Attorneys are generally wary of placing too much faith in the work-product doctrine, especially in view of its uneven application in different jurisdictions across the country. The risk of discoverability of third-party forensics reports following a data breach presents a prime example of this concern.
In January 2021, the District Court for the District of Columbia ordered the production of a post-breach forensics report that was prepared by a third-party investigator retained by outside counsel. [See Guo Wengui v. Clark Hill, PLC, Case No. 1:19-cv-03195, Docket No. 49, at *2 (D.D.C. Jan. 12, 2021)]. The law firm Clark Hill was hacked after it assisted a high-profile political dissident applying for asylum in the United States. After the hack, the law firm terminated representation with the client, who sued Clark Hill for the data breach and alleged malpractice.
In investigating the incident, Clark Hill used the “two-track” Experian approach (discussed below): Its usual cybersecurity vendor conducted an investigation and outside counsel retained a separate forensics investigator, Duff & Phelps. However, the facts suggested that the cybersecurity vendor discontinued its investigation after Duff & Phelps was retained.
Because the Duff & Phelps report was shared with high-ranking members of Clark Hill, its in-house counsel, part of the Clark Hill information technology team, and the FBI, the district court concluded that the Duff & Phelps post-breach report was not protected work product. Notably, Clark Hill represented that its understanding of the breach was “based solely on the advice of outside counsel and consultants retained by outside counsel.” Nonetheless, the district court determined that the two-track investigative approach employed by Clark Hill was an insufficient shield that did not trigger the protection of the work-product doctrine.
Generally speaking, the law provides that documents and tangible things prepared in anticipation of litigation may not be discoverable. Many jurisdictions have interpreted this rule to mean that documents prepared because of litigation may not be discovered. In order to address this issue, courts typically ask whether the document would have been substantially similar in form if it were not produced under the prospect of litigation. For example:
• The court in Sandra T.E. v. Berwyn Sch. Dist. 100, 600 F.3d 612, 622 (7th Cir. 2010) stated that “there is a distinction between precautionary documents ‘developed in the ordinary course of business’ for the ‘remote prospect of litigation’ and documents prepared because ‘some articulable claim, likely to lead to litigation, has arisen.’” [Quoting Logan v. Commercial Union Ins. Co., 96 F.3d 971, 976-77 (7th Cir. 1996)].
• In In re Grand Jury Subpoena, 357 F.3d 900, 908 (9th Cir. 2004), the court stated that “[t]he ‘because of’ standard does not consider whether litigation was a primary or secondary motive behind the creation of a document. Rather, it considers the totality of the circumstances and affords protection when it can fairly be said that the ‘document was created because of anticipated litigation, and would not have been created in substantially similar form but for the prospect of that litigation[.]’” [Quoting United States v. Adlman, 134 F.3d 1194 (2d Cir. 1998)].
• In Nat’l Union Fire Ins. Co. of Pittsburgh, Pa. v. Murray Sheet Metal Co., 967 F.2d 980, 984 (4th Cir. 1992), the court stated that “[t]he document must be prepared because of the prospect of litigation when the preparer faces an actual claim or a potential claim following an actual event or series of events that reasonably could result in litigation. Thus, we have held that materials prepared in the ordinary course of business or pursuant to regulatory requirements or for other non-litigation purposes are not documents prepared in anticipation of litigation within the meaning of Rule 26(b)(3).”
Interpretations in Various Jurisdictions
While the Clark Hill case is the latest example of a legal decision in this area, there are still many jurisdictions that have yet to address the issue. Those that have addressed it, such as the 7th Circuit, rely heavily upon interpreting the “in anticipation of litigation” standard and recognize that the occurrence of litigation does not afford protection to investigative reports prepared in the regular course of business. This view is based on:
• Hollinger Int’l Inc. v. Hollinger Inc., 230 F.R.D. 508, 512 (N.D. Ill. 2005), which held that a transaction report prepared by a special committee was protected work product because the report was prepared in anticipation of litigation after the company received letters and SEC filings.
• EFCG, Inc. v. AEC Advisors, LLC, 2020 U.S. Dist. LEXIS 203175 (S.D.N.Y. Oct. 30, 2020), which held that some emails from a long-standing IT company were not protected work product because they were not in connection with the legal forensic work, and that other emails from the same company were properly redacted to protect work performed in anticipation of litigation.
• Total RX Care, LLC v. Great Northern Ins. Co., 318 F.R.D. 587, 602 (N.D. Tex. 2017), which held that Great Northern had not met its burden in asserting that 20 documents were prepared in anticipation of litigation and thus compelled the production of those documents.
It is, of course, likely that these jurisdictions will consider other district court opinions when this issue arises. The Eastern District of Virginia issued its opinion last year. In that case, Capital One had the foresight to retain a digital forensics investigator, Mandiant, for “incident response services.” In the event of a data breach, Mandiant would investigate and prepare a data-breach report. In In re Capital One Consumer Data Sec. Breach Litig., 2020 U.S. Dist. LEXIS 91736, Capital One was sued following a 2019 data breach. In light of Capital One’s pre-existing contract with Mandiant to provide breach-response services, Capital One’s outside counsel entered into an agreement with Mandiant to honor its contract with Capital One. In an effort to trigger the protection of the work-product doctrine, outside counsel required Mandiant to complete its work at the direction of counsel, and Mandiant was required to provide its report directly to outside counsel. Outside counsel later sent the report to Capital One, under the protection of the attorney-client privilege.
Despite these efforts by outside counsel, the magistrate judge determined that the report was not protected by the work-product doctrine because the report could have been prepared and would have been substantially the same regardless of litigation. The magistrate judge emphasized that there was a long-standing relationship between Mandiant and Capital One, and that this relationship was not formed due to the threat of litigation.
The magistrate further highlighted the fact that Mandiant’s incident-response services were critical for business operations and regulation, and therefore more germane to Capital One’s business interests than the legal consequences of a data breach. However, while the work-product doctrine did not protect Mandiant’s final report, any communications concerning the generation of that report were not discoverable. The magistrate judge’s order was upheld on review.
Alternatively, in a case involving similar facts and the same forensic investigator, the Central District of California concluded that a data-breach report was protected by the work-product doctrine. In In re Experian Data Breach Litig., 2017 U.S. Dist. LEXIS 162891, at *23 (C.D. Cal. May 18, 2017), Experian contracted with Mandiant to prepare a security report that was unrelated to a data-breach incident. Experian subsequently directed its outside counsel to hire Mandiant to prepare a breach report following a 2015 data breach, and the district court concluded that this report was protected by the work-product doctrine.
Mandiant’s 2015 report was never given to Experian, which prevented Experian from using that report for business or regulatory purposes unrelated to litigation. So, in order for the Experian approach to work, the investigator’s post-breach report should not be produced to the company that is victimized by the data breach.
The District of Oregon declined to afford protection to such reports. In In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230, 1245-46 (D. Or. 2017), Premera contracted with Mandiant to inspect its data management system. During the course of the inspection, Mandiant discovered malware in the system. Premera converted its existing agreement to require that Mandiant report directly to outside counsel. The district court focused on the fact that the scope of Mandiant’s work did not change after discovery of the data breach. The district court required production of the report but clarified that any sections related to communication with the outside counsel in anticipation of litigation may be redacted.
In light of the case law in this area, there are steps that counsel can take in an attempt to maximize the likelihood that the work-product doctrine will afford protection to forensics reports. For example, while a corporation may identify a forensics investigator prior to a breach, it is advisable to wait until after a breach—when litigation is reasonably anticipated—to formally engage that investigator. A corporation may also choose, following a breach, to use a forensics investigator that is different from the company retained to provide pre-breach consulting services.
In the event of a breach, a corporation should require its outside counsel to retain and direct the investigator, and, if possible, the investigator’s report should not be shared with the victimized corporation to avoid the possibility that the report will be used for business or regulatory purposes. While there is certainly no guarantee that the work-product doctrine will protect the report in the event of litigation, these steps should help increase the likelihood of protection.