A “Two-Tracked” Investigation
Shortly after the representation commenced, the firm suffered a cyberattack and data breach, and the plaintiff’s private and confidential information was published online. The firm withdrew its representation, explaining that its attorneys and employees had become witnesses to the plaintiff’s pending asylum case. The plaintiff then brought the malpractice claim, which is currently pending in the U.S. District Court for the District of Columbia.
During discovery, the plaintiff asked the firm for “all reports of its forensic investigation into the cyberattack.” The firm had produced documents from its usual cybersecurity vendor, eSentire. However, two days into the cyberattack, the firm had retained outside counsel in anticipation of potential litigation arising from the breach. In turn, the outside firm hired a separate outside cybersecurity vendor, Duff & Phelps.
Based on this “two-tracked” investigation conducted by the respective cybersecurity vendors, the firm argued that the investigation performed by Duff & Phelps through outside counsel was not discoverable. The firm refused to produce documents and reports from Duff & Phelps, citing work-product protection and attorney-client privilege. Duff & Phelps, the firm argued, had been retained “for the sole purpose of assisting [outside counsel] in gathering information necessary to render timely legal advice.”
In ruling on the plaintiff’s motion to compel, the district court started from the premise that “[f]or many organizations, surely among them law firms that handle sensitive materials, discovering how a cyber breach occurred is a necessary business function regardless of litigation or regulatory inquiries.” The court then delved into the record to determine whether the firm’s “two-tracked” investigation argument—one for business purposes, one for litigation—held water. “[T]wo days after the cyberattack began, [the firm] turned to Duff & Phelps instead of, rather than separate from or in addition to, eSentire, to do the necessary investigative work,” the court noted. Indeed, “at precisely the time [the firm turned to Duff & Phelps] the ‘trail essentially goes cold’ as to eSentire’s work.”
“The problem for the defense here is that its two-track story finds little support in the record,” stated the court. “On the contrary, Defendant’s own interrogatory answers state that ‘its understanding of the progression of the September 12, 2017 cyber-incident is based solely on the advice of outside counsel and consultants retained by outside counsel.’” In other words, the firm had conducted only half of its alleged two-tracked investigation. No independent and thorough investigation had been conducted by eSentire.
Moreover, the Duff & Phelps report was shared not only with in-house counsel at the firm but also with select members of firm leadership and information technology teams, as well as the Federal Bureau of Investigation. Further, the Duff & Phelps report was the only place where the facts of the incident had been recorded, had been used for a range of non-litigation purposes, and included recommendations for remediation. Accordingly, the court determined that neither the work-product doctrine nor attorney-client privilege applied.
What Not to Do
“The facts are bad here,” states Tiffany A. Rowe, Washington, DC, cochair of the Litigation Section’s Professional Liability Litigation Committee. “Had there been sufficient evidence showing that eSentire and Duff & Phelps were engaged in simultaneous and distinct investigations, Clark Hill would have had a much stronger argument over the work-product protection,” she adds.
“The most important step would have been to delineate and to fully conduct the two-track investigation,” echoes Kenneth M. Klemm, New Orleans, LA, cochair of the Section’s Trial Evidence Committee. “The decision appears to be correct based on the record before the court,” he observes, “because the firm could not show that it had conducted an investigation concurrently for a business purpose.” Similarly, the firm could not claim attorney-client privilege “because it could not show the primary purpose of the consultant’s cybersecurity report to be related to obtaining legal advice.”
Privilege Cannot Be Created Through Words Alone
The substance matters, declares Rowe. “Don’t rely on words printed in the engagement letter,” she advises. “Stating that Duff & Phelps was retained ‘in anticipation of litigation’ cannot create the privilege” without more, she notes. Rowe suggests that the firm should have followed through and actually performed dual, parallel investigations: “Clark Hill’s factual argument that there was a ‘two-tracked’ investigation certainly could have been a successful one,” she suggests. “It is actually surprising to think that Clark Hill would have called off the investigation of their usual cybersecurity vendor, eSentire,” she opines.
“Simply put, if the firm’s usual information technology vendor had conducted a comprehensive investigation limited to facts and the relationship of the vendor hired by the outside law firm had been made clearer, the court’s decision may have been different,” agrees Klemm. “The separate investigation by the firm’s usual outside information technology consultant should have been more comprehensive but limited to the facts of what occurred,” he advises. “Here, it did not appear that the firm’s outside information technology consultant even provided a report that could be produced,” observes Klemm.
A law firm or business subject to reputational fallout due to a data breach might think twice about having to air its dirty laundry in the form of a thorough investigation of its cybersecurity failings. “The decision certainly could make law firms resistant to conducting full investigations into cyberattacks,” cautions Klemm. “On the other hand, if a firm implements appropriate precautions, it should be possible to protect documents and information,” he adds. “The key,” counsels Klemm, “will be to implement these precautions from the start and to ensure that the firm clearly delineates the purposes for which it retains other law firms and vendors to investigate and to respond to a cyberattack.”
“Basic principles of work-product and attorney-client communication privileges apply, and their requirements are not formalities because they make or break the protection,” Rowe cautions. “Don’t multipurpose legal advice,” she stresses. This opinion, rather than encouraging a head-in-the-sand approach, “should reinforce the care with which companies, outside counsel, and consultants should approach their engagements,” she concludes.