Overview
Companies responding to data breaches and other cyber incidents must assess whether incident response (IR) investigations conducted by third-party vendors are protected from discovery in litigation under the attorney-client privilege or attorney work-product doctrine. The issue arises most acutely with reports generated by the incident response firm, but other communications with the vendor may also be at risk of discovery if the work of the incident response firm is not part of a privileged investigation. Despite some unfavorable precedent in recent years, there is still a path to navigating the legal minefield around these issues.
In determining whether a given IR document merits protections, courts ultimately examine whether and how counsel directed the IR vendor’s work—an exercise that often becomes a multifactorial inquiry that probes all aspects of the relationships between the IR vendor, the company and counsel. Below, we enumerate some of the key factors courts consider when deciding such a question, illustrated by major relevant cases.
Relation to Vendor’s Ordinary Work
Courts formerly treated direction by outside counsel as a primary factor in determining whether an IR vendor’s report merited protection. For example, in In re Experian Data Breach Litigation, the court relied on the fact that the IR vendor’s report was initially delivered to outside counsel at outside counsel’s direction in finding that “but for the anticipated litigation, the report wouldn’t have been prepared in substantially the same form or with the same content.” 2017 WL 4325583, at *2-3 (C.D. Cal. May 18, 2017). However, courts are increasingly scrutinizing whether the actual services the IR vendor has provided to lawyers can in fact be differentiated from the vendor’s day-to-day services. Absent substantive differences in scope between privileged and ordinary-course work, there is a risk that a court may deny protections.
Beyond ensuring that counsel is directing IR vendors, companies must therefore make efforts to distinguish the actual work IR vendors do from the business-as-usual cybersecurity work many of these same vendors support. Work-product protection may be inapplicable when a vendor’s scope of work does not substantively change after outside counsel becomes involved, as that tends to indicate that the IR vendor’s work was done in the ordinary course rather than as an aid to the attorneys and in anticipation of litigation. See, e.g., In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230, 1245 (D. Or. 2017) (“[Mandiant’s] scope of work did not change after outside counsel was retained. The only thing that changed was that Mandiant was now directed to report directly to outside counsel and to label all of Mandiant’s communications as ‘privileged.’”).
If companies are penalized from a privilege standpoint for using the same vendor before and after an incident, they face a Catch-22. Cybersecurity best practices favor engaging IR vendors pre-incident so that they are familiar with a company’s systems, processes and technologies, thus enhancing the speed and precision of any subsequent incident response work. For example, the IR firm can pre-deploy sensors, beacons and other technologies, as well as assist with risk assessments and testing, that will let it rapidly gather the technical data needed to diagnose and contain an active breach. But some courts have found that the pre-incident engagement of a vendor may be too similar to the vendor’s work during the incident, meaning that the vendor’s work product would not have been any different “but for” the litigation and therefore does not merit work-product protection. See, e.g., In re Cap. One, 2020 WL 3470261, at *6 (E.D. Va. June 25, 2020).
Budget Source
While it may seem natural to deduct expenses related to the IR vendor from a company’s cybersecurity or IT budget, some courts have found that payment from a business function other than the legal department weighs against a finding of privilege, as it tends to suggest the vendor operated in the ordinary course rather than in support of litigation or legal advice. For example, in denying work-product protection, the court observed that “Capital One paid Mandiant for this work from a Capital One fund denominated ‘business critical’ expenses.” See In re Cap. One, 2020 WL 3470261, at *1.
To the extent possible, IR vendor fees should be paid out of the legal budget.
Dual Track Investigations
Courts have viewed dual track investigations favorably, where the company conducts separate investigations: one in the ordinary course of business and another in aid of counsel. To preserve privilege, however, the tracks must be actually separate from one another, and the advice rendered must be independent. For example, in In re Target Corporation Customer Data Security Breach Litigation, the court found that one investigation was focused “on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice,” while it conducted a parallel ordinary-course investigation with a separate team. 2015 WL 6777384, at *2-3 (D. Minn. Oct. 23, 2015). Conversely, in Guo Wengui, a dual track investigation was insufficient to shield a vendor report from disclosure where one vendor retained by counsel did the majority of incident response work, and there was no evidence that the other vendor, supposedly retained for business continuity purposes, did any work at all on the incident. 338 F.R.D. 7, 11-12 (D.D.C. 2021). Courts may therefore be less likely to protect reports if they find that the true purpose of a dual track approach appears “designed to help shield material from disclosure” without other indicators that it was for legal advice. Id. at 13.
Scope of Distribution
Even where privilege or work product may attach, courts also consider whether the IR vendor report was shared widely to nonlegal employees or otherwise disclosed to third parties, such as the FBI. See, e.g., In re Samsung, 2024 WL 3861330, at *14 (D.N.J. Aug. 19, 2024) (“The breadth of Samsung’s involvement or participation in Stroz’s process and wide dissemination of the Stroz Analysis undermine[s] Samsung’s assertion that Stroz was only retained to provide technical interpretation for the benefit of [outside counsel].”). Courts may also consider broad dissemination to be more consistent with a business purpose than with litigation. Broad distribution of the report can also create waiver issues if, for example, an attorney-client privileged document is shared with a third party to whom the privilege does not extend, such as an insurer.
Takeaways
While courts have increasingly chipped away at protections over vendor incident response reports, companies can still take precautions to attempt to preserve them. In deciding how to handle post-incident IR work, consider the following:
- Who retained the vendor and for what purpose? Retention by legal counsel—particularly outside counsel—rather than the technology function is more likely to result in a finding of privilege.
- What was the scope of the vendor’s services? IR services that differ meaningfully from ordinary-course cybersecurity services are more likely to be protected. Ensure the documented scope is focused on work necessary for counsel to assess legal obligations and respond to litigation. Remediation should not be part of that scope.
- When was the vendor retained? Pre-incident retention for ordinary-course work may cut against a finding of privilege. If you decide to use the same vendor for proactive work as well as IR work, use separate agreements with different scopes of services.
- To whom was the report distributed? Broader distribution, especially to business and technical teams, tends to weigh against a finding that a report merits protections.
- Who paid the vendor? Payment by legal rather than the technology function is more likely to result in a finding that protections are merited.
- Was there a parallel investigation for business continuity? Multitrack investigations—one by legal and one by the business/technology function—can be an effective path toward protecting the report created by the privileged track.
- What were the contents of the report, and did it include go-forward remediation recommendations? The presence of remediation recommendations weighs against finding a report protected, but the absence of such recommendations is not necessarily sufficient to prove a report does merit protections.
- Was the report in a different form than it otherwise would have been if litigation were not anticipated and/or pending? In general, the closer a report adheres to legal concerns, especially those informed by actual or imminent litigation, the stronger any claim for protections will be.
Private Equity Report Spring 2026, Vol 26, No 1