Judy Selby and Melissa Kocak have a nice summary of the effect of several recent decisions, including the Target data security breach class action, on the question of whether attorney-client privilege and work-product protections apply to the use of outside vendors when developing data security and information governance policies:
Structuring Retention of Attorneys and Consultants
Companies can help to preserve the privilege by engaging outside counsel to provide legal guidance regarding the prospective development of enterprise-wide information governance architecture and risk assessments associated with data privacy and security in connection with compliance, potential litigation or regulatory requirements.
To fall within the Kovel doctrine and protect the confidentiality of communications among the client, outside counsel, and consultants, outside counsel should document in the consultant’s engagement letter that the consultant’s services are being provided to assist counsel with comprehending the client’s information practices. The letter should also indicate that these services, in addition to all corresponding communications, including the receipt and provision of information, are to be treated as confidential and privileged. Further, the letter should set forth the reasons why counsel is seeking “translation” of complex data into a “usable form” to deliver informed legal advice.
Moreover, during the course of this tripartite relationship, clients should contemporaneously memorialize that the consultant was retained to facilitate outside counsel’s understanding of complex technical issues and the provision of competent legal advice.