Background
The Wengui case arose from a cyberattack on a law firm (the defendant). The attackers allegedly obtained and then disseminated a former client’s (the plaintiff’s) confidential information on the internet. The underlying allegations tell a dramatic story involving the plaintiff’s escape from China. The plaintiff sought the defendant’s representation in political asylum proceedings. The plaintiff warned the defendant that the defendant’s information security systems would be at risk if the defendant accepted the plaintiff’s case. Sure enough, the defendant subsequently suffered a cyberattack, allegedly the result of a retaliatory act of state-sponsored cyber espionage that resulted in the theft of the plaintiff’s personal information and subsequent dissemination of that information on the internet.
The defendant engaged outside litigation counsel to help prepare for litigation that it anticipated from the attack. Outside litigation counsel, in turn, engaged a security-consulting firm to conduct a forensic investigation. It is not clear whether the defendant’s litigation counsel was also hired to provide legal advice regarding the defendant’s rights and obligations under applicable data breach notification laws, data security laws, and contracts with third parties.
The Plaintiff’s Requests
The plaintiff requested “all reports of [the defendant’s] forensic investigation into the cyberattack.” Id. at *1 (citation omitted). The defendant refused to provide the reports, asserting attorney-client privilege and the attorney work-product protection doctrine because the security firm was allegedly hired to assist outside litigation counsel “to prepare for litigation stemming from the attack.” Id. (citation omitted).
In addition to requesting the forensic reports, the plaintiff served interrogatories seeking the defendant’s understanding of why the attack occurred. The defendant refused to provide a response on the ground that “its ‘understanding’ of the progression of the . . . incident is based solely on the advice of outside counsel and consultants retained by outside counsel” and therefore is privileged. Id. at *3 (citation omitted).
Lastly, the plaintiff sought “information or documents related to [the defendant’s] clients other than Plaintiff” who may have been affected by the cyberattack. Id. at *1 (citation omitted). The defendant argued that this information was irrelevant and privileged.
The court rejected the defendant’s attorney-client privilege and work-product protection assertions. It allowed the plaintiff to obtain everything he requested, including information about the defendant’s other clients.
Court Ruling on Work-Product Doctrine
Regarding the attorney work-product doctrine, the court ruled that the defendant failed to show that the forensic report would not have otherwise been created in the ordinary course of business irrespective of litigation. The court stated that it was “more likely than not, if not ‘highly likely[,] that [the defendant] would have conducted [an] investigation’ into the attack’s cause, nature, and effect ‘irrespective of the prospect of litigation.’” Id. at *2 (quoting United States v. ISS Marine Servs., 905 F. Supp. 2d 121, 137 (D.D.C. 2012)). The court noted that “substantially the same [document] would have been prepared in any event . . . as part of the ordinary course of [Defendant’s] business.” Id. (quoting United States v. Adlman, 134 F.3d 1194, 1204 (2d Cir. 1998)).
The defendant had argued that the forensic report was only one-half of a two-tracked investigation: on one track, the defendant’s usual cybersecurity vendor investigated and remediated the attack to preserve business continuity. The defendant did not assert privilege or work product over documents relating to that “ordinary-course investigation” work. Id. at *3 (citation omitted). On the second track, a forensic vendor was engaged by the defendant’s outside counsel for the sole purpose of gathering information necessary for outside counsel to render legal advice. It was work product created in this second track that the defendant claimed was protected by the attorney work-product doctrine.
The court rejected the defendant’s “two-track” argument. Id. Essentially the court ruled that while the defendant’s argument would be correct in theory (i.e., if, in fact, the work had been performed as the defendant described), the work was not performed that way here. In reaching that conclusion, the court noted the following:
- There was a lack of any sworn statement from the ordinary-course vendor (the first track) supporting the defendant’s assertion that the ordinary-course vendor’s investigation was performed for business continuity purposes.
- The defendant’s own interrogatory response said that “its understanding of the progression of the [attack] is based solely on the advice of outside counsel and consultants retained by outside counsel,” so how could that information have been the responsibility of the ordinary-course vendor? Id. at *3 (citation omitted).
- The ordinary-course vendor never produced any findings or a report like the one prepared by the forensic firm engaged by outside counsel.
- Perhaps most significantly, the forensic firm’s work picked up where the ordinary-course vendor’s work ended, so the two were not in fact parallel tracks.
- The defendant’s internal emails referred to the forensic firm engaged by outside counsel as “the incident response team.” Id. at *4 (citation omitted).
- The forensic firm’s report was shared with various members of the defendant’s leadership, the defendant’s IT team, and the FBI, not just in-house counsel, which demonstrated that the purpose of the report was not for outside litigation counsel’s purposes.
- The forensic firm’s report was used to assist the defendant with management of “any” issues, “including” potential litigation. Id. (citation omitted).
- Although the defendant “papered the arrangement using its attorneys,” that approach appeared to have been designed to help shield material from disclosure. Id.
It is possible that if only one or a few of these factors existed, the result may have been different, but the fact that “the [R]eport was used for a range of non-litigation purposes” reinforced the court’s determination that the document was not prepared in anticipation of litigation and therefore was not protected from discovery as attorney work product. Id. (quoting In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190, 194 (E.D. Va. 2019)).
Court Ruling on Attorney-Client Privilege
Next, the court turned to the defendant’s argument that the attorney-client privilege protected the forensic reports from discovery. Attorney-client privilege is intended to protect a confidential communication between attorney and client where the communication is made for the purpose of obtaining or providing legal advice to a client. The privilege extends to reports of third parties made at the request of the attorney or the client where the purpose of the report was to put in usable form information obtained from the client, i.e., a report by an accountant who makes a client’s tax/financial information digestible for the attorney. However, where the advice sought is the accountant’s rather than the lawyer’s, no privilege exists.
Applying those principles here, the court held that the record showed that the defendant’s true objective was gleaning the forensic firm’s expertise in cybersecurity, not obtaining legal advice from its outside counsel. The report provided detailed findings on how the defendant should tighten its cybersecurity, and the defendant shared the report with its IT staff and the FBI. Because the court decided privilege did not apply, it never reached the question of whether such privilege was waived when the defendant shared the report with the FBI.
The court ruled that the forensic report “and associated materials” were not privileged and needed to be disclosed, and the related interrogatories needed to be answered. Id. at *6.
Court Ruling on Information About Defendant’s Other Clients
Lastly, the court addressed the plaintiff’s request for production seeking all documents reflecting that the attack resulted in a third party obtaining information, data, or material regarding any client of the defendant other than the plaintiff. The defendant objected to this request as irrelevant and privileged. The court nevertheless granted the plaintiff’s motion to compel, ruling that the information was relevant to the central issue of the reasonableness of the defendant’s cybersecurity and that “appropriate redactions can assuage any privilege or privacy concerns” relating to other clients. Id.
This conclusion is somewhat concerning because it could effectively require the defendant (a law firm) to provide the identity of its other clients to the plaintiff. The court said that the law “does not protect from disclosure the identity of the client . . . and the general purpose of the work performed”; however, the court did add that there is protection if a client’s identity is sufficiently intertwined with the client’s confidences. Id. (quoting Cause of Action Inst. v. U.S. Dep’t of Justice, 330 F. Supp. 3d 336, 350 (D.D.C. 2018)). In Wenguie, the court noted that it did not have enough information from the defendant to determine if the identity of the other clients should be redacted.
Current State of the Law: Forensic Reports, Privilege, and Work Product
For a comprehensive analysis of the application of attorney-client privilege and the work-product doctrine to cybersecurity information, I highly recommend that the reader dive into the fantastic commentary on that issue published by The Sedona Conference’s Working Group on Privacy and Data Security Liability. It is, far and away, the best piece of legal writing on the subject, and a second edition may be in the works.
To be sure, there has been a trend with recent cases like Wengui, where courts are skeptical about the work-product doctrine and attorney-client privilege applying to forensic reports following a cybersecurity incident, let alone the application of those doctrines to proactive risk-assessment reports where no cybersecurity incident has occurred. Wengui, 2021 WL 106417; see also In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190; In re Capital One Consumer Data Sec. Breach Litig., No. 19-2915, 2020 WL 2731238 (E.D. Va. May 26, 2020). But the cases are mixed, and I believe that the outcome in any given case will be greatly impacted by the luck in the judge that you draw and that judge’s philosophy relating to the application of privilege and work product.
Nevertheless, to maximize the likelihood that the work-product doctrine or attorney-client privilege will apply to a forensic firm’s report following a cybersecurity incident, the courts (and good cybersecurity counsel) will consider the following factors:
- How was the forensic vendor engaged? Through counsel or by the client? What was the scope of work envisioned in the vendor’s statement of work? At whose direction was the forensic firm performing its work and for what purpose? How is the forensic vendor paid (by a company’s business unit or its legal department)?
- What protocols were in place to protect confidentiality and ensure direct communication between counsel and the forensic firm? Was there a formal description of rules by which the client and forensic firm should abide to maintain confidentiality and privilege? Who had access to, and an ability to direct, the forensic firm?
- What procedures were in place with respect to the forensic firm’s deliverable? To whom was it provided? How were drafts developed and reviewed? How and with whom was the report shared? How was it used to provide legal advice to the client?
- To what extent did counsel use a shotgun approach to privilege or work product, trying to apply the doctrines to engagements with data-restoration firms, mailing and call center services, and credit-monitoring services? The overuse of the doctrines would create skepticism that they applied in the forensic context.
- Was there a parallel investigation for business purposes, like the In re Target Corp. Customer Data Security Breach Litigation approach? Wenguie, 2021 WL 106417, at *3 (citing In re Target, MDL No. 14-2522, 2015 WL 6777384, at *2–3 (D. Minn. Oct. 23, 2015)). This factor is tricky because companies cannot realistically be expected to afford the expense or the business interruption associated with a second, parallel investigation into the same incident. A better approach is reviewing the way in which the scope of the work was defined and performed (ensuring the work is more so for the purpose of giving legal advice rather than for business, IT, or information security needs). At the very least, two reports (one for legal counsel and the other for the business) may be an option to consider.
These are high-level observations, and readers should review The Sedona Conference commentary for a more fulsome analysis. Best of all, consult a lawyer who understands the legal and technical implications of these issues.
In the meantime, it will be interesting to see what happens over the next couple of years: Will the application of privilege or work product to cybersecurity information remain, or will it be completely eviscerated?
Al Saikali is a partner at Shook, Hardy & Bacon, LLP, in Miami, Florida.
