As corporate cybersecurity incidents become increasingly widespread, many companies find themselves engaging external computer forensics consultants for technical, investigative, and remedial assistance in responding to data breaches. As part of these engagements, cyber consultants sometimes prepare interim and final material detailing their findings, including points of vulnerability and weaknesses that may have contributed to the incident. Disclosure of the sensitive information in these reports can have adverse consequences, especially to the extent that the reports give adversaries a potential roadmap of deficiencies that can be leveraged in support of claims against a company and its officers and directors.
While some courts have protected these reports from third-party disclosure, two recent federal court decisions have ordered disclosure—even when the company engaged the cyber consultants with the express purpose of assisting counsel with providing legal advice to the company. These decisions are thus an important reminder that companies should not assume that either the attorney-work product doctrine or the attorney-client privilege will be held to apply to cyber incident reports.