company can secure legal advice—provided those employees understand that is what is occurring. Under the narrower control-group approach reflected in Consolidation Coal Co. v. Bucyrus-Erie Co., it reaches only senior decision-makers. In a breach, the people holding the facts are usually line engineers and security analysts—precisely the group a control-group jurisdiction may exclude. Counsel who has not set expectations with that group has not built a privileged record.
If your forensic report would have been written the same way for ordinary cleanup, and it was handed to IT to act on, calling it legal work product likely will not hold.
Waiver: the quiet way protection evaporates
Even a properly privileged investigation can be given away. Confidentiality is an element of the protection, not an afterthought, and conduct inconsistent with confidentiality forfeits it. Breach response is unusually exposed because so many parties have a real need to know—regulators, insurers, board committees, business partners, and at times customers.
Sharing forensic findings with a regulator in the spirit of cooperation, or summarizing the report for a cyber insurer to support a claim, can waive the protection, and not always narrowly. Some courts treat disclosure of a protected document as waiving the entire subject matter, pulling in related communications the organization never meant to surrender. In federal proceedings, Federal Rule of Evidence 502(a) confines subject-matter waiver from an intentional disclosure to cases where fairness requires that the disclosed and undisclosed material be considered together, but that limit does not govern every state court, and most courts reject the idea of a selective waiver that shares a report with the government while withholding it from private litigants. Work product is somewhat more forgiving, since its waiver generally requires disclosure to an adversary or disclosure that substantially increases an adversary's chance of obtaining the material, but a regulator investigating the same incident can be exactly such an adversary. Distributing draft reports across a wide internal list, forwarding findings to vendors outside any common-interest arrangement, or restating conclusions in board minutes that are themselves discoverable can each puncture the protection. An organization that guarded a report for months can lose it in one well-meaning email.
These are the questions where disputes turn ugly, because they spawn collateral fights over what else was disclosed and which subjects were thereby opened. A neutral evaluating the objection looks for discipline: a defined distribution list, a clear common-interest framework with the insurer, and a documented rationale for each external disclosure. Discipline is provable. Good intentions are not.
You can hold a report privileged and still lose it by sharing it too widely, and a single disclosure can drag in everything related to the same subject.
Building a record that survives scrutiny
The protections are real, and they are available to organizations that earn them. The throughline is intentionality, set early and documented as it happens. Counsel, not IT, should retain the forensic firm, and the engagement letter should state that the work is performed at counsel's direction to enable legal advice and in anticipation of litigation. The letter recites a purpose; the court then checks whether the work matched it. Counsel should therefore define the scope, receive the deliverable, and be the party the forensic firm actually reports to, not a name on a cover page. Where practical, retain a forensic firm separate from the one that handles routine, ongoing security, so the litigation purpose is not blurred by a standing business relationship; if the incumbent vendor must be used, document a distinct scope under a new statement of work rather than extending the existing one.
Separate the two workstreams. The organization needs operational remediation regardless of any lawsuit; let that run on its own track. Keep the legal-analysis workstream—the report prepared to advise counsel on exposure—distinct in authorship, distribution, and purpose. When legal and business content must share one document, mark the legal analysis expressly and wall it off from the operational findings. Control distribution tightly, teach employees that copying a lawyer confers nothing, and reserve privilege headers for documents that genuinely warrant them.
Above all, set expectations with the witnesses who hold the facts. Tell employees plainly that counsel represents the company and not them individually, that their account is being collected so the company can obtain legal advice, and that the conversation is confidential. That single instruction anchors an Upjohn claim more securely than any stamp. The discipline is modest; the difference when the dispute arrives is decisive.
Have the lawyers hire the forensic firm, keep the legal report separate from the cleanup work, share it narrowly, and tell employees up front that counsel works for the company.
The neutral's vantage point
When a privilege fight over breach forensics reaches a mediator or a court-appointed special master, the case for resolving it through a neutral process becomes plain. Privilege disputes are expensive, slow, and corrosive to the trust between parties, and they spawn satellite litigation that can dwarf the underlying merits. A neutral fluent in both the legal framework and the technical record—able to read an engagement letter, a forensic methodology, and a distribution log—can cut through the posturing and reach a defensible line far faster than full motion practice.
That role is not advocacy. The neutral does not strain to save a report the record will not bear, nor to pierce a protection that was properly kept. The task is to apply the test honestly to the facts as the parties created them, which is the strongest reason to get the underlying record right the first time. An organization that builds its investigation with privilege in mind hands a neutral something principled to protect. One that improvises hands the neutral, and its adversary, a record that speaks for itself.
A neutral with legal and technical fluency can resolve a privilege fight over a forensic report faster than litigation, but the parties' own early record decides which way it goes.
Frequently asked
- Is a forensic breach report protected by attorney-client privilege?
- Not automatically. A forensic report can qualify for attorney-client privilege, work-product protection, both, or neither. Protection generally depends on whether counsel directed the engagement to obtain legal advice and whether the report was prepared because of anticipated litigation, rather than as a routine security or remediation document the organization would have created in any event.
- What is the difference between privilege and work-product protection in a data breach?
- Attorney-client privilege protects confidential communications made to give or get legal advice, so the test focuses on purpose. Work product protects materials prepared in anticipation of litigation, often under a because-of standard that asks whether the document would have been created in substantially similar form but for the prospect of litigation. Forensic reports most often turn on the work-product analysis.
- How can disclosing a breach report to a regulator or insurer waive privilege?
- Confidentiality is an element of the protection, so sharing the report outside the privileged circle can waive it. Disclosure to a regulator in cooperation, or to a cyber insurer to support a claim, may waive protection, and some courts treat that as a subject-matter waiver reaching related communications. A documented common-interest framework and a tightly controlled distribution list reduce the risk.
- What should in-house counsel do to protect a breach investigation from discovery?
- Have counsel, not IT, engage the forensic firm under a letter stating the work is for legal advice and in anticipation of litigation; keep operational remediation on a track separate from the legal-analysis report; control distribution; reserve privilege headers for documents that warrant them; and instruct employee witnesses that counsel represents the company and that interviews are confidential and conducted to obtain legal advice.
Adapted and reframed from Daniel B. Garrie, "Challenges for Asserting Attorney-Client Privilege for In-House Counsel and Best Practices." This commentary is informational only and not legal advice.