Law360, New York (April 9, 2015, 5:10 PM EDT) -- Reports generated from privacy and security audits and data breach investigations often contain unintentionally harmful statements about a company's security safeguards or privacy practices. Frequently these documents contain opinions on issues such as when a breach began or ended, when it should have been discovered, whether regulated data was accessed or acquired, and whether the company was engaging in reasonable security practices — critical topics for regulators and plaintiffs attorneys. Courts are recognizing, however, that when those audits and investigations are directed by counsel to evaluate a company's legal rights and obligations they are subject to the same protections from disclosure as any other attorney-client communication....