In ongoing multidistrict litigation concerning Capital One’s 2019 data breach, Capital One succeeded in defeating a motion to compel disclosure of a privileged root cause analysis conducted by PwC. In contrast to an earlier ruling requiring Capital One to turn over a similar root cause analysis conducted by cybersecurity expert Mandiant, the court found that Capital One’s general counsel engaged PwC through a distinct and legally privileged representation to assist the company with its fiduciary and legal duties in anticipation of litigation. Last month, a federal court in D.C. ordered Clark Hill, PLC to produce a forensic report that was prepared following a data breach, finding that Clark Hill had not met its burden to show that the report would not have been prepared in the ordinary course of business, and rejecting Clark Hill’s reliance on a two-tracked approach to the forensic investigation to support its privilege claims because there was little evidence in the record that it had actually taken such an approach. As these rulings show, privilege determinations vary widely, but adhering to best practices can maximize the chance of avoiding disclosure.
Recent court decisions regarding when forensic reports prepared following a data breach may be protected from discovery have revealed that whether these reports are privileged requires a highly fact-intensive inquiry into when, how and why the forensics company is engaged, the scope of the forensics company’s engagement and how the company that has suffered a breach behaves with respect to the report and in its remediation efforts in response to the attack. As these recent cases have shown, there is no “secret recipe” to ensure a forensics report remains protected from disclosure, but there are several steps companies can take to increase the likelihood that reports of their forensics investigations are protected.
Akin Gump Data Dive has previously covered the decisions issued in the Capital One multidistrict litigation pertaining to plaintiffs’ efforts to obtain root cause analyses prepared by forensics firms Mandiant and PricewaterhouseCoopers (PwC) that Capital One alleged were protected by the work product doctrine and attorney-client privilege. While the court ordered production of the Mandiant report on the basis that Mandiant was performing work pursuant to the terms of a statement of work that had already been agreed to prior to discovery of the data breach, the court denied the plaintiff’s motion to compel the PwC report, finding that it was indeed subject to privilege protections. The latter ruling relied on the following facts: Capital One retained PwC specifically to render an expert opinion to Capital One’s legal department after more than 60 lawsuits were filed concerning the breach; unlike the ongoing relationship Capital One had with Mandiant wherein Mandiant was already engaged to perform the services included in rendering its forensic investigation report, Capital One did not have such an agreement with PwC prior to the filing of the first lawsuits; and Capital One restricted the sharing, copying and printing of the PwC report, whereas the Mandiant report had been disseminated for a number of business purposes outside of the anticipation of litigation.
The Capital One decisions provided some insight into the types of forensic reports courts might deem protected from discovery during data breach litigation. Namely, these decisions suggested that taking a two-tiered approach to breach investigations, thereby separating the business purpose-related aspects of the investigation from the legal investigation, would be a prudent step to ensuring that forensic reports prepared in anticipation of litigation remain protected. But on January 12, 2021, the United States District Court for the District of Columbia released a Memorandum Opinion that further dissected the so-called “two-track approach,” finding that law firm Clark Hill did not carry its burden to prove that a forensics report prepared by security-consulting firm Duff & Phelps was not privileged.1
In September 2017, Clark Hill suffered a cyberattack that resulted in the exfiltration of client data, including its clients’ sensitive personal information. Clark Hill had a standing agreement with cybersecurity vendor eSentire, which provided the firm IT security services. In an effort to follow the two-track approach to forensics investigations advanced during the landmark litigation concerning Target’s data breach in 2015, Clark Hill, through counsel engaged specifically to prepare for litigation resulting from the incident, engaged Duff & Phelps to perform a forensic analysis intended to be used by Clark Hill’s counsel to render legal advice.2 However, the District Court rejected Clark Hill’s argument that the Duff & Phelps report was privileged.
Importantly, the court did not reject the two-track approach wholesale. Rather, the court found that Clark Hill’s actions simply did not comport with the requirements of maintaining a two-track investigation. Though Clark Hill alleged that it conducted a two-track investigation to ensure Duff & Phelps’s investigation and report would be protected by privilege, the court found that Clark Hill’s efforts fell short.
The court noted that the record did not support Clark Hill’s assertion that it conducted a two-track investigation. For instance, the court found there was “no evidence that eSentire ever produced any findings, let alone a comprehensive report like the one produced by Duff & Phelps, about “the problem that allowed the breach to occur” or any recommendations to “ensure such a breach [cannot] happen again.”3 The opinion suggests that a proper two-track investigation involves the simultaneous, and most likely overlapping, investigative efforts of two forensics consultants, one working to investigate and remediate the breach to ensure ongoing business operations, and the second working to perform an investigation that would not have been performed in the absence of litigation.4 Notably, the court distinguished Clark Hill’s retention of Duff & Phelps (through its counsel), which seemed to step into the shoes of eSentire and replace its services, rather than being engaged separate from or in addition to eSentire. Further, the Duff & Phelps report appeared to be the only written record showing how the breach occurred, and it was shared with a variety of personnel outside of Clark Hill’s inside and outside counsel, including the internal IT team, and the FBI.5 Thus, the court found that the work product doctrine did not apply to protect the report from disclosure.
Separately, the court also found that the attorney-client privilege did not protect the Duff & Phelps report from disclosure. Noting that the report itself could not be characterized as an attorney-client communication, the court rejected Clark Hill’s suggestion that the attorney-client privilege “can attach to reports of third parties made at the request of the attorney or the client where the purpose of the report was to put in usable form information obtained from the client.”6 In making this determination, the court opined that the purpose of Duff & Phelps appeared to be “gleaning Duff & Phelps's expertise in cybersecurity, not in obtaining legal advice from its lawyer.”7 Again, the court highlighted that the report had been circulated for non-legal purposes, and that Duff & Phelps appeared to have been hired to perform non-legal services, including providing incident response advice to respond to what was believed to be an ongoing attack. The court therefore found the report and related materials were not privileged and ordered Clark Hill to produce them to the plaintiff.
This latest decision adds to the growing body of caselaw concerning when forensic reports may be considered privileged. Below, we offer some best practices to follow to maximize the chance of successfully asserting privilege over these reports.
Retain outside counsel to manage the investigation.
In the event of a data breach, retain outside counsel to conduct a legally privileged investigation. Whenever possible, outside counsel should directly engage the cybersecurity response vendor, and that vendor should be different from the company’s day-to-day cybersecurity provider. Work closely with counsel to document how the investigation will differ from other cybersecurity services the company regularly receives and explicitly include in any agreement that work will be undertaken at the direction of counsel.
Add—don’t replace—a cybersecurity vendor to provide services necessary for the rendering of legal advice.
Halting the work of an already-engaged vendor and replacing it with a vendor engaged specifically in response to the breach spells trouble. Instead, establish a “two-track approach” to the investigation, whereby the usual vendor investigates and remediates the breach to ensure business continuity, working closely with your IT team, and the second vendor, engaged by breach counsel, focuses its work on providing information to counsel that can be utilized in the provision of legal advice.
Avoid using stock language in the statement of work.
Simply copy-pasting the verbiage from a preexisting agreement with a cybersecurity vendor into a new agreement between counsel and the vendor does not automatically ensure the engagement is privileged. If using the same vendor for breach investigation work and day-to-day consulting is unavoidable, consider your needs in anticipation of litigation and tailor the agreement language accordingly. This factor is critical to demonstrate that any developed work product is created in a manner and form different from what would be created but for the anticipated litigation.
Think critically about requesting a written report of findings.
Companies should consider foregoing a written report of findings from the incident response vendor altogether. Findings and conclusions may be shared orally with key stakeholders.
If a written report is prepared, advise the preparers not to speculate while the preliminary investigation is ongoing. A written report that rests on conjecture and unsupported initial findings will not be helpful in future litigation. Unverified hypotheses should be conveyed orally and thoroughly investigated before they are documented as a “fact” or “finding.” Companies might also determine that they wish any written report to include a focus on exculpatory factors.
Create segmented teams to protect the privilege.
Responding to a data breach incident will likely require responses from multiple business units and external vendors, including teams focused on managing legal, regulatory, consumer, cybersecurity and governance aspects of the breach. To manage the response while protecting the privilege across these legal and non-legal groups, where possible, create segmented work streams assigned to distinct teams on a “need-to-know” basis. Engage outside counsel to direct the work of external vendors, including forensic analysts. The legal team may include members of in-house counsel, outside counsel and experts retained by counsel. Consider creating a separate email listserv to restrict access to information, calls and documents to the designated members on the legal team.
Limit distribution of privileged attorney work product.
Maintain the privileged nature of all attorney work product generated with regard to the incident and only share it as needed for litigation purposes, as opposed to business needs. On the other hand, if a separate report is prepared for business purposes, assume that it will not be privileged. Educate all team members on the importance of not forwarding communications or documents outside of the designated legal team and channeling incident-related communications through legal.
Keep track of where the written findings are shared and why.
If written findings must be shared outside of the legal team, document who receives the report and the reason for the distribution. If the need is a pure business need unrelated to preparing for litigation, avoid sharing the document in order to protect the privilege.
Prepare a separate, non-privileged incident report that can be shared.
After a data breach, information must often be disclosed to apprise board members, auditors, insurers and regulators. To meet these disclosure needs while protecting the privileged nature of the investigation, consider asking counsel to prepare a cover memorandum that addresses only non-privileged business needs and verified factual findings. This memorandum may be shared externally (including with government agencies like the FBI) while protecting attorney-client privileged findings in a separate report prepared only for the use of counsel that may contain broader findings and conclusions.
Pay expenses from the Legal budget.
To the extent possible, fees related to any cybersecurity response overseen by outside counsel should come from the company’s legal budget. While it may seem natural to deduct these expenses from the cybersecurity or IT budgets, some courts have focused on this factor as an indication of whether the company has consistently treated the response as legally privileged.
Be prepared for disclosure.
Court precedent on protecting privilege over forensic reports and/or work performed in response to breaches varies by jurisdiction and is constantly changing. Companies should prepare any written report with the understanding that the final report—as well as drafts, comments and edits to the report—may eventually be produced in litigation. For this reason, taking all necessary steps at the outset to address the incident properly and expediently will help ensure that, should information regarding the breach response ultimately be disclosed in litigation, it will not be to the company’s detriment.
1 Guo Wengui v. Clark Hill, PLC, No. CV 19-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021).
2 See In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384, at *2–3 (D. Minn. Oct. 23, 2015) (upholding Target’s assertion of privilege with regard to documents and communications of its Data Breach Task Force, which were separate from Target’s ordinary-course investigation of the breach).
3 Wengui, 2021 WL 106417, at *3.
4 Id. at *5.
5 Id. at *4.
6 Id. at *5 (quoting FTC v. TRW, Inc., 628 F.2d 207, 212 (D.C. Cir. 1980)).
7 Id. (quotation marks and citation omitted).