Court Orders Production of Data Breach Forensic Report, Rejecting Attorney-Client Privilege and Work Product Protection Arguments
Alerts
January 19, 2021

On January 12, 2021, the District Court of the District of Columbia was the latest court to grant a motion to compel production of a forensic report prepared by an external security-consulting firm in data breach litigation.[1] This case involved a cyberattack on a law firm that led to the public dissemination of the confidential information of the plaintiff, who was a former client of the firm. The plaintiff moved to compel his former law firm to produce "all reports of its forensic investigation into the cyberattack."[2] The defendant asserted that it had produced all relevant materials, including materials related to a second-track investigation conducted by its usual cybersecurity vendor, eSentire, for business continuity purposes. However, the plaintiff also sought a report prepared by Duff & Phelps, which was retained by the defendant's outside litigation counsel. The defendant argued the Duff & Phelps report was protected by the work-product and attorney-client privileges. The court rejected the defendant's arguments and ordered production of the Duff & Phelps report and associated materials.

To evaluate whether the Duff & Phelps report was protected work product, the court applied the "because of" test, i.e., "whether, in light of the nature of the document and the factual situation in the particular case, the document [could] fairly be said to have been prepared or obtained because of the prospect of litigation."[3] The court found that the Duff & Phelps report would have been created in the ordinary course of business irrespective of litigation, because the investigation of the cyberattack was a "necessary business function regardless of litigation or regulatory inquiries."[4] The defendant objected to this characterization and asserted it had conducted a two-track investigation, one in anticipation of litigation and, therefore, privileged, and one for business continuity purposes that was not privileged.

However, the court determined this was not supported by the record, because there was no comparable report prepared by eSentire and the defendant had not offered a sworn statement that a separate investigation had been conducted for the purpose of appropriately responding to the data breach. The court also noted that the Duff & Phelps report was shared with "select members of [defendant's] leadership and IT team" and with the Federal Bureau of Investigation (FBI) and used "for a range of non-litigation purposes."[5] As a result, the court rejected the defendant's argument that the Duff & Phelps report would not have been commissioned and prepared in substantially the same manner, but for the prospect of litigation and, as such, found it was not protected work product.

With respect to the defendant's assertion of attorney-client privilege, the court acknowledged that, in a different case, another court had found attorney-client privilege applied to a similar report.[6] However, the prior decision was determined to be distinguishable. First, the defendant in the prior decision had clearly utilized a two-track approach, i.e., two investigations were conducted by two external security-consulting firms, one of which was a "non-privileged investigation … set up so that [defendant] … could learn how the breach happened and … respond to it appropriately,"[7] which was separate from the privileged investigation conducted in anticipation of litigation. Second, the earlier decision had not included any reference that the report had been shared as widely for non-legal purposes as the Duff & Phelps report. Third, the report in the earlier decision had not been focused on remediation, whereas the Duff & Phelps report included pages of specific recommendations on improving the defendant's cybersecurity practices. The court concluded that the purpose of the Duff & Phelps report was to provide Duff & Phelps's cybersecurity expertise, as opposed to legal advice. Accordingly, the court rejected the defendant's argument that attorney-client privilege applied to the Duff & Phelps report and ordered its production.

Unlike the court in the Clark Hill case, a number of courts have found forensic reports prepared by external security-consulting firms and commissioned by outside counsel to be privileged or protected work product in other decisions. To mitigate the risk of a court ordering production of materials or documents that a company considers to be privileged, companies should take care to: develop an incident response plan that provides guidance on how to effectively protect documents and materials created during the response to a data breach; engage outside counsel early when responding to a data breach; be clear regarding the purposes for which documents are created; and be cautious when using and sharing privileged documents to ensure such use and sharing is consistent with the specific purposes for which the documents were created.

For any questions or further information on protecting privilege when responding to data breaches, please contact any member of Wilson Sonsini's privacy and cybersecurity practice.


[1] Wengui v. Clark Hill, PLC, No. 19-cv-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021).

[2] Id. at *1.

[3] Id. at *2.

[4] Id. at *2.

[5] Id. at *4.

[6] In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384 (D. Minn. Oct. 23, 2015).

[7] Id. at *2.
