Last week, a federal court held that a forensic report prepared in the wake of a data breach at a law firm was not protected by the work product privilege and had to be produced in discovery.  See Wengui v. Clark Hill, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 20201).  As the court explained, for many entities, “discovering how [a cyber] breach occurred [is] a necessary business function regardless of litigation or regulatory inquiries.”  Id. at *6 (emphasis added).  Nor did attorney-client privilege shield the forensic report.  This was because, according to the court, attorney-client privilege must be “applied narrowly,” to prevent its scope from encompassing “all manner of services” that should not be excluded from litigation.

CPW’s Colin Jennings and Ericka Johnson published a must-read article in Law360 today discussing the opinion and what it means for data breach investigations going forward.  In 3 Ways To Shield Cyber Reports After Clark Hill Breach Ruling, they explain “[t]he discoverability of a forensic report is a very significant issue because it will generally detail the critical vulnerabilities in a company’s information technology environment that enabled the cyberattack, often identifying areas in which a company’s IT defense were not compliant with best practices, regulators and/or industry standards — in other words potential evidence of negligence or recklessness that would not otherwise exist but for the forensic report . . .
While it is beneficial to counsel to anticipate and defend against potential causes of action, plaintiffs like Wengui will seek to discover forensic reports as evidence to substantiate their claims. Therefore, forensic reports have become hotly contested during breach litigation, leading to evolving best practices to protect a report from becoming discoverable.  In determining whether a forensic report is privileged, courts will look to the totality of circumstances to determine whether a forensic report was truly created in anticipation of litigation. As the next case to weigh in on the best practices to establish privilege over a forensic report, Wengui provides three key takeaways.”