A federal court recently added new wrinkles to one of the most important aspects of responding to a data breach: the forensic investigative report. The court ordered a law firm to turn over a report produced by a forensics firm engaged by the law firm’s counsel in the wake of a cyber incident. Experienced cyber counsel know that protecting the confidentiality of work product—including investigative reports—is critical in the aftermath of a breach and in ensuing litigation; this decision makes clear that companies and their counsel need to be as deliberate as ever to maintain the integrity of all appropriate legal privileges during a fast-moving breach response.
The case, Wengui v. Clark Hill, PLC, was brought by a former client of defendant Clark Hill in response to a cyberattack on the firm. Wengui claims that the law firm had insufficient measures in place to safeguard client data. In discovery, he sought reports of the law firm’s forensic investigation into the cyberattack, including a report done by an outside forensics firm, Duff & Phelps. The law firm refused to produce the report on the grounds that it was protected by the attorney-client and work product privileges.
The court’s order, requiring production of the forensics report, has garnered substantial attention, and for good reason. Post-breach investigative reports often contain detailed information about a defendant’s cybersecurity measures, potentially including analysis of what may have precipitated or facilitated the breach. They are also critical for breach victims and their counsel to fully understand the technical details and context for a breach in order to inform the company’s legal strategy going forward. The court’s decision in Clark Hill, that the report was neither protected work product nor an attorney-client privileged communication, adds to an increasingly complex universe of decisions defining the scope of protection for documents produced at the request of counsel in response to cyberattacks.
The court’s key holding was that the forensics report was not attorney work product because it would have been “created in the ordinary course of business irrespective of litigation.” The court noted that for “many organizations . . . discovering how a cyber breach occurred is a necessary business function regardless of litigation or regulatory inquiries.” The court opined that “there is need to conduct an investigation . . . in order to figure out the problem that allowed the breach to occur so that the organization can solve that problem and ensure such a breach cannot happen again.” Based on this premise, the court held that it was “more likely than not, if not highly likely, that Clark Hill would have conducted an investigation into the attack’s cause, nature, and effect irrespective of the prospect of litigation.” According to the court, “it is clear that the Duff & Phelps Report summarizes the findings of such an investigation, and that substantially the same document would have been prepared in any event . . . as part of the ordinary course of” Clark Hill’s business.
Notably, the court rejected Clark Hill’s argument that the Duff & Phelps report was created through a direct engagement with counsel for the purpose of facilitating legal advice, and on a separate “track” from another report prepared by a different vendor, which was focused on business continuity and remediation. Specifically, Clark Hill argued that on one track, it engaged eSentire, a cybersecurity firm, to investigate the attack and create a report to facilitate continuity of the law firm’s operations and remediation of the breach. At the same time, Clark Hill argued, its counsel hired Duff & Phelps to prepare the report at issue for the “sole purpose” of rendering legal advice. Some defendants in similar cases, such as Target in litigation arising from a data breach in 2013, have succeeded in making this type of two-track argument. But the court rejected that theory here because it found that Clark Hill turned to “Duff & Phelps instead of, rather than separate from or in addition to” eSentire to conduct the necessary investigative work. The court also found that the report was shared widely, not just with outside and in-house counsel but also with members of Clark Hill’s leadership and IT teams, as well as with the FBI, weakening Clark Hill’s argument that it was produced solely in anticipation of litigation. The court made this finding based on the record despite the fact that Clark Hill’s outside counsel themselves retained Duff & Phelps.
The court also declined to classify the report as privileged under the attorney-client privilege. As we have previously explained, the attorney-client privilege can at times extend beyond the attorney and client, such as to reports by third parties made at the request of an attorney. In Clark Hill, however, the court held that the objective of the report was for Clark Hill to obtain advice regarding cybersecurity and remedial measures, in addition to legal advice; the court noted that the report contains “pages of specific recommendations on how Clark Hill should tighten its cybersecurity.”
The Clark Hill decision, which comes on the heels of other decisions rejecting work product protection for breach investigation reports, adds several new considerations that companies and counsel must weigh when engaging forensic firms following a data breach. One of the most critical questions is how the content of any investigative report, which will necessarily touch on issues of remediation and technical advice, will color the question of whether it is considered privileged or work product. In many ways, the Clark Hill decision puts companies and their outside counsel in an unenviable position: needing the technical expertise and details of outside forensics consultants to shape their legal strategy, but wondering whether written reports documenting the investigation will be fair game for civil discovery. And where a report is necessary, counsel will continue to struggle with related issues: the scope of the engagement letter when retaining a forensics firm, how to structure the retention of multiple investigative firms in responding to and remediating a breach, and the thorny dilemma of with whom (if anyone) resulting reports can be shared while maintaining legal privileges.
This issue will continue to have wide-ranging implications for breach response practices, and we will continue to monitor and report on decisions regarding the discoverability of forensic breach reports.