In a recent opinion that provides important lessons for anyone dealing with a cyber incident, including law firms, the U.S. District Court in the District of Columbia in Wengui v. Clark Hill, PLC  2021 U.S. Dist. LEXIS 5395 (D. D.C. Cir. Jan. 12, 2021) addressed the application of the attorney client privilege and work product doctrine in the context of a data breach investigation involving a law firm. The plaintiff alleged that the law firm failed to take adequate precautions to protect his data, seeking discovery of all reports of the law firm’s forensic investigations and information regarding other clients of the law firm that were impacted by the cyberattack.

The court held that information generated in connection with an investigation of the incident was not covered by the attorney client privilege or the attorney work product doctrine, because the forensic information developed in the investigation was produced for business purposes rather than legal reasons. The court also ordered the law firm to provide documents regarding the impact on other clients of the firm, with appropriate redactions. The case provides essential lessons for anyone dealing with a cyber incident, including law firms.

Whether a forensic investigation following a data breach is protected by the attorney client privilege and the work product doctrine depends on all of the surrounding facts and circumstances. An earlier decision involving a cyber-incident at Target held that a forensic report done for legal purposes was protected. In re Target Corp. Customer Data Security Breach Litig., 2015 WL 6777384 (D. Minn. Oct. 23, 2015). In that case, Target conducted dual-track investigations: one for business purposes and one for legal purposes. In contrast, the court in Wengui ordered production of the forensic report following an in camera review, finding that the law firm’s “two-track story” had little support in the record.

The agreement between the law firm’s outside counsel and its forensic consultant described the engagement as “solely” for the purpose of litigation. However, the court determined that although the law firm hired a second separate forensic investigator, through its outside counsel, the second investigator did not complete a second investigation, but instead replaced the earlier forensic firm. In addition, the forensic report’s content, which included specific remediation advice, demonstrated that the report was “used for a range of non-litigation purposes” and was not prepared in anticipation of litigation.

The law firm’s general counsel declared under oath that the firm intended the report to be used in connection with managing any issues, including litigation, in connection with the cyber-incident. Widespread circulation of the forensic report to the firm’s management, as well as its technology teams and the FBI, showed that the report was not intended to be restricted to anticipated litigation or to obtaining advice from counsel. This undermined the firm’s argument that the report was protected by attorney client privilege.

The court also considered plaintiff’s request for information concerning the impact of other law firm clients.  The firm objected that such information was irrelevant and privileged, but the court ordered the firm to respond, with redactions to address privilege and privacy considerations.

Companies conducting a forensic investigation of a data breach incident should take note that courts will examine the surrounding circumstances when determining whether a forensic report following a data breach is protected by the work product doctrine and by attorney client privilege. Having outside counsel hire the forensic investigator is the beginning of that inquiry. Characterization of the purpose of the engagement in the contract with the forensic investigator is another important factor, but is not dispositive. The court will also examine whether there was a distinct, business-focused investigation, as well as the content and the back-end use and distribution of the report. Statements made by the company about the purpose of the investigation, including declarations regarding the reasons for and use of the work, will also factor into the court’s determination.

All of these considerations will help the court evaluate whether the company actually conducted a dual track investigation and whether the legal track report was truly meant to assist lawyers in possible litigation, or intended for business purposes.  The critical takeaway is that companies, including law firms, can indeed protect their post-breach reports from discovery in litigation using a dual track investigation, but the company must be prepared to structure their data breach investigations accordingly in order to meet their evidentiary burden.