Court Chips Away at Privilege Protections for Cyber Forensic Reports

by Jim Pastore, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Corey Goldstein, and Mengyi Xu

On January 12, Judge James Boasberg of the U.S. District Court for the District of Columbia granted plaintiff Guo Wengui’s motion to compel production of a report (the “Report”) —and related materials—prepared by forensic vendor Duff & Phelps in Guo’s lawsuit against the law firm that formerly represented him, Clark Hill, PLC (the “Firm”). See Wengui v. Clark Hill, PLC, No. 19-cv-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021). The court rejected claims the Report was protected by the work-product doctrine and attorney-client privilege.

Attorney Work Product

The Firm principally argued that the work-product doctrine applied because it had conducted a two-track investigation into the breach: a non-privileged track led by cybersecurity vendor eSentire, supervised by the Firm, and a privileged track led by Duff & Phelps at the direction of the Firm’s outside cybersecurity counsel. In rejecting that argument, the court distinguished In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384 (D. Minn. Oct. 23, 2015), where the court held an investigative report privileged in part because Target conducted such a two-track investigation.  Here, the court noted:

  • There was no sworn statement averring that eSentire conducted a separate investigation with the purpose of learning how the breach happened or facilitating the Firm’s response;
  • eSentire did not produce any investigative findings, much less a comprehensive investigative report;
  • in an interrogatory response, the Firm claimed that its understanding of the breach derived “solely” from the work of Duff & Phelps without mentioning eSentire at all; and
  • the Report was distributed not just to legal counsel, but also to IT personnel and executives at the Firm, as well as to the FBI, thereby demonstrating that the Report was used for a “range of non-litigation purposes.”

Attorney-Client Privilege

As to attorney-client privilege, the court held that the Kovel doctrine —which can bring certain vendor reports (for example, those prepared by forensic accountants assisting counsel) under the protection of attorney-client privilege—must be narrowly construed.  In rejecting the application of Kovel, the court noted the Report contained “not only a summary of the firm’s findings, but also pages of specific recommendations on how [the Firm] should tighten its cybersecurity.” Once again distinguishing the Target decision, the court found that (1) here, the Firm did not conduct a true “two-track” investigation; (2) the Report was shared with a wider audience than legal personnel, indicating its purpose went beyond obtaining legal advice; and (3) the Report contained remediation recommendations whereas the report in Target did not, underscoring that the Report was not prepared for the purpose of allowing outside counsel to provide legal advice.

Key Takeaways

  • This decision continues a recent trend of courts finding that, in certain circumstances, forensic cybersecurity reports are not protected by privilege.
  • Other cases have noted that the vendor had a pre-existing relationship with the company, and such pre-existing relationship was a factor in rendering work product protection inapplicable. Here, however, the court made no mention of any pre-existing relationship between Duff & Phelps and the Firm.
  • If the privilege claim is supported by a two-track investigation, the evidence must demonstrate that a two-track investigation took place. To that end, companies should consider having separate reports prepared by both the privileged and non-privileged investigations, or consider having no reports prepared at all.
  • But even if a report is not prepared, the holding in Wengui v. Clark Hill, PLC suggests that materials prepared by the vendor might nonetheless be subject to discovery.  
  • Carefully consider how and with whom to share the privileged report. Sending a forensic report to a wide group of people in addition to in-house counsel can result in the report not being privileged.
  • Consider separating recommendations from investigative findings.
  • Although there will still be circumstances where a vendor’s cyber report will clearly be covered by the both work-product doctrine and attorney-client privilege, this decision does appear to narrow the path for such protections going forward.
  • Accordingly, such reports should be drafted with the understanding that privilege claims may not succeed.

Jim Pastore, Luke Dembosky, Jeremy Feigelson, and Avi Gesser are partners, and Corey Goldstein and Mengyi Xu are associates, at Debevoise & Plimpton LLP. The authors would like to thank Katharine Witteman for her contribution to this post. This post originally was published on the Debevoise Data Blog

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.

Share this post:

Share on LinkedInShare on Reddit