Once upon a time, when outside counsel hired a forensics firm to prepare a post-data breach report, the contents of that report remained confidential under the work product doctrine or attorney-client privilege. In the wake of recent court decisions, however, the story has taken an unexpected twist.
Spoiler alert: Happy endings are favoring plaintiffs.
Cyber incidents are no longer a question of if, but when. Prudence dictates that companies prepare for (and mitigate the potential effects of) an eventual cyberattack with the help of cybersecurity experts. These experts are integral to any post-breach investigation and remediation.
The expert’s report, however, may reveal deficiencies in a company’s cyber defenses, which in turn may provide ammunition for plaintiffs’ counsel in ensuing litigation.
Since companies subjected to a breach often initiate a forensics investigation as a matter of course, courts are holding that reports summarizing the results of the investigation would have been prepared in substantially the same form regardless of any litigation; they are therefore not "prepared in anticipation of litigation" and not shielded from discovery as work product under Fed. R. Civ. P. 26(b)(3).
What Does the Contract Say?
Notably, courts are examining the terms of the contract underlying the investigation as part of their assessment of whether a given report was prepared in anticipation of litigation.
Most recently, for example, the Middle District of Pennsylvania held that a report was not privileged based on the terms of the statement of work (SOW). According to the SOW, the forensics firm was hired “to determine whether unauthorized activity … resulted in the compromise of sensitive data,” and, if so, “to determine the scope of such a compromise.” Such language, said the court, demonstrated that the defendant did not have “a unilateral belief that litigation would result” because the defendant did not yet know whether a breach had occurred (In re Rutter’s Data Sec. Breach Litig., 2021 BL 275161 (M.D. Pa. 2021)).
While some companies may be tempted to amend an existing SOW by adding language such as “under the direction of Counsel,” such an amendment, in and of itself, is unlikely to shield the report from disclosure. If the underlying list of deliverables focuses on business purposes―including items like incident response support, digital forensics support, and advanced threat actor support―an addendum referring to counsel will not alone transform the report into attorney work-product. See, for example, In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190 (E.D. Va. 2019) and In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230 (D. Or. 2017).
Michelle Visser, a partner with Orrick Herrington & Sutcliffe LLP, told me that if a report is being prepared at the direction of counsel, it would make sense for the report itself to describe how counsel will use it. “Adding a short introduction that explains―at least at a high level―how counsel intends to use the report is one way to strengthen your argument in a later privilege dispute,” Visser said.
Who’s Paying for the Report?
Beyond the text of the underlying contract, courts have also taken into account who’s paying the freight. If payments to the forensics firm are classified as business expenses rather than legal expenses, the court may be less inclined to find that the report was prepared in anticipation of litigation.
In a case from the Eastern District of Virginia, the court examined a long-standing relationship between Capital One and Mandiant for incident response services. Payments to Mandiant were originally classified as “business critical” expenses, which included a retainer that entitled Capital One to 285 hours of services from Mandiant (In re Capital One Consumer Data Sec. Breach Litig., 2020 BL 195019 (E.D. Va. 2020)).
After Capital One suffered a breach, the company hired outside counsel, who in turn hired Mandiant to investigate the breach, but the parties’ letter agreement included the same payment terms as set forth in the preexisting agreement with Capital One. That meant that Mandiant was initially paid out of the retainer. Only after the retainer was exhausted were Mandiant’s services re-designated as legal expenses.
The court held that Mandiant’s report was not protected work product, finding it “significant” that Mandiant was paid from the “business critical” retainer.
In hindsight, Capital One might have been better off had counsel hired a different cybersecurity firm following the breach. However, for companies wishing to use the same trusted partner, Visser noted that there are ways to structure the contract to reduce the risk that the pre-existing agreement may be used to defeat a privilege claim.
How Is the Report Being Used?
If forensic reports are put to non-litigation uses, such as guiding remediation or briefing management, courts are unlikely to accept that the reports were prepared because of anticipated litigation rather than for the ordinary business of responding to the incident.
In Wengui v. Clark Hill, PLC, 338 F.R.D. 7 (D.D.C. 2021), outside litigation counsel had hired a cybersecurity firm to assist in their representation of Clark Hill, but the forensics report was shared with members of Clark Hill’s leadership and IT team to assist with their management of various “issues.” The report was also shared with the FBI as part of that agency’s separate criminal investigation. Given the range of non-litigation uses, the court concluded that the report was not prepared in anticipation of litigation.
Nor was it protected by the attorney-client privilege, which can attach to reports of third parties made at the request of an attorney. According to the court, the true objective of the report was to glean the firm’s expertise in cybersecurity, not legal advice. Indeed, the report itself contained specific recommendations on how Clark Hill should tighten its cybersecurity measures.
What Is Your Likelihood of Litigation?
Notwithstanding the prevalence of data breach lawsuits, not every cyber incident amounts to a “breach” triggering notice obligations under state law and class action complaints from plaintiffs’ counsel. So privilege is not always an issue.
Still, it’s best to adopt simple practices—like revising the terms of vendor contracts and establishing protocols for the sharing of investigative reports—to help secure a happy ending for your client in the event of a discovery dispute.