6 Ways to Keep Communications with Legal Vendors & Consultants Confidential

Communications between lawyers and outside consultants, such as cybersecurity incident response teams and e-discovery vendors, are largely protected by the attorney work product doctrine, but may also be protected by the attorney-client privilege and court rules preventing the disclosure of communications with non-testifying consultants. Despite the fact a lawyer’s communications with consultants, experts, and vendors are third-party communications, they are generally confidential or privileged, but to preserve the confidentiality of these communications, there are a few things to keep in mind.

Protection Under the Work Product Doctrine

The work product doctrine generally prohibits the disclosure of a lawyer’s work performed in anticipation of litigation.  Attorney work product protection is often set out in court rules such as Federal Rule of Civil Procedure 26(b)(3)(A) and state counterparts like California Code of Civil Procedure 2018.030 and Indiana Rule of Trial Procedure 26(b)(3).  Federal Rule of Civil Procedure 26(b)(3)(A) provides that “[o]rdinarily, a party may not discover documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative (including the other party’s attorney, consultant, surety, indemnitor, insurer, or agent).”

The genesis of work product protection is found in case law including Hickman v. Taylor, 329 U.S. 495 (1947), a United States Supreme Court case in which the justices noted that disclosure of an attorney’s work “contravenes the public policy underlying the orderly prosecution and defense of legal claims. Not even the most liberal of discovery theories can justify unwarranted inquiries into the files and the mental impressions of an attorney.”  Acknowledging that attorneys rely on the help of investigators, consultants, and other third parties, in United States v. Nobles, 422 U.S. 225 (1975) the Court made clear that the work product doctrine also limits disclosure of the work of those assisting attorneys in litigation. “[The reality] is that attorneys often must rely on the assistance of investigators and other agents in the compilation of materials in preparation for trial. It is, therefore, necessary that the doctrine protect material prepared by agents for the attorney as well as those prepared by the attorney himself.”

Protection Under the Attorney-Client and Attorney-Consultant Privileges

In addition to work product protection, in certain circumstances, the attorney-client privilege may also shield communications between attorneys and third parties assisting with litigation

For instance, when the third party communicating with the attorney is the “functional equivalent” of an employee to the client, such as an independent contractor, the communications may be privileged. See, e.g. In re Bieter Company, 16 F.3d 929 (8th Cir. 1994).

Additionally, under the Federal Rules of Civil Procedure and many state rules, communications with non-testifying litigation consultants are not subject to discovery.  For instance, Illinois Rule of Civil Procedure 201(b)(3) provides that “[t]he identity, opinions, and work product of a consultant [who will not be called at trial] are discoverable only upon a showing of exceptional circumstances under which it is impracticable for the party seeking discovery to obtain facts or opinions on the same subject matter by other means.”

But Beware: If a Consultant or Vendor is Hired Before Litigation, Attorney Work Product Doctrine May Not Apply

Communications between lawyers and consultants are privileged only if the primary purpose of communications relate to legal services. If a consultant is engaged for both business and legal purposes, the communications may not be privileged.

In a recent case, communications with a vendor hired to assist with a cyber incident response were found not privileged because the company was hired prior to litigation and for what the court concluded was business reasons and not legal purposes.

In the Capital One Consumer Data Security Breach Litigation, the court ordered Capital One to turn over a forensic report compiled by its data security vendor because Capital One’s Cyber Security Operations team hired the vendor before the data breach occurred. The court noted that in federal court, attorney work product protection stems from Federal Rule of Evidence 502 . This protects from disclosure material prepared in anticipation of litigation or trial. “[M]aterial must be prepared because of the prospect of litigation. Materials prepared in the ordinary course of business or pursuant to regulatory requirements or for other non-litigation purposes are not documents prepared in anticipation of litigation.”

The court concluded that because Capital One and the vendor had a long-standing relationship and performed the same services regardless of the data breach litigation, the vendor did not create the report solely “because of” the lawsuit. To determine whether documents are created “because of” litigation courts “weigh factors such as the timing of retention of a non-testifying expert in relation to the litigation at issue . . . .”

Read a more thorough examination of the Capital One opinion.

Six Steps to Take to Preserve Confidentiality of Communications with Third Party Legal Vendors and Consultants

Regardless of where the protection for communications between attorneys and litigation vendors arises, confidentiality is not absolute and steps should be taken to preserve the privileged nature of the communications.  Below are six things to keep in mind to ensure the confidentiality of the communications.

1. Make sure any agreement with litigation and e-discovery vendors acknowledges that confidential and privileged information will be exchanged during the engagement and that all parties are obligated to preserve confidentiality.
2. Be aware that to be shielded from discovery, the primary purpose of the communication must relate to the attorney’s legal services.  If a consultant is engaged for both business and legal purposes, the communications may not be privileged.  For instance, the court in Foret v. Transocean Offshore (USA), Civil Action 09-4567 (E.D. La July 6, 2010) held that accident reports compiled by an engineer were discoverable because some of the report’s information would have been prepared in the ordinary course of business. This can be especially true of cyber incident forensic reports because cybersecurity consultants are often retained prior to litigation as a preventative measure.
3. Do not forfeit the privilege unless you need to.  This seems quite obvious, but privileges are sometimes unknowingly lost when a party offers testimony from a consultant and then refuses to produce communications with the witness.  For instance, in Nobles, noted above, the Court concluded that by presenting an investigator as a witness, the party lost the work product privilege relating to matters covered in his testimony.
4. Similarly, unless it is your intent, do not put the privileged communications at issue.  For instance, if a spoliation claim arising from the destruction of electronic evidence on a computer is based on a forensic consultant’s investigation of the device, communications with the consultant will be at issue.
5. Be wary of sharing communications with others.  Disclosing privileged communications to others may waive confidentiality unless they share a common interest with the client.
6. Finally, consider obtaining an agreement with opposing counsel during a Rule 26(f) meet and confer conference or in an ESI protocol that communications with litigation and e-discovery vendors are not discoverable.