Forensic Analysis and Privilege in the Wake of a Data Breach
In the wake of a data breach, counsel will often require the assistance of a forensic firm in order to provide legal advice to their client. The forensic analysis—which is often memorialized in a report to counsel—is crucial for counsel in understanding what occurred and formulating legal strategy relating to potential litigation and breach notification issues. For the same reasons, details of those forensic analyses and any related investigative reports are very likely to be the subject of a discovery request from plaintiffs if and when litigation ensues. Indeed, the requests for such reports are frequently a flashpoint in litigation that can determine the strength or weakness of the plaintiff’s case. Defendants typically object to producing these reports on the grounds that they fall under the attorney-client privilege and work-product protection.
In the years since 2015—when Target successfully shielded one such report from disclosure in litigation (by retaining two separate forensic firms to prepare a non-privileged report for the company and a privileged report for counsel, respectively)—a body of law has begun to emerge on the question of when a forensic report is privileged and when it is fair game for civil discovery. But this fact-intensive question is far from settled, and over the past year, a handful of new decisions suggest the landscape has become more challenging for defendants. This post summarizes these recent developments and highlights key factors courts tend to consider when determining whether a forensic report should be considered privileged.
Recent Case Law: Capital One and Clark Hill
In late May 2020, a magistrate judge in the Eastern District of Virginia held that a breach report prepared by Mandiant (a digital forensic investigator, among other things) in response to the Capital One data breach was not protected by the work product doctrine. The court concluded that the report was not prepared “because of litigation”—the governing standard in the Fourth Circuit. The court reasoned that, even without the threat of litigation, Capital One would have “called upon Mandiant to perform” the same services and “prepare a [substantially similar] written report.” Critically, the court found that (1) Capital One had a long-standing and pre-existing agreement with Mandiant to provide incident response services and (2) Mandiant’s investigation “was significant for regulatory and business reasons.” Even though Mandiant’s work was done “at the direction of outside counsel” and “was initially delivered to outside counsel,” its contents were disclosed to Capital One’s auditor, dozens of business personnel, and four of Capital One’s regulators. Accordingly, the court rejected Capital One’s argument that the report was protected from discovery.
More recently, in January 2021, the District Court of the District of Columbia rejected a defendant’s claim of work-product protection over a forensic report where the defendant attempted to use a “two-track” approach similar to the one taken by Target. 2021 U.S. Dist. LEXIS 5395 (D. D.C. January 12, 2021). In Wengui v. Clark Hill, the court ordered a defendant law firm to turn over a report produced by the forensic firm Duff & Phelps, which had been engaged by the law firm’s outside counsel in the wake of a cyber incident, finding that the defendant had not met its burden to show that the report would not have been “created in the ordinary course of business irrespective of litigation” and therefore was not attorney work product. Unlike in Capital One, the defendant law firm argued that it had followed the same two-track approach which had allowed Target to successfully withhold its forensic report from discovery in 2015. Clark Hill argued that it had, on one track, engaged its “usual” cyber security vendor, eSentire, to investigate the attack and create a report to facilitate continuity of the law firm’s operations and remediation of the breach. And at the same time, Clark Hill’s outside counsel hired Duff & Phelps to prepare the report at issue for the “sole purpose” of rendering legal advice.
The district court rejected this claim of work-product privilege, finding that Clark Hill could not substantiate this argument. Unlike Target, the court said, Clark Hill had not submitted documents showing that eSentire had actually done remedial work after the attack began. The defendant did not put in a sworn statement, as Target had done, averring that eSentire had conducted a separate “investigation” with the purpose of “learn[ing] how the breach happened” or facilitating an “appropriate” response, and the court found no evidence that eSentire ever produced any findings regarding “the problem that allowed the breach to occur” or any recommendations to “ensure such a breach [cannot] happen again.” Without explicitly disagreeing with the logic in Target, the Clark Hill court found that the report formed the sole basis of the defendant’s understanding of what occurred, that the defendant used it for purposes beyond preparing for litigation, and therefore could not shield it from discovery. The court also noted that Clark Hill’s approach "appear[ed] to [have been] designed to help shield material from disclosure."
Unlike in Capital One, the defendant in Clark Hill made a second argument—that the forensic firm’s role was to “put in usable form information obtained from the client," and thus their report fell within the Kovel doctrine, which can extend the attorney-client privilege where non-legal third parties are brought in to assist counsel. But the court rejected this argument as well, holding that the role of the forensic firm was to enable Clark Hill to obtain advice regarding cybersecurity and remedial measures, not legal advice.
Following these decisions, it is clear that whether a report will be shielded by privilege is a fact intensive inquiry and not a sure bet. In determining whether a forensic report will be deemed privileged, the court is likely to make the following inquiries, which counsel and clients should keep in mind:
- Who engaged the forensic firm—was it outside counsel, or the client itself? Did the forensic firm have a pre-existing contract with the client to provide incident response services?
- What was the purpose and scope of the forensic company’s work? Was it necessary for the lawyers to have the technical analysis in order to provide legal advice? If so, how?
- Was it necessary for the client to have the same report notwithstanding the potential for litigation?
- What other source of information—if any—formed the basis for the business’s understanding of what went wrong and allowed the business to take remedial actions?
- Who received the resulting report or analysis? Was it shared (in its entirety, or in smaller pieces) beyond the general counsel’s office with people in the business or third parties?
- What contemporaneous records were created that show the circumstances, purpose and scope of the forensic company’s work?
In response to efforts by plaintiffs to obtain the forensic report prepared following a data breach, courts are increasingly scrutinizing the circumstances surrounding the engagement of the forensic firm and the reason for the engagement. We expect litigation on this issue will increase and we will continue to follow the developments in this area.