
Privilege Chain - Attorney-Client Privilege in Cyber IR

The privilege chain in cyber incident response is the deliberate structuring of forensic engagements, internal communications, and work product so that the resulting findings are protected by attorney-client privilege and the attorney work-product doctrine. A well-constructed privilege chain typically engages outside counsel first, who then engages the DFIR firm under a Kovel-style agreement, with all findings reported to counsel and shared with the client through counsel.

Source: United States v. Kovel, 296 F.2d 918 (2d Cir. 1961); In re Capital One Consumer Data Security Breach Litig., 2020 U.S. Dist. LEXIS 88068 (E.D. Va. May 2020); In re Premera Blue Cross Customer Data Security Breach Litig., 296 F. Supp. 3d 1230 (D. Or. 2017).

How the Privilege Chain Is Built

  1. Outside counsel is engaged first, under an engagement letter for legal advice in connection with the incident
  2. The DFIR firm is engaged by counsel, not by the client, under an agreement that explicitly states the engagement is to assist counsel in providing legal advice
  3. Reports flow to counsel first, and counsel selects what to share with the client (and how)
  4. Internal communications about the incident are marked privileged and confidential and limited to a defined privilege circle
  5. The same DFIR firm is not used for non-privileged, ordinary-course business work on the incident

Why the Privilege Chain Matters

Forensic findings often expose root causes, control gaps, and decisions that may be unfavorable in subsequent litigation or regulatory enforcement. Without privilege, those findings can be subpoenaed and used in class action suits, regulatory enforcement actions, and shareholder derivative actions. A well-constructed privilege chain protects the candor that an honest investigation requires while still permitting the disclosures owed to regulators and affected individuals.

Limits and Risks

The privilege chain is not absolute. Courts have rejected privilege claims when the DFIR engagement was a continuation of pre-existing business work (In re Capital One), when the report was distributed widely within the company beyond counsel's control, or when the work was performed primarily for business reasons rather than to obtain legal advice. Construct the chain at the start of the incident and maintain that discipline throughout the response.

Maintain privilege chain integrity

IR-OS supports counsel-led engagement structure, privilege circles, and the defensible record that preserves attorney-client privilege through the response.
