Following a major cyberattack or data breach, it’s not uncommon for the victim to order a forensic report. These reports are incredibly useful because they allow the commissioner of the report to analyze the causes and effects of the incident. In many cases, forensic reports are covered by the work product doctrine, however, recent court rulings suggest the tides may be turning.
In this article, we’re going to review the current regulations for maintaining privilege in forensic reporting, and we’ll share some of the cases responsible for the precedent. Let’s get started!
Order of Operations
In 2019, forensic reporting made headlines as a result of the Capital One data breach – an incident that allowed an unauthorized person to access personal customer information. Shortly after, the company received a third-party forensic report detailing the various technical problems that contributed to the successful attack. When the company announced the data breach, they were met with numerous lawsuits.
Counsel for the plaintiffs moved to compel the production of the third-party forensic report, while Capital One argued that their report should be protected by the work product doctrine. Unfortunately for the bank, the court determined that privilege did not apply due to the specific order of agreements/contracts.
At the beginning of the year, Capital One entered a retainer agreement with their cybersecurity company, Mandiant. After the actual data breach, the bank then retained a law firm for legal services. Months later, the law firm signed its own agreement with Mandiant. This agreement stated that future work would be performed at the direction of counsel, and they would receive all deliverables instead of Capital One.
The court ruled that privilege did not apply to the forensic report because it was completed under the original retainer agreement, in which the bank directly engaged and paid Mandiant for their work. In order to ensure the report was protected, Capital One should have retained their law firm prior to the breach and instructed Mandiant to work at counsel’s direction. This would have been sufficient to trigger attorney-client privilege and attorney work product doctrine.
Law Firm v. Law Firm
Based on the Capital One decision, we know that forensic reports only qualify for privilege when ordered directly by counsel. But what happens when counsel itself is the victim of the cyber-attack? In January 2021, the case of Wengui v. Clark Hill raised this very question before the United States District Court for the District of Columbia.
The plaintiff, Guo Wengui, was a former employee of Clark Hill and filed suit over the publication of his personal information. Soon after, he issued a discovery request for “all forensic investigation reports about the cyberattack,” and in particular, a report prepared by Duff & Phelps. In fact, Clark Hill had commissioned two forensic reports, although only one report was produced during discovery. The law firm argued that the second report fell under attorney-client privilege and was thus protected by the work product doctrine.
Ultimately, the court rejected the defendant’s argument and held that the documents were not privileged. In reaching this conclusion, the court considered multiple factors, such as the dissemination of the report to the FBI and the fact that it contained advice to manage issues beyond potential litigation. After considering all the evidence, the report “cannot be fairly described as prepared in anticipation of litigation.”
Final Thoughts
Over the years, transparency has become more and more important to consumers. Many legal professionals expect these changing attitudes will lead to more judicial scrutiny of privilege assertions over forensics reporting. For that reason, companies should always consider whether a given forensic report would provide benefits that outweigh the risks from disclosure. As the law evolves, we must find a balance between protecting confidentiality and delivering the transparency consumers deserve.
Thanks for reading! If you enjoyed this article, let us know on social media! Please don’t hesitate to contact us with any questions or concerns. At First Legal, we’re here for you from File Thru Trial™!
