Managing internal investigations can be complex for legal counsel, especially when they involve technical areas such as cybersecurity and digital forensics. Given the specialized nature of these topics, experts are often called upon to support outside counsel and to provide reports of findings and opinions to assist in developing appropriate legal advice. When an expert is engaged to investigate the factual aspects of a technical event or to render an expert opinion on a technical question, disclosure issues frequently arise.  Legal practitioners should be certain to structure their engagement appropriately to account for the consulting or testifying role of experts. 

Expert reports can arguably be protected from disclosure by either the attorney-client privilege or under the attorney work product doctrine, depending on the context in which they are provided. Professionals who are involved in investigative work should carefully craft engagement letters to ensure notes and findings are properly protected using one of these privileged protection mechanisms.

Case law [1] defines the attorney-client privilege as a communication which is:

  1. made in confidence;
  2. to an attorney;
  3. by a person who is or is about to be a client;
  4. for the purpose of obtaining legal advice from that attorney; making it
  5. privileged from disclosure at the insistence of the client;
  6. unless waived.

Related to attorney-client privileged communications is the attorney work product doctrine. This doctrine is a qualified privilege codified in Rule 26(b)(3) of the Federal Rules of Civil Procedure. The doctrine strikes a balance between the “right to know” and the lawyer's ability to prepare his case and zealously represent his or her client. Further, ample case law [2] cites this doctrine as a tenet of legal rules, including the notable quote in the In re Asia Global Crossing, Ltd. case:

“Inherent in recognition of a privilege for attorney work product is a judgment that society's interest in ferreting out the truth through litigation will not best be served by exposing a party's case to impeachment by documents reflecting the opinions or preliminary evaluations of its counsel, even if the party's position in court is inconsistent with counsel's private thoughts.”

In short, the attorney-client privilege protects information disclosed in confidence related to obtaining legal advice, whereas the work product doctrine protects a lawyer’s thoughts, impressions, notes, and strategies related to rendering legal advice in the face of actual litigation.

The question becomes then, what limitations are there on the applicability of the attorney-client communication privilege and attorney work product doctrines? What about those who assist attorneys in developing communications, briefs, ideas, work product, strategies, and themes in representation of the attorney’s client? The protections afforded by the attorney-client privilege and work product doctrines are not absolute, and practitioners must take proper steps to ensure that information intended to be privileged is, in fact, protected.

In July 2021, the United States District Court for the Middle District of Pennsylvania issued an order in the Rutter [3] data breach litigation on this very topic. In that case, Chief Magistrate Judge Karoline Mehalchick ordered the production of an investigative report to Plaintiffs that Rutter had previously asserted both attorney-client privilege and work product doctrine protection over. The investigative report was a cyber incident response report from Kroll. Several key themes emerged from the order:

  1. While Rutter’s outside counsel engaged Kroll, Rutter paid Kroll directly, possibly indicating that the true contract was between Rutter and Kroll.
  2. The description of services in the engagement letter between Kroll and Rutter was insufficient to provide attorney/client or work product privilege protection because the services, as described in the Statement of Work, were not related to the anticipation of litigation or at the direction of counsel.
  3. Rutter’s executives admitted that they would have conducted the investigation regardless of engaging or involving outside counsel.
  4. Rutter’s executives and information technology staff interfaced directly with Kroll without involving outside counsel or obtaining legal advice.
  5. Kroll delivered their investigation report to Rutter directly without involving outside counsel for legal advice and input.

Notably, the Statement of Work between Rutter and Kroll contained the following language:

The overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.”

The language did not acknowledge the anticipated litigation, nor indicate that the investigation was conducted at the direction of counsel. In fact, while it is possible that counsel may have advised Rutter that litigation could result from the breach, the court did not find any support for this notion in the engagement documentation. In a footnote, the court cited [4] how anticipation of litigation may be triggered:

“A reasonable anticipation of litigation is not established by the mere fact litigation occurred, the party consulted or retained an attorney, undertook an investigation, or engaged in negotiations.” 

This is not the first time the courts have ordered the production of investigative reports. Previously, the United States District Court for the Eastern District of Virginia issued a ruling in the CapitalOne[5] data breach litigation that was an eye-opener for both legal counsel and professional services experts. In that matter, the court ordered Capital One to turn over the investigative report in a class action stemming from a 2019 data breach that affected approximately 100 million US residents.  The court rejected Capital One’s argument that the report was protected from disclosure by the attorney work product doctrine.

Similar to the Rutter case, the Court considered work that was described in the Statement of Work (SOW). In this instance, the descriptions in the SOW appeared to have been taken from a prior Master Services Agreement executed between Capital One and Mandiant years earlier. Subsequent SOWs existed between the two parties – all with very similar language. When the data breach occurred, Capital One’s counsel executed a new letter of agreement with Mandiant. But the letter of agreement read much like the earlier SOWs executed directly with Capital One, despite the size and significance of the data breach. The Court found this significant in later holding that the forensic report was not work product. The rationale of the Court focused on the fact that despite the similarities of the old and new SOWs, the Court focused on the fact that the prior cyber security work was not investigative in nature nor produced what would have been considered protected attorney work product.  That difference in substance between prior work and the work at issue was a central issue for the Court insofar as the SOWs were insufficient in drawing out the distinctions.

Paul Ferrillo, partner at Seyfarth Shaw, LLP, offered the following on this subject:

"As outside cyber security counsel for large companies, I often encounter situations where engaging experts is necessary to investigate and opine on cyber security incidents.  Given the delicate nature of engaging experts to preserve privilege, I cannot recommend enough that fellow lawyers take the time to carefully ensure engagement letters and statements of work are properly structured between the parties in order to best protect attorney-client and work product privileges."

It is critical to remain mindful of best practices for protecting privilege when engaging outside experts. Despite the urgency companies may have to engage experts to assist with high-stakes matters, solidifying formalities can significantly enhance assertions of attorney-client and work product privilege protections if litigation should arise. It’s reasonable to anticipate litigation following data breaches, in which case protecting privilege should be top of mind.

Outlined below are some best practices to consider when engaging expert consultants:

  1. Determine the best protection: Understand the distinctions between protected disclosure under the attorney-client privilege and attorney work product doctrines, and decide which one best applies to the situation.
  2. Securing legal counsel is key: In the case of a data breach, an Incident Response Plan should clearly outline that legal counsel should be engaged as soon as a data breach is discovered.  Experts should be engaged secondarily with the guidance of legal counsel.
  3. Outside counsel should engage consulting experts: Legal counsel should endeavor to both engage and pay the expert directly.  In certain types of cases (data breach for example), the end client’s insurance coverage may dictate the engagement structure.  In those cases, the end client, legal counsel, and the insurance provider should discuss the implications of such an arrangement.
  4. Statements of Work should reflect the depth and breadth of the situation: Be certain that SOW’s reflect the terms and scope of the current engagement, rather than a prior one.  All SOW’s should reflect the intent that the agreed-upon work is in anticipation of litigation, in support of the rendering of legal advice and opinions, or at the direction of counsel.
  5. Identify a key communicator: Legal counsel provides legal risk assessment, compliance analysis, and legal strategy.  The attorneys should be the primary conduit for client communication, review all written technical reports from experts, deliver the findings, and serve as the direct communicator between experts and the end client.  Avoid situations where the end client and expert are directly communicating without counsel involved.
  6. Designate as privileged: To preserve any argument over privilege,  upon completion do not disseminate the report to any third parties outside of the company, the Board of Directors, or senior members of the IT department. Appropriate ‘Confidentiality’ and ‘Attorneys’ Eyes Only’ designations may also bolster the document’s protected nature.

Views reflect the opinions of the authors and are not the opinions of AlixPartners. 


[1] See J. Wigmore, Evidence § 2292 (McNaughton rev. ed. 1961)

[2] See In re Asia Global Crossing, Ltd., 322 BR 247 - Bankr. Court, SD New York 2005, Upjohn Co. v. United States, 449 U.S. 383, 398, 101 S.Ct. 677, 66 L.Ed.2d 584 (1981), Bowne of New York City, Inc. v. AmBase Corp., 150 F.R.D. 465, 471 (S.D.N.Y.1993), Hickman v. Taylor, 329 U.S. 495, 67 S.Ct. 385, 91 L.Ed. 451 (1947), United States v. Nobles, 422 U.S. 225, 238, 95 S.Ct. 2160, 45 L.Ed.2d 141 (1975)

[3] See In re Rutter’s Data Security Breach Litigation, No. 20-cv-382

[4] Faloney v. Wachovia Bank, N.A., 254 F.R.D. 204, 214 (E.D. Pa. 2008)

[5] In Re: Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA) (May 26, 2020)