Last month, in Guo Wengui v. Clark Hill, PLC, the United States District Court for the District of Columbia granted Plaintiff’s motion to compel production of Defendant’s third-party forensic investigation report following a cybersecurity incident.[1]  The court held that the forensic report was not covered by the attorney-client privilege or the work product doctrine, providing a cautionary tale for companies conducting post-breach investigations.

Background

The litigation against Clark Hill, PLC (“Defendant”) stemmed from a cyberattack targeting the firm and one of its clients, Wengui, a political dissident from China.  Clark Hill was advising Wengui on an asylum application when the firm was hacked and Wengui’s confidential information was published online.  In September 2019, Plaintiff brought suit and requested that Defendant produce any third-party reports from its forensic investigation into the cyberattack.  When Defendant objected, asserting work-product protection and attorney-client privilege, Plaintiff filed a motion to compel.

The D.C. District Court’s Decision

The court agreed with Plaintiff that a report (“Report”) created by the Defendant’s forensic investigation firm, Duff & Phelps, and the associated materials were not protected by either work-product or attorney-client privilege.  Duff & Phelps had been hired by the Defendant’s outside litigation counsel to conduct an investigation into the breach.

The work-product doctrine covers documents “prepared in anticipation of litigation.”  The D.C. Circuit applies the “because of” test, which asks “whether, in light of the nature of the document and the factual situation in the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation.”[2]  In other words, Defendant must show that the document “would [not] have been created in the ordinary course of business irrespective of litigation.”[3]  Here, the court was ultimately persuaded by Plaintiff’s argument that determining how the data breach occurred was a necessary business function, and concluded that the Report would have been created regardless of litigation.

Defendant unsuccessfully argued that the Report was prepared in anticipation of litigation because its breach investigation was conducted in two tracks: 1) its regular cybersecurity vendor conducted an investigation targeted to business continuity issues, while 2) Duff & Phelps was retained by Defendant’s outside litigation counsel for “the sole purpose of assisting the firm in gathering information necessary to render timely legal advice.”[4]  In support of its argument that the latter track was protected from disclosure, Defendant cited In re Target, in which the court recognized as privileged the company’s “second track” investigation “to inform counsel about the breach so that [counsel] could provide . . . legal advice and prepare to defend the company.”[5]  The D.C. District Court distinguished In re Target because: 1) there was no sworn statement affirming that the first track investigation was conducted to learn how the breach happened and to facilitate an effective response; 2) Duff & Phelps had been hired for the second track investigation in lieu of, not in addition to, the regular vendor; and 3) the Report was broadly shared with Defendant’s leadership, the FBI, and other entities for non-litigation purposes.

Defendant also argued that the Report was covered by the attorney-client privilege on the grounds that privilege can “attach to reports of third parties made at the request of the attorney or the client where the purpose of the report was to put in usable form information obtained from the client.”[6]  The court likewise rejected this argument, finding that Defendant’s objective in consulting Duff & Phelps was to obtain its cybersecurity expertise, not to facilitate legal advice.

Implications

This decision is in line with the U.S. District Court for the Eastern Division of Virginia’s much-discussed decision in In re Capital One,[7] where a similar forensic report was deemed discoverable.  Taken together, these decisions suggest that companies investigating data breaches should take the following steps to try to maximize potential privilege and work product protections over investigative reports and related communications:

  • Implement a “two-track” investigation system, where the vendor that routinely handles cybersecurity for business purposes is not the same one that is hired in the aftermath of a cyberattack for litigation purposes. Although this did not prevail in the Wengui decision, there was a fact-specific issue in that case as the Defendant had not fully implemented a two-track investigation system.
  • Build a record establishing the implementation of the two-track investigation system by documenting the purpose and progress of both work streams. The court rejected the Defendant’s work product objection in part based on a finding that the Defendant’s use of the two-track system was not adequately supported by the record.  Such documentation could include a report of findings and recommendations produced by the cybersecurity vendor used in the first non-work product track, and internal documents showing how the company used the first-track report or information produced by the first-track investigation and the purpose for using the two-track system, all of which the court cited as relevant to its determination.
  • Limit the use of the forensic report solely to litigation purposes, and share only with those who need it in connection with rendering legal advice to the company. Sharing the report with a third party, including law enforcement, could result in a waiver of privilege protections.
  • Avoid remediation recommendations in the “second track” forensic report, and ensure that the report is a document that focuses on assisting counsel, not improving data security.

Incident responses to data breaches are fast-moving and involve coordinating a number of internal and external parties.  It is therefore critical to keep potential privilege and work product protection in mind when generating reports and communications, given the ever-increasing risk of litigation that can follow a cybersecurity incident.

[1] Guo Wengui v. Clark Hill, PLC, et al, Civil Action No. 19-3195, Dkt. 49 (D.D.C. Jan. 12, 2021).

[2] United States v. Deloitte LLP, 610 F.3d 129, 137 (D.C. Cir. 2010) (emphasis added).

[3] Banneker Ventures, LLC v. Graham, 253 F. Supp. 3d 64, 72 (D.D.C. 2017).

[4] Guo Wengui v. Clark Hill, PLC, et al, at *3.

[5] In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384, at *2-3 (D. Minn. Oct. 23, 2015).

[6] FTC v. TRW, Inc., 628 F.2d 207, 212 (D.C. Cir. 1980).

[7] Consumer Data Sec. Breach Litig., MDL No. 1:19md2915 (AJT/JFA) (May 26, 2020).