Adding to an emerging trend of federal cases addressing privilege in the context of forensic reports, the DC District Court ruled last month that forensic reports created in response to a cybersecurity incident were not subject to attorney-client privilege nor attorney work product protection because the reports were created in the ordinary course of business. This decision has significant implications for organizations preparing to respond to cybersecurity incidents and continues a pattern of increased scrutiny by plaintiffs and courts alike on claims of privileged communications/work-product invoked over such forensic reports. This case serves as an important reminder to all organizations that taking appropriate steps to address privilege and confidentiality is vital to preserving arguments to protect work product and communications in the context of collateral litigation that often follows cybersecurity incidents.
Cyberattack
In Wengui v. Clark Hill, PLC, a discovery dispute arose in a malpractice lawsuit brought by plaintiff Guo Wengui, a former client of the Clark Hill law firm, which had been retained by Wengui for assistance on an asylum petition and sued after a hacker published the client’s confidential information on-line. Wengui sued the law firm on the theory that the firm failed to take sufficient precautions to protect his data and moved to compel the law firm to produce all reports relating to its forensic investigation into the cyberattack that led to the publication of his confidential information.
Clark Hill argued that it had produced all relevant internally generated materials and that the documents the plaintiff sought, which were produced by an external security-consulting firm, were covered by both attorney-client privilege and attorney work product protections. To support this argument, Clark Hill pointed out that the external security-consulting firm was retained by Clark Hill’s external counsel to assist in preparing for litigation stemming from the attack.
Work-Product Protection
The court ruled that the process of investigating a breach represents a necessary business function regardless of litigation or regulatory inquiries when an entity handles sensitive information. The report in question summarized the findings of the forensic investigation. Such investigations, the court determined, are standard for organizations that handle sensitive information because they are expected to detect the source of a breach, mitigate risks, and prevent future incidents.
Clark Hill also argued that they initiated two different reports from different third party providers, one report prepared reflecting the steps taken to investigate the breach, mitigate risks and prevent future incidents and another report produced by a different external security consulting firm in anticipation of litigation. The court agreed with Clark Hill’s legal argument that it should apply the ruling in In re: Target Corp. Customer Data Security Breach Litigation. In that case, Target conducted a two-track investigation, and the court ruled that Target appropriately withheld the forensic report created in anticipation of litigation; however, the court found that there was no factual support in the record for the existence of a two-track investigation, noting that the second external security consulting firm had replaced the first one two days after the attack had begun.
As a result, Wengui stands for the same proposition as Target, both cases holding that a two-track investigation provides strong evidence that a report was created in anticipation of litigation. This result suggests that a company should consider utilizing its existing third-party IT provider or cybersecurity firm to conduct an investigation for business purposes while engaging a different cybersecurity firm to conduct an investigation predicated on anticipation of litigation.
Further, the court noted that the report at issue was shared within the Clark Hill law firm, including with members of the firm’s leadership and IT teams, and was used for a range of non-litigation purposes, and, therefore, could not be considered to have been prepared in anticipation of litigation. Ultimately, the report was not afforded work-product protection by the court.
Attorney-Client Privilege
The Wengui court similarly concluded that the report was not protected by attorney-client privilege, noting that Clark Hill’s principal objective in securing the report was utilizing the external security consulting firm’s expertise in cybersecurity, not in obtaining legal advice from its lawyer. The court cited the fact that the report was shared with both IT staff and the FBI as further proof that the report was not a confidential communication between attorney and client, although it declined to address whether sharing such a report with the FBI would be considered a waiver of attorney-client privileged, were it to have existed in this case.
This case follows the recent decision in In re: Capital One Consumer Data Security Breach Litigation wherein the federal district court for the Eastern District of Virginia similarly found that the forensic report was discoverable. There, the court observed that distribution of the forensic report to roughly 50 employees, a corporate governance general email box, an accounting firm, and four regulators, taken together demonstrated that the report was not by the attorney work product doctrine. Notably, Wengui is more restrictive than Capital One, in that in Wengui, the court noted that the report was only shared with select members of Clark Hill’s leadership and IT team, as well as with the FBI for the purpose of assisting its investigation of the cyber incident. Notwithstanding the limited distribution of the report, the Wengui court found that this was evidence that the report was not created in anticipation of litigation, but for business and investigative purposes.
These cases are generally in accord with the Fourth Circuit’s 2019 decision, In re Dominion Dental Services, wherein the court ruled that materials prepared by a consultant following a breach were not privileged because (1) the consultant had a relationship with the defendant pre-dating the breach, and which anticipated services in the event of a breach; and (2) the defendant used the materials for non-litigation purposes, including public relations.
Takeaways
Every organization should build into the existing cybersecurity response plans appropriate separations for investigations and privileged communications to address the requirements for maintaining privileged communications and work product. The scope, work plan, and use of the materials created by third party consultants in response to cybersecurity incidents should be made clear at the outset of the investigation and maintained throughout the investigation.
Creating a clearly-delineated and separate two track investigation, limiting disclosure of the full report to in-house counsel (and providing a high-level summary report to directors, auditors and government agencies), and outlining remediation plans in a separate report should reduce the prospect for disclosure of a report. Working with counsel to effectively manage these issues in the midst of an attack is certainly a challenge, but the consequences of not preparing for these issues could be significant in follow-on litigation.