The Supreme Court of Israel recently issued an opinion concerning the scope of attorney-client and work product privilege. The opinion continues a trend of expanding the scope of attorney-client privilege under Israeli law. At the same time, Israeli courts have often expressed concern that such expansion may result in inappropriate application of the privilege. Clients wishing to ensure the application of privilege to investigations of cybersecurity breaches must be mindful of applicable limitations under Israeli law.
Opinion in Anonymous v. Meuhedet Health Fund
The literal statutory language implementing the attorney-client privilege under Israeli law covers only attorneys and documents held by attorneys. However, in a series of decisions, the Supreme Court of Israel has expanded the scope of attorney-client privilege to also cover documents held by third parties, and which otherwise have a "substantial relationship to the professional services provided by the attorney." In Anonymous, the Supreme Court held that attorney-client privilege may apply in certain circumstances to cover documents prepared by an attorney and which unintentionally came into the possession of a third party. Anonymous also reiterated existing case law holding that work product privilege covers only communications where anticipation of litigation was the "primary or dominant" purpose for the preparation of such documents.
As Israeli courts have expanded the scope of situations to which attorney-client and work product privilege apply, they have also expressed concern regarding the inappropriate application of the privilege. For example, in a 2011 decision in Heinz Israel Ltd. v. State of Israel, the Supreme Court held that attorney-client privilege protects not only documents in the possession of an attorney, but also documents held by the attorney's client. At the same time, Supreme Court President Beinisch expressly wrote that the expansion of the privilege "justifies a more rigorous determination concerning which documents the privilege applies to." President Beinisch specially noted that the privilege should not apply simply because an attorney was included as an addressee to the communication. Cases following Heinz held that communications of internal investigations by insurance companies concerning their possible liability would not be covered by attorney-client privilege, despite claims that such communications were intended for review by the insurance company's attorneys.1
Anonymous also reviews Israeli case law concerning the application of the work product privilege. Under Israeli law, the work product privilege applies where preparation for trial was the primary or dominant purpose for creation of the documents. As such, courts have held that documents required to be prepared pursuant to law or for ordinary commercial purposes were not covered by the work product privilege, despite claims that such documents were also prepared in anticipation of court cases.
Security Incident Response
Companies that have suffered cybersecurity breaches often require the advice of technical and forensic consultants to understand the scope of the breach and the vulnerabilities that facilitated the breach. Public disclosure of these investigations can impact a company's reputation and legal liability.
Under Israeli law, as reiterated by Anonymous, it is not clear that attorney-client privilege will apply to communications where lawyers are only incidental or secondary addressees. Moreover, it is not clear that work product privilege will apply to technical analysis of a breach, if such analysis was prepared in the ordinary course of a company's activities or pursuant to its legal obligations (such as, for example, a company's legal obligations to document or provide notification for security incidents pursuant to the recently enacted Israeli Privacy Regulations (Information Security) 2017). As such, companies interested in preserving privilege under Israeli law during breach response must ensure that communications are properly prepared towards that goal. For example, companies hiring technical experts to investigate breaches should consider whether such experts should be hired by and report to the company's attorneys. In addition, in order to show that any communications were prepared "primarily" in anticipation of litigation, companies should expressly state in any retention agreements with experts that the services are sought in anticipation of litigation, and such technical services should in fact be directed, at least in part, at assessing compliance with applicable law and contractual security requirements.
Finally, companies should also consider whether contractual obligations to prepare security incident analyses may limit the application of privilege to such analyses under Israeli law. As such, in ordinary course commercial agreements, firms may want to consider limiting their obligations to prepare or provide security incident reports.