Last week, the District of Columbia federal court added to the growing body of caselaw related to the privilege afforded to forensic reports generated in response to cyber incidents. The ruling found that any such forensic report (or other compliance-related investigation summary) is not privileged if it “would have been created in the ordinary course of business irrespective of litigation.” See Wengui v. Clark Hill, 2021 U.S. Dist. WL106417 (D.D.C. Jan. 12, 2021) at *1.
In this matter, the Plaintiff sought the work product and arguably privileged report created for the Defendant’s counsel by security-consulting firm Duff & Phelps. Although the Defendant argued that the report was created in anticipation of litigation and provided information to defense counsel regarding how the cyberattack unfolded, the Court found that the report was neither attorney-client privileged nor attorney work product, as it was created in the “ordinary course” of the response that a business that suffered a cyberattack would follow. As the Court ruled, it was a “necessary business function regardless of litigation or regulatory inquiries.” Id. at *2.
How the Defendant Argued for Attorney Work-Product Privilege & Attorney-Client Privilege
The Defendant’s argument for maintaining work-product privilege, i.e., that the forensic report was created to aid counsel’s understanding of the attack in anticipation of litigation, was based on the Defendant’s use of a parallel investigation. The Court did not find this persuasive, but the Defendant explained that two investigations unfolded in response to the breach: (1) a business-continuity oriented response for which the cybersecurity vendor was retained to “investigate and remediate” the cyberattack; and (2) a litigation-oriented response in which litigation counsel retained a firm “for the sole purpose” of “gathering information necessary to render timely legal advice.” Id. at *3. Additionally, the Defendant argued that the work provided by the consultant to the Defendant’s counsel constituted privileged communication as it translated the incident into a digestible report for the attorney. Id. at *5.
The Court’s Analysis
While the Defendant argued that the parallel investigation path is well-worn and that generating a protected report for litigation is separate from a business-continuity report, the Court’s careful review of the record is a reminder of how key factual details and steps can impact an argument over privilege. For instance, the Court noted that the Defendant claimed that its understanding of the root cause and progression of the attack was “based solely on the advice of outside counsel and consultants retained by outside counsel.” Id. Furthering that analysis, the Court noted that there is no evidence that suggests the second, litigation-oriented investigation “produced any findings, let alone a comprehensive report like the one produced” about the root cause of the breach. Id. The distribution of the root-cause business continuity report also worked against the Defendant in the Court’s analysis, as it suggested the report was the one document with the “recorded facts” of the incident. Id. at *4. Additionally, the Court found that the record suggested the Defendant relied on the work of the business-continuity investigation, “instead of, rather than separate from or in addition to” the litigation-oriented investigation. Id. The Court built off existing case law, including Capital One, on the basis that the report was used for non-litigation purposes and the Defendant did not meet the burden of demonstrating that a substantially similar report would not have been produced in the absence of litigation. Id. at *5.
In considering the attorney-client privilege argument, the Court declined to extend such privilege to all manner of services or attach it to reports of third parties made at the request of the attorney. The Court instead reviewed the factual record and concluded that Defendant’s counsel used the security firm for its “expertise in cybersecurity, and not in obtaining legal advice” based on an in-camera review of the report and the Court’s note that it “provides not only a summary of the firm’s findings, but also pages of specific recommendations on how [Defendant] should tighten its cybersecurity.” Id.
What Now?
This ruling shows how steps taken in the immediate response to a cyberattack can echo significantly into litigation. The greatest takeaway may be in the Court’s acknowledgement that “[a]lthough [Defendant] papered the arrangement through its attorneys, that approach ‘appears to [have been] designed to help shield material from disclosure’ and is not sufficient in itself to provide work-product protection.” Id. at *4. The Court’s ruling suggests that the use of parallel investigations is not at issue, but the parallel investigations should be genuine and produce reports oriented to the stated purpose. Counsel thus should consider such steps when assigning responsibilities in response to a cyberattack. Additionally, the substance and distribution of the generated report(s) can reflect to a Court the presence or absence of legal assistance vs. security and business continuity advice. A report heavy on recommendations and distributed widely can defeat attorney-client privilege and attorney work product protections according to this ruling, and IR counsel should take note when engaging third-party incident response firms.
In any incident, it is important to work with sophisticated and experienced tech counsel. The attorneys at Octillo have years of experience responding to large-scale data breaches and can help provide the guidance needed at every stage of a data incident.
*Attorney Advertising. Prior results do not guarantee future outcomes.