A recent decision from the United States District Court for the District of Columbia emphasized that neither attorney-client privilege nor work product protection will shield a report provided by a third party retained by counsel where the report provides non-legal advice.**
Guo Wengui v. Clark Hill, PLC, arose from the cybersecurity breach of a law firm’s database on September 12, 2017. After confidential information about him was publicly disseminated, a client (Wengui) sued the law firm (Clark Hill) claiming that it failed to take sufficient precautions to protect his data. Immediately after learning about the breach, Clark Hill ordered an investigation into what had occurred. It employed its regular cyber security provider, eSentire, to investigate and remediate, as appropriate. The purported purpose of eSentire’s work was for “business continuity.”
Two days later, on September 14, 2017, while the breach may still have been ongoing, Clark Hill hired a law firm, Musick, Peeler & Garrett (“MP&G”), to provide legal advice relating to the incident. MP&G hired an independent cyber security firm, Duff & Phelps, to assist MP&G in providing legal advice to Clark Hill and to prepare for anticipated litigation. Duff & Phelps went on site on September 14, 2017. It ultimately produced a full investigative report which included “specific remediation advice.” The General Counsel of Clark Hill, Edward Hood, reviewed the report. Hood then shared the report with “select members of the leadership and IT team” at Clark Hill. Clark Hill also shared the report with the Federal Bureau of Investigation (“FBI”) in connection with the FBI’s investigation of the incident.
Litigation was, in fact, filed in September 2019. During the course of discovery, the client requested “all reports of [Clark Hills’s] forensic investigation into the cyberattack.” The client also served interrogatories asking Clark Hill to state the facts or reasons why the attack occurred. Clark Hill responded to the document production requests by providing (among other things) documents from eSentire. Notably, the partial production did not include any formal report or any specific findings from eSentire on the cause of the breach.
Clark Hill objected to producing other responsive documents and to answering the interrogatories, claiming that the information from Duff & Phelps was protected by the attorney-client privilege and work product protection. It maintained that its understanding of the cause of the attack came solely from the investigation performed by Duff & Phelps, which was ordered by MP&G to provide legal advice and in anticipation of litigation.
Plaintiff disagreed and filed a motion for sanctions. On January 21, 2021, the court granted the motion for sanctions, finding that the attorney-client privilege and the work product protection doctrine did not apply to the requested information.
Generally, the attorney-client privilege applies to "a confidential communication between attorney and client if that communication was made for the purpose of obtaining or providing legal advice to the client." The Duff & Phelps report was not a communication between attorney and client. Courts have recognized, however, that certain documents prepared by third parties may be covered by the privilege if the document was prepared to help facilitate the provision of legal advice by, for example, explaining technical materials or acting in the capacity of a translator. The courts have cautioned that this principle must be narrowly applied – if the advice sought by the client is really the advice of the third party, and not the lawyer, no privilege would exist.
The Wengui court readily concluded that the advice in the Duff & Phelps report was cybersecurity advice, and not legal advice, and therefore not protected by the attorney-client privilege.
Work Product Doctrine
In federal court, the work product protection doctrine shields from discovery certain materials prepared in anticipation of litigation. Under Federal Rule of Civil Procedure 26(b), "[o]rdinarily, a party may not discover documents and tangible things that are prepared in anticipation of litigation . . . by or for another party or its representative (including the other party's attorney, consultant, . . . or agent)." The Wengui court then applied the “because of” standard in order to determine whether a document was "prepared in anticipation of litigation." The "because of" test asks "whether, in light of the nature of the document and the factual situation in the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation." As the court further explained, "[w]here a document would have been created 'in substantially similar form' regardless of the litigation," it fails that test, meaning that "work product protection is not available."
The Wengui court found it “highly likely” that Clark Hill would have investigated the cause of the cybersecurity breach and steps to remediate it whether or not the firm was anticipating litigation. The court favorably cited other decisions which held that investigating a cyber breach is a necessary business function. After the court’s in camera review of the report, the court concluded that “substantially the same” document would have been prepared in the normal course of business.