
June 24, 2021 - It has become increasingly difficult for companies to protect forensic reports prepared in connection with a data breach. Despite their sensitive nature, plaintiffs' attorneys frequently seek to obtain these reports in cyber-related litigation as they can often provide a road map for their claims.

This article examines recent developments in case law addressing claims of privilege over forensic reports and provides some best practices you can follow to protect them from production in cyber-related litigation.

One of the more recent decisions addressing the attorney-client privilege and work product protections regarding forensic reports is Guo Wengui v. Clark Hill, PLC out of the U.S. District Court for the District of Columbia.

The law firm Clark Hill experienced a data breach in 2017. In responding to the incident, Clark Hill engaged its regular cybersecurity firm to perform an investigation. The work under that engagement was classified as being for "business continuity."

A few days later, Clark Hill also retained outside counsel, which engaged an independent forensic company, Duff & Phelps, to perform an investigation and specifically noted that the purpose of the investigation was to assist the firm in providing legal advice.

Clark Hill was sued by one of its clients, Guo Wengui, whose information was involved in the incident. During discovery, the plaintiff requested copies of all reports from the forensic investigation. Clark Hill produced some documents from the cybersecurity firm that it retained, but did not produce any reports from Duff & Phelps, claiming that those were protected by the attorney-client privilege or were work product.

Following discovery motions, on Jan. 12, 2021, the court ordered Clark Hill to produce the forensic report prepared by Duff & Phelps at the direction of litigation counsel.

In rejecting Clark Hill's privilege claims, the court held that the report was not work product because it was prepared to assist in providing "cybersecurity advice" rather than "legal advice". Specifically, the court found that the report was not protected by the work product doctrine because it was not prepared "because of" litigation and would have been created irrespective of the case.

When the court looked at the engagements between the forensic company retained by Clark Hill directly and Duff & Phelps, which was retained by outside counsel, the court concluded that the Duff & Phelps report was prepared instead of, rather than in addition to, the work performed by the first forensic company, and therefore was not protected.

The other distinguishing factor that the court considered was the fact that the report was shared with a broad audience that included in-house leadership, the IT team, and the FBI. The court said that sharing this report with these audiences constituted non-litigation uses and demonstrated that the report was not prepared because of litigation.

A second important opinion in this context came from the U.S. District Court for the Eastern District of Virginia, which was overseeing multi-district litigation following the 2019 Capital One data breach. There, Capital One had a master services agreement with Mandiant several years before the data incident in question to which it kept adding statements of work (SOW) during the course of the relationship. Just prior to the data incident, Capital One entered into an SOW with Mandiant to perform "incident response services."

A few months later, Capital One suffered a data breach that impacted over 100 million customers. In responding to the incident, Capital One's outside counsel created a three-party agreement with Capital One and Mandiant. The three-party agreement included the same scope of work that was included in the original agreement between Capital One and Mandiant. Mandiant ultimately prepared a report from its investigation.

A lawsuit was filed against Capital One, and plaintiff's counsel sought production of the Mandiant report. Capital One claimed that the report was protected by the attorney-client privilege and/or work product. Ultimately, the judge rejected Capital One's privilege claims and ordered Capital One to produce the report.

In reaching this decision, the court reasoned that the work performed under the three-party agreement with counsel was exactly the same as the work that would have been performed for Capital One, and therefore, wasn't done in anticipation of litigation.

The court also closely examined the fees paid by Capital One, noting that Capital One designated the fees paid to Mandiant as "business critical" and paid it out of the cyber team's budget rather than out of the legal budget. Therefore, the court concluded that it wasn't considered a legal expense by Capital One.

Finally, the court found that Capital One shared the report internally with as many as 50 employees, four regulators, auditors, and an accounting firm, and didn't place any restrictions on further sharing the report. The court held that sharing the report so broadly indicated that Capital One never intended the report to be privileged, but rather used it for normal business purposes.

These recent decisions follow numerous similar decisions in recent years that have chipped away at preserving privilege over forensic reports and highlight how fragile the attorney-client privilege and work product protections can be.

In light of these decisions, companies, vendors, and attorneys need to reconsider how they structure and prepare forensic reports in connection with data incidents to ensure privilege is preserved to the fullest extent possible.

To best ensure a forensic report will be protected by attorney-client privilege or the work-product doctrine, companies, vendors, and attorneys should consider the following best practices when preparing forensic reports in connection with data incidents:

• Outside counsel should engage vendor(s) on your behalf — Outside counsel should engage the vendor to perform the post-breach litigation investigation, direct all investigation activity, and sign the initial engagement agreement.

• Consider multiple cybersecurity vendors — Using one vendor for mitigation and another in preparation for litigation can buttress arguments that the latter is privileged.

• Consider engaging a forensic company that is not your IT vendor — Special engagements assist in demonstrating that work is not done in the ordinary course of business. Additionally, consider excluding incident response services from your standard engagements with IT service providers.

• Create two separate reports — Investigation teams should create two separate reports, one reflecting a post-breach mitigation investigation and one reflecting a post-breach analysis in preparation for litigation.

• Avoid putting analysis into the mitigation report — When preparing the non-privileged mitigation investigation report, attorneys and companies should ensure that no analysis or interpretation is included in the report. This report should reflect facts and technical information only, reserving all analysis, subjective opinions, and legal/technical recommendations and discussions. Conversations about next steps, effects of the breach, and characterizations of the attack that may occur during the investigation should be held orally until findings are solidified, at which point such findings should be presented either within the legal investigation report or within a privileged attorney letter.

• Restrict access to the reports — Avoid sharing the legal investigation report to the fullest extent possible. Consider only sharing the investigative report on a "need to know" basis. Others outside of the legal investigation, such as vendors, regulators, or auditors, should be provided only the non-privileged report. Sharing only the non-privileged report in this manner will help demonstrate that the investigative report was created for purposes of litigation and not for regulatory or business purposes.

In this complex and evolving area, advanced planning is critical to being able to support attorney-client privilege claims when litigation arises. Involving experienced outside counsel at the outset can assist you in structuring your incident response plan and vendor engagements to maximize your privilege claims.

