In order to provide legal advice to clients in the aftermath of a hacking, lawyers must rely on digital forensics investigators to understand the nature and scope of the breach. Corporations also use this type of information to stop the attack and improve their security. Inevitably, plaintiffs’ attorneys seek these reports through discovery and defendant corporations try to block their release by claiming that they are covered by the attorney-client privilege or the related attorney work product doctrine. Courts across the country have signaled a willingness to look critically at these reports, how they were created, and how they were used to determine whether they are discoverable. As data breach litigation has become more common, a consensus appears to be forming around what steps corporations and their counsel must take to ensure that forensic reports of hacking incidents remain privileged.
Most recently, the United States District Court for the District of Columbia issued a ruling on the subject in Guo Wengui v. Clark Hill, PLC.[i] In Clark Hill, the plaintiff sought, among other things, to compel production of “all reports of its forensic investigations into the cyberattack” that led to the disclosure of his confidential information.[ii] The defendant argued that because the reports were prepared by an external security-consulting firm retained by defendant’s outside counsel, the reports were protected by the attorney-client and work-product privileges. The court, applying the reasoning of several high-profile and factually similar decisions, disagreed. The reasons it did so are instructive and offer valuable insight into how and when privilege attaches to forensic post-mortem breach reports.
A prominent Chinese businessperson and political dissident, Guo Wengui, accused his former law firm, Clark Hill, and his immigration attorney, Thomas Ragland, of malpractice after the firm was hacked and Wengui’s personal information made public online. Wengui claimed that even before retaining the firm to represent him in filing a political asylum petition he had warned them of the “persistent and relentless cyber attacks that he and his associates had endured” and cautioned them that they should “expect to be subjected to sophisticated cyber attacks” themselves if they took on his representation.[iii] In response to this warning, Wengui alleged that Clark Hill had agreed to "take special precautions to prevent improper disclosure of plaintiff's sensitive confidential information."[iv]
Those efforts proved to be insufficient, and in late 2017 the firm’s systems were hacked. The hacker obtained a trove of Wengui and his wife’s personal information, including passport identification numbers and the contents of their political asylum applications, and published the information on social media.
In responding to the hacking, Clark Hill worked with a stable of advisors. First, it engaged its usual cyber security vendor, eSentire, to “investigate and remediate the attack” and to preserve “business continuity.”[v] It also retained outside counsel, Musick, Peeler & Garrett, who then retained a second cyber security vendor, Duff & Phelps, ostensibly to help “prepare for litigation stemming from the attack.”[vi]
This two-expert approach was apparently designed to avoid the problem that had caused other courts to declare digital forensics expert reports discoverable. In re: Capital One Customer Data Security Breach Litigation serves as a compelling example.[vii] In that case a federal court in the Eastern District of Virginia upheld a magistrate order compelling production of a breach report prepared by a cybersecurity firm engaged by Capital One and its outside counsel. The court noted that the report was the only one produced about the incident and that although Capital One’s outside counsel had purportedly taken over direction of the cybersecurity firm, in fact the report had been prepared pursuant to a pre-existing statement of work with Capital One. Moreover, the court agreed with the magistrate’s reasoning that because the report was shared widely among non-legal employees it was created to serve a business, rather than exclusively legal, purpose. Ultimately, the court decided the report had to be produced because there was not “sufficient evidence to show that the services performed by [the cybersecurity firm] would not have been done in substantially similar form even if there was no prospect of litigation.” In other words, by relying on a single expert both for litigation and for the general business purpose of responding to the breach and improving its security, Capital One could not show the report was prepared “because of” anticipated litigation and therefore could not assert the attorney-client privilege to prevent its production.
By contrast, In re: Target Corporation Customer Data Security Breach Litigation found in favor of the attorney-client privilege, based on a similar theory, though articulated somewhat differently. In that case the Federal District Court in Minnesota found that a forensic report could only be privileged if it would not have existed but for the prospect of litigation.[viii] There, a company’s claim that privilege applied to a cybersecurity firm’s investigative materials was upheld because a separate, non-privileged investigation had been conducted to determine “how the breach happened.” Information generated on the litigation track was found to be protected because it would not have existed if it were not for the prospect of litigation.
Relying on the “two-track” or “two-expert” approach endorsed in In re: Target and its progeny and suggested by In re: Capital One, Clark Hill produced materials generated by eSentire but not Duff & Phelps. It reasoned that the eSentire materials were discoverable because they were prepared to understand how the breach happened, but that the Duff & Phelps materials were not because they were generated by a vendor retained by outside counsel to assist them in “gathering information necessary to render timely legal advice.”[ix]
However, the court did not agree that the “two-track” approach had been properly observed. The court first analyzed Clark Hill’s argument that the work-product privilege applied. In doing so it did not quarrel with the rationale of In re: Target, but instead found that the lawyer’s forensic report had not been prepared exclusively for use in preparation for litigation. It pointed to Clark Hill’s interrogatory answers, which stated that the firm’s understanding of the breach was based solely on what it had learned from outside counsel and through Duff & Phelps, as evidence that the Duff & Phelps report was the only substantive report on the breach.[x] Moreover, it found no evidence that eSentire had even prepared a report addressing why the breach occurred, fatally undermining the claim that the Duff & Phelps report was a second track. Instead, the court concluded that, rather than being a “second track,” Duff & Phelps had been engaged to replace eSentire.
But that’s not all. Clark Hill’s two-track theory was also torpedoed by its profligate sharing of the Duff & Phelps report, as in In re: Capital One. The court found that the report was shared not only with inside and outside counsel, but with members of Clark Hill’s leadership and IT teams and with the FBI. The court looked to this sharing, and the use of the report for non-litigation purposes, as evidence that its true purpose was far broader than assisting outside counsel with litigation. Notably, the sharing of the report with outsiders not involved in the litigation alone appears to have been sufficient grounds to deny Clark Hill’s attempt to protect the report from Wengui on the alternative theory that the attorney-client privilege had been waived. That the court did not rest its decision on this theory suggests it thought it important to fully explain when the privilege does and doesn’t apply to expert reports.
As this case demonstrates, the legal landscape in responding to security incidents has become replete with traps for the unwary. For outside and in-house counsel, Clark Hill should serve as a warning. Although employing a two-track approach is still a viable method of protecting post-mortem incident reports from discovery, parties must now be more careful than ever to ensure that the record—from interrogatory responses, to deposition testimony, to the timeline and scope of vendor engagements—supports the theory. Failure to do so risks losing the protection that is often critical to defending breach-related claims.
[i] No. CV 19-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021).
[iii] Guo Wengui v. Clark Hill, PLC, 440 F. Supp. 3d 30, 34 (D.D.C. 2020).
[v] Clark Hill, 2021 WL 106417, at *3.
[vii] In re Capital One Consumer Data Sec. Breach Litig., No. 1:19MD2915 (AJT/JFA), 2020 WL 3470261, at *1 (E.D. Va. June 25, 2020).
[viii] In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384, at *2-3 (D. Minn. Oct. 23, 2015).
[ix] Clark Hill, 2021 WL 106417, at *3.