Another Court Holds a Third-Party Cyber Forensics Report as NOT Privileged
On January 12, 2021, the United States District Court for the District of Columbia joined the growing list of courts that have held that reports generated by third-party forensics firms in response to a cyberattack are not protected from discovery in subsequent litigation. What’s especially interesting about the case, Wengui v. Clark Hill, PLC, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 20201), is that the cyberattack victim, a law firm, argued that it had commissioned two reports in its investigation. One report, commissioned to investigate the attack, was produced in discovery. The other report – which was subject to the discovery dispute – was argued to have been expressly commissioned by outside counsel in anticipation of litigation. The federal court rejected the argument based in part on the content of the report, its dissemination, and the law firm’s own discovery responses.
The case involved plaintiff Guo Wengui suing his former law firm, Clark Hill, following the law firm’s cyberattack that led to the public dissemination of his information. In discovery, Wengui requested from the firm all forensic investigation reports about the cyberattack, and in particular, a report prepared by Duff & Phelps (a/k/a Kroll). Clark Hill refused to produce the report, contending that the report was both attorney-client privileged and protected by the work product doctrine. It argued that it did not hire Duff & Phelps; instead, the forensics firm had been retained by outside litigation counsel to assist in its representation of Clark Hill, and to help “prepare for litigation stemming from the attack.” In so arguing, Clark Hill pointed to a report prepared by a second forensics firm, eSentire, which had been produced in the litigation. The firm also refused to answer interrogatories seeking “Clark Hill's understanding of the facts or reasons why” the attack occurred, arguing that “its ‘understanding’ of the progression of the . . . incident is based solely on the advice of outside counsel and consultants retained by outside counsel,” and was therefore privileged. Id. at *2-3. The court rejected Clark Hill’s arguments and held that the sought information and documents were not privileged.
The Work Product Doctrine
Under the work product doctrine, “[o]rdinarily, a party may not discover documents and tangible things that are prepared in anticipation of litigation . . . by or for another party or its representative (including the other party's attorney, consultant, . . . or agent).” Fed. R. Civ. Pro. 26(b)(3)(A). To determine whether a document has been “prepared in anticipation of litigation,” courts in the D.C. Circuit apply the “because of” test, which requires courts to inquire “whether, in light of the nature of the document and the factual situation in the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation.” Wengui, 2021 U.S. Dist. LEXIS 5395 at *5 (emphasis in original). “Where a document would have been created in substantially similar form regardless of the litigation, it fails that test, meaning that work product protection is not available.” Id. (internal quotes omitted). Thus, “the privilege has no applicability to documents prepared by lawyers in the ordinary course of business or for other non-litigation purposes.” Id.
In rejecting arguments that the Duff & Phelps Report was protected by the work product doctrine, the court determined that the report had non-litigation purposes, namely to inform Clark Hill of various aspects of the attack and its remediation, thereby making the report one prepared in the firm’s ordinary course of business. The court explained:
For many organizations, surely among them law firms that handle sensitive materials, discovering how a cyber breach occurred is a necessary business function regardless of litigation or regulatory inquiries. There is a need to conduct an investigation . . . in order to figure out the problem that allowed the breach to occur so that the organization can solve that problem and ensure such a breach cannot happen again.…. It is therefore more likely than not, if not highly likely, that Clark Hill would have conducted [an] investigation into the attack’s cause, nature, and effect irrespective of the prospect of litigation.
Id. at *6-7(internal brackets and quotation marks omitted). Because the report summarized the investigation’s findings, the court concluded that “substantially the same [document] would have been prepared in any event . . . as part of the ordinary course of [Defendant’s] business.” Id. at *7. Additional factors that led the court to determine that the work product doctrine did not apply included:
- The Report was shared not just with in-house and outside counsel, but also with “select members of Clark Hill’s leadership and IT team,” suggesting that the Report was used to help manage issues beyond potential litigation.
- Clark Hill shared the report with the FBI as part of the FBI's investigation of the cyber incident, suggesting that the report “was the one place where [Defendant] recorded the facts” of what had transpired.
- The Report itself revealed other parties with whom Duff & Phelps worked to help Clark Hill respond to and manage the cyber incident in non-litigation purposes.
- The Report provided remediation advice and showed that Duff & Phelps had been retained to respond to and stop the attack.
According to the court, “[t]he fact that ‘the [R]eport was used for a range of non-litigation purposes’ reinforces the notion that it cannot be fairly described as prepared in anticipation of litigation.” Id. at *12.
The court also rejected the existence of a two-track investigation of the incident, one track of the investigation conducted by eSentire to determine the facts of the cyberattack, and one track to assist outside counsel in anticipation of litigation. Id. at *7. For one reason, two days after discovery of the attack, Clark Hill had retained Duff & Phelps to take charge of the investigation “instead of, rather than separate from or in addition to, eSentire, to do the necessary investigative work.” Id. at *10 (emphasis in original). Second, the multiple non-litigation aspects of the Duff & Phelps report evinced purposes for the investigation and report well beyond assisting counsel to prepare for litigation. Id. at *12.
Finally, the court rejected the contention that the Duff & Phelps Report fell within attorney-client privilege protections. While counsel may retain non-lawyers to assist in the rendering of legal advice, if advice sought by such consultants is not legal in nature, the attorney-client privilege does not apply. Id. at *16. Here, the remedial aspects of the Duff & Phelps Report, and the full scope of the report, demonstrated that Clark Hill used the report to obtain advice on how to respond to and remediate the cyberattack, and not legal advice. The court explained:
Duff & Phelps undertook a full investigation — the only one apparently commissioned by Clark Hill — with the goal of determining how the attack happened and what information was exfiltrated. The Report provides not only a summary of the firm's findings, but also pages of specific recommendations on how Clark Hill should tighten its cybersecurity. And it was shared with both Clark Hill IT staff and the FBI, presumably with an eye toward facilitating both entities' further efforts at investigation and remediation.
Id. at *16. (Because the court found that the Report was not privileged, it did not address whether providing a copy to the FBI waived such privilege.) According to the court, Clark Hill’s own discovery responses, namely that its “understanding” of the incident was based solely on the advice of outside counsel and the report, further evinced that the report’s purposes extended beyond litigation to the firm’s operations and business.
What this case means
When a forensics team is retained to investigate (and produce) a report, counsel and the client alike should assume that the report will not be privileged. Further, while retaining separate forensics firms to produce separate reports may strengthen a privilege argument over one of the reports – and we have written about that here – setting up such dual-purposed investigations must be substantive. What will the report address? How will it be used? Who will review it? These questions, among other issues, must be addressed and answered in the beginning in order to provide a company and counsel an ability to advance a strong legal argument that a forensic report is protected from discovery.
If you have questions or would like further information, please contact Joshua A. Mooney (firstname.lastname@example.org; 215.864.6345).