In Wengui v. Clark Hill, PLC, Judge Boasberg of the District Court for the District of Columbia granted the plaintiff’s motion to compel the defendant to produce a report and additional materials associated with a cyberattack. In its ruling, the court emphasized that materials that would otherwise be created in the ordinary course of business, irrespective of litigation, or that are shared with third parties for non-legal purposes, may fail to enjoy work product privilege. Furthermore, the court emphasized that the attorney-client privilege may not apply to third-party reports requested by a client when they are not truly requested for the purposes of obtaining legal advice from the client’s lawyer.

The issue in this case was whether materials requested by the plaintiff in discovery were subject to either the work-product or attorney-client privileges. The court held that neither the Duff & Phelps report – a report that summarized the findings of the investigation into the cyberattack – nor additional information relating to entities or individuals, other than the plaintiff, who may have also been impacted by the cyberattack were subject to the work-product or attorney-client privileges.

Under the work-product privilege, a document is privileged if it is “prepared in anticipation of litigation.” The court held that the Duff & Phelps report did not qualify for work-product privilege protection as the report was used for a “range of non-litigation purposes.” The defendant contended that it requested the report from its outside counsel to assist in the “prepar[ation] for litigation stemming from the attack,” and emphasized that the report, in conjunction with the work eSentire conducted “to investigate and remediate the attack,” was part of a “two-tracked investigation of the incident.” More specifically, the defendant argued that eSentire was retained to conduct an “ordinary-course investigation” into the causes of the cyberattack which “did not result in protected work product.” The defendant further argued that Duff & Phelps was retained as a “separate team” on a “separate track” to prepare a report “inform[ing] [its] counsel about the breach so that [they] could provide . . . legal advice and prepare to defend the company in litigation.”

The court found scant evidence in the record that eSentire conducted a separate investigation into the cyberattack, and therefore was not convinced that the defendant met its burden of showing the work-product privilege applied to the report. To the contrary, the court reasoned that the record indicated that the Duff & Phelps report was prepared “instead of, rather than separate from or in addition to, eSentire[’s] [investigatory work].” After in camera review, the court was not persuaded that the report “would [not] have been created in the ordinary course of business irrespective of litigation,” finding scant evidence in the record to support defendant’s contention of a “two-tracked investigation.” Indeed, the court highlighted defendant’s interrogatory answer providing that “[defendant’s] understanding of the progression of the September 12, 2017 cyber-incident is based solely on the advice of outside counsel and consultants retained by outside counsel.” Furthermore, the court noted the fact that the report was shared with both the FBI, as part of its investigation into the cyber-attack, and “select members of [defendant’s] leadership and IT team,” undermining the notion that the report was prepared only in anticipation of litigation.

Under the attorney-client privilege, a communication between an attorney and client is privileged if the communication “was made for the purposes of obtaining or providing legal advice to the client.” The court held that neither the Duff & Phelps report nor the additional materials containing information on individuals qualified for attorney-client privilege protection.

First, regarding the report, the defendant contended that the privilege could also “attach[] to reports of third parties made at the request of the attorney or the client where the purposes of the report was to put in useable form information obtained from the client” under precedent set in United States v. Kovel. However, the court reasoned that the holding should be interpreted narrowly, noting that even in Kovel the court stated that “‘if the advice sought [by the client] is the accountant’s rather than the lawyer’s, no privilege exists’ over the accountant’s report.” Therefore, the court reasoned that as “[defendant’s] true objective was gleaning [Duff & Phelps’] expertise in cybersecurity, not in ‘obtaining legal advice from [its] lawyer,’” the report was not privileged. The court specifically took note of the fact that the Duff & Phelps report “include[d] pages of specific remediation advice.”

Second, regarding the materials containing information on individuals other than the plaintiff, the court reasoned that while the defendant could redact necessary information to “safeguard the identity of [defendant’s] clients and any of their confidences,” it must subsequently produce the materials to the plaintiff, as the discovery request from the plaintiff was both “relevant” and “proportional to the needs of the case.”

Accordingly, the court granted the plaintiff’s motion to compel.

Despite this ruling, the law remains unsettled on when the attorney-client privilege and work product doctrine apply to incident response forensics. One thing is becoming clear – courts are not providing protection where investigating a breach and addressing any discovered vulnerabilities is considered a business issue. Thus, clear demarcation of roles and workflow between privileged and non-privileged actions is essential. Businesses should do their best to establish the attorney-client privilege and work product doctrine but proceed as if those protections may not apply. Below are a few key takeaways for organizations looking to improve their incident response function based on the lessons learned from this case:

  • Do not assume that engaging outside counsel to assist with forensic efforts will automatically shield your incident response efforts from prying eyes.
  • Be careful when sharing forensic reports and related materials with third parties for non-legal purposes.
  • If a two-track investigation has been set up (one privileged and one non-privileged), ensure there is sufficient documentation to evidence that position and maintain a clear demarcation of roles and workflow. To this end, organizations may want to consider omitting recommendations on how to improve cybersecurity from the privileged report, as that may be construed as more of a business issue.