It faces mounting challenges to ensure that internal inquiries remain covered by the right. State regulators like the United States In investigating the boundaries of privileged information, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have become more proactive, emboldened by recent rulings in which courts not only consider but actually order demands for disclosure of investigative materials in the civil discovery process. It is now more important than ever for organizations to consider the security steps they should take to maintain these rights and safeguard against potential attacks in the face of this changing environment.
Capital One disclosed in July 2019 that it suffered a data breach that allegedly compromised over 100 million people’s personal data and information. Immediately, Capital One faced regulatory scrutiny and class action. During the class action, plaintiffs discovered that a third-party cybersecurity consulting firm had been hired by Capital One to investigate the July 2019 incident, and requested the forensic report of that company. Capital One believed the forensic report of the company was covered under the doctrine of the work-product. Nevertheless, the Eastern District of Virginia ordered publication of the report on the ground that it was not prepared “because of” the danger of litigation, but rather, regardless of the litigation, it would have been prepared in substantially the same form. See In re: Violation Litigation on Capital One Customer Data Protection., No. 1:19-MD-2915, Dkt. No. 641, 641 (E.D. Va. June 25, 2020). The court based on the pre-existing partnership and fee structure of the consulting company with Capital One for significantly similar services and on the broad dissemination of the study in drawing this conclusion.
In 2013, the audit committee of RPM retained outside counsel to conduct an internal review of accrual-related issues that had been the subject of an SEC investigation. The outside counsel for RPM then shared the investigation’s conclusions with the SEC on the express understanding that there was no waiver. Notwithstanding that arrangement, in a subsequent compliance action, the SEC requested the investigative documents of outside counsel, including witness interview memoranda, and the D.C. Their development was directed by the District Court. Comm’n v. RPM Int’l, Inc., No. 1:16-cv-01803-ABJ, Dkt. See Sec. and Exchange No. 81, 81 (D.D.C. Feb. 12, 2020). The court found that the internal investigation was carried out because without an investigation and not because of the SEC compliance action or expected litigation, the auditor of RPM would not sign the company’s form 10-K. The court therefore ruled that the inquiry was not a matter of right.
In addition, the court also concluded that by disclosing the contents of interview memos with both its auditor and the SEC, RPM had waived any arguable privilege.
Preventative measures in investigations and subsequent civil action to safeguard confidential documents
By laying a strong basis for attorney-client privilege and work-product confidentiality during an internal audit, businesses can minimize the likelihood of future disclosure.Key considerations to consider in order to construct the shield include the following:
Oversight: It is important to supervise the investigator. Routine, company, or regulatory-focused events tend to be investigations conducted through enforcement or internal audit. In comparison, inquiries undertaken or managed by in-house and outside lawyers appear to entail higher business risks and greater legal liability potential, raising the possibility of privileged treatment of relevant communications.
Types of material: Third-party emails, press or publicity materials, public announcements, company and technical documents and communications between non-lawyers only constitute lightning rods in disputes over rights. Consider who is involved in the preparation or discussion of such documents, why they are involved, what they contribute to the materials, when and how the materials are produced, and to whom they are revealed, whether the content is privileged.
Prior Disclosure: All previously exchanged or even summarized privileged information with third parties-auditors, regulators, and compliance agencies-are particularly vulnerable to challenge. This involves sharing information in exchange for “cooperation credit” in conjunction with inquiries by the government. Privacy and non-waiver arrangements with the state may not be binding.