A recent decision of the U.S. District Court for the District of Columbia further erodes a defendant’s claim of privilege with respect to expert reports related to data breaches. However, it also provides important considerations to victims of a breach who wish to promote maximum candor from their consultants by asserting the work product privilege.
In Wengui v. Clark Hill, PLC, decided January 12, 2021, the plaintiff sued his former law firm for failing to adequately protect his personal information from a breach likely perpetrated by the Chinese government. Following the breach, the defendant law firm retained outside counsel, which then hired a security consultant — Duff & Phelps — to perform an investigation. Employing the “because of” test, which asks whether a document would have been created “in substantially similar form” even without litigation, the Court ruled that the materials produced by Duff & Phelps were not protected from disclosure in discovery by the work product doctrine.
How the “Because of” Test Negates Privilege
The Court’s decision advances a prominent trend amongst federal courts, notably in the Fourth Circuit. The Fourth Circuit decided the 2019 matter of In re Dominion Dental Services United States based on its version of the “because of” test: whether the document was prepared “because of the prospect of litigation.” There, the court ruled that materials prepared by a consultant following a breach were not privileged because (1) the consultant had a relationship with the defendant that pre-dated the breach and anticipated services in the event of a breach; and (2) the defendant used the materials for non-litigation purposes, including public relations.
Similarly, in In re Capital One Consumer Data Sec. Breach Litig., the relationship between the defendant and its security consultant pre-existed the breach of the defendant’s system. In response to the breach, the defendant retained outside counsel, which agreed to a Statement of Work with the consultant and the defendant. The scope of the Statement of Work was the same as that which already existed between the defendant and the consultant, but the new agreement provided that the consultant would work at the direction of, and produce deliverables to, outside counsel. The court ruled that the consultant’s work product was discoverable. The defendant, it found, failed to show that the scope of work performed by the consultant working under the direction of outside counsel “was any different than the scope of work for incident response services set forth in the existing [Statement of Work] and that it would not have been performed without the prospect of litigation.”
The defendant in the Wengui case attempted to address these shortcomings by using a “two-tracked” approach, in which it retained its usual security consultant — eSentire — to investigate and remediate the breach, and retained a second security consultant (Duff & Phelps), through outside counsel, to gather information “necessary to render timely legal advice.” Essentially, the Court found that the defendant had adopted the trappings, but not the substance, of its “two-tracked” approach. It found that “two days after the cyberattack began [defendant] turned to Duff & Phelps instead of, rather than separate from or in addition to, eSentire, to do the necessary investigative work.” Internally, the defendant referred to Duff & Phelps as its “incident response team.” Additionally, outside counsel shared Duff & Phelps’ work product with in-house counsel and members of the defendant’s IT group and leadership, as well as with the FBI. Because Duff & Phelps’ work product was “used for a range of non-litigation purposes…it cannot be fairly described as prepared in anticipation of litigation.”
Protecting Your Breach Documents
The Wengui case is notable because it appears to tacitly embrace the “two-tracked” approach that the defendant advocated but failed to follow. Wengui and its Fourth Circuit predecessors therefore provide a critical blueprint to victims of a breach who wish to promote maximum candor from their consultants by asserting the work product privilege. To maximize the potential for successful assertion of the work product privilege, victims of a breach should consider doing the following:
- Retain a consultant to perform an investigation of, and to remediate, the breach (“Breach Consultant”). This consultant may be someone with whom you have an existing relationship. Operate under the assumption that the work of this consultant will not be privileged.
- Retain outside counsel to provide legal advice, and ensure that outside counsel will work with a qualified security consultant.
- Outside counsel will retain a second consultant to provide the technological opinions necessary for outside counsel to provide legal advice (“Legal Consultant”). Ensure that outside counsel will limit the statement of work between it and the Legal Consultant to analyzing the breach and providing advice to outside counsel. You should have no existing relationship with the Legal Consultant.
- Make sure each consultant stays in their lane. Breach Consultant should offer no legal opinion whatsoever, including whether the breach was enabled by the failure to comply with any applicable law or regulation.
- Be careful with disseminating the Legal Consultant’s work product. The safest approach is to have outside counsel offer advice based on the work product of the Legal Consultant without disseminating the work product itself.
Breaches will continue to be a risk for any entity with valuable information and an internet connection. You should guard against this risk by working with a qualified technology consultant to ensure you are taking reasonable precautions against this unfortunate reality. In the event of a breach, however, it is important to follow the steps above to ensure that your legal strategy rests on the candid opinions of a qualified expert.