As organizations increasingly engage consultants to conduct cyber risk assessments and to assist in the event of a breach, a logical concern is whether the attorney-client privilege is available to protect those efforts. The Kovel decision in the Second Circuit extended the attorney-client privilege to third parties assisting attorneys in representing clients under certain circumstances. This two-part series describes the use of so-called “Kovel arrangements” by companies to extend the attorney-client privilege to interactions with consultants. This first article describes the requirements of the Kovel privilege as established by case law, as well as critical considerations for deciding whether to invoke or waive the privilege when interacting with regulators or litigants. The second article will detail the requisite features of a fully compliant Kovel arrangement and will examine circumstances under which it is and is not appropriate for companies to employ Kovel arrangements. See also “Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations” (Nov. 11, 2015).