On January 12, Judge James Boasberg of the U.S. District Court for the District of Columbia granted plaintiff Guo Wengui’s motion to compel production of a report (the “Report”)—and related materials—prepared by forensic vendor Duff & Phelps in Guo’s lawsuit against the law firm that formerly represented him, Clark Hill, PLC (the “Firm”).  See Wengui v. Clark Hill, PLC, No. 19-cv-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021).  The court rejected claims the Report was protected by the work-product doctrine and attorney-client privilege.

Attorney Work Product

The Firm principally argued that the work-product doctrine applied because it had conducted a two-track investigation into the breach: a non-privileged track led by cybersecurity vendor eSentire, supervised by the Firm, and a privileged track led by Duff & Phelps at the direction of the Firm’s outside cybersecurity counsel.  In rejecting that argument, the court distinguished In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384 (D. Minn. Oct. 23, 2015), where the court held an investigative report privileged in part because Target conducted such a two-track investigation.  Here, the court noted:

  • There was no sworn statement averring that eSentire conducted a separate investigation with the purpose of learning how the breach happened or facilitating the Firm’s response;
  • eSentire did not produce any investigative findings, much less a comprehensive investigative report;
  • in an interrogatory response, the Firm claimed that its understanding of the breach derived “solely” from the work of Duff & Phelps without mentioning eSentire at all; and
  • the Report was distributed not just to legal counsel, but also to IT personnel and executives at the Firm, as well as to the FBI, thereby demonstrating that the Report was used for a “range of non-litigation purposes.”

Attorney-Client Privilege

As to attorney-client privilege, the court held that the Kovel doctrine—which can bring certain vendor reports (for example, those prepared by forensic accountants assisting counsel) under the protection of attorney-client privilege—must be narrowly construed.  In rejecting the application of Kovel, the court noted the Report contained “not only a summary of the firm’s findings, but also pages of specific recommendations on how [the Firm] should tighten its cybersecurity.”  Once again distinguishing the Target decision, the court found that (1) here, the Firm did not conduct a true “two-track” investigation; (2) the Report was shared with a wider audience than legal personnel, indicating its purpose went beyond obtaining legal advice; and (3) the Report contained remediation recommendations whereas the report in Target did not, underscoring that the Report was not prepared for the purpose of allowing outside counsel to provide legal advice.

Key Takeaways

  • This decision continues a recent trend of courts finding that, in certain circumstances, forensic cybersecurity reports are not protected by privilege.
  • Other cases have noted that the vendor had a pre-existing relationship with the company, and such pre-existing relationship was a factor in rendering work product protection inapplicable. Here, however, the court made no mention of any pre-existing relationship between Duff & Phelps and the Firm.
  • If the privilege claim is supported by a two-track investigation, the evidence must demonstrate that a two-track investigation took place. To that end, companies should consider having separate reports prepared by both the privileged and non-privileged investigations, or consider having no reports prepared at all.
  • But even if a report is not prepared, the holding in Wengui v. Clark Hill, PLC suggests that materials prepared by the vendor might nonetheless be subject to discovery.
  • Carefully consider how and with whom to share the privileged report. Sending a forensic report to a wide group of people in addition to in-house counsel can result in the report not being privileged.
  • Consider separating recommendations from investigative findings.
  • Although there will still be circumstances where a vendor’s cyber report will clearly be covered by the both work-product doctrine and attorney-client privilege, this decision does appear to narrow the path for such protections going forward.
  • Accordingly, such reports should be drafted with the understanding that privilege claims may not succeed.

***

To subscribe to the Data Blog, please click here.

The authors would like to thank Debevoise law clerk Katharine Witteman for her contribution to this article.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and artificial intelligence risks. He can be reached at agesser@debevoise.com.

Author

Corey Goldstein is an associate in Debevoise's Litigation Department. He can be reached at cjgoldst@debevoise.com.

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a member of the firm’s Data Strategy & Security practice. Her cybersecurity and data privacy practice focuses on compliance design, incident preparation and response, and regulatory notification. She can be reached at mxu@debevoise.com