The subject of whether or not communications between breach counsel and the retained forensic experts has been much debated on both sides of the Atlantic.

In the UK, the general principle provides that legal advice privilege protects confidential communications. This is provided that the communications are for the dominant purpose of seeking and receiving legal advice in a relevant legal context.

To the best of our knowledge, the assertion of privilege over any report produced by the cyber security specialist who investigated the matter has not been overturned by a UK court. This means that said report does not have to be disclosed to external third parties.

The position in the United States is slightly different. In the past, courts have actively intervened to overturn privilege in certain circumstances, prompted by certain judges challenging the assertion that such forensic work is mainly for a legal purpose. This change in interpretation was recently exemplified in the Capital One data breach case. 

In this instance, the US District Court for the Eastern District of Virginia ordered Capital One to disclose a forensic investigation report relating to a cyber incident affecting 100 million people. The Court rejected Capital One’s assertion that the forensic reports, generated post-breach, were protected by attorney-client privilege.

Dismissing Capital One’s arguments, the Court found that despite Capital One being likely to face litigation, there was no evidence that services provided by the forensic consultant would have been any different if the threat of litigation was absent.

So, what is the predominant test in the US for assessing whether privilege attaches to these ‘dual purpose’ communications which implicate both legal and business concerns?

What is clear in the US is that there have been examples of three different tests being applied.

At present, the majority of Courts adopt the primary purpose test, whereby the communication will only be protected if the main purpose is legal advice. In the matter of In re Grand Jury in 2021 it was held by the Ninth Circuit that a law firm was required to hand over documents after unsuccessfully contesting the subpoena for the client communications. According to the Court, the ‘primary purpose’ test applied to attorney-client privilege claims for dual-purpose communication, i.e whether the primary purpose of the communication was to give or receive legal advice.

However, the DC Circuit in Property of the People, Inc v. Off of Mgmt. & Budget has held that a dual purpose communication is privileged whenever one of the significant purposes was obtaining or providing legal advice. On the other hand, the Seventh Circuit in US v. Frederick has held that dual purpose communications in respect of tax preparation advice and litigation use were not privileged at all.

In an effort to try and clarify this issue, In Re Grand Jury was considered by the US Supreme Court in January 2023. The Supreme Court was asked to consider the question of whether communications that were a combination of legal and non-legal advice are protected by attorney-client privilege, when legal advice was a predominant reason for the communication.  

The attorney for the petitioner submitted that “The significant purpose test [The DC Circuit test] protects clients' ability to seek bona fide legal advice from lawyers in situation where legal and non-legal purposes can't be separated. The Ninth Circuit's primary purpose test denies the privilege to communications that have a legal purpose anytime a court later finds that the non-legal purpose outweighs the legal purpose even by a little bit.”

Unfortunately, no further clarity was forthcoming. The basic concept of asserting privilege is to assist in the free flow of communications, which is balanced against the broadness of the right to discovery.  The Supreme Court Justices did not provide details as to why they dismissed the case. However, during oral arguments, the suggestion was that many of the justices felt there was not much for the Supreme Court to do and the issue was better left in the hands of the lower courts.  This was borne out by the Supreme Court ultimately declining to rule on the issue at hand.

In the absence of further guidance from the Supreme Court, conflicting tests for applying privilege to documents and dual purpose communications will be a challenge for those handling matters with a US dimension, including international matters.

At the moment, it seems unlikely that the US approach will be adopted by UK courts, subject of course to the requirements for legal advice privilege being satisfied. For international matters, advice from local counsel should always be sought.