Here’s a common scenario:  You discover a potential compliance issue and worry about being sued.  You hire outside counsel to help prepare for litigation.  Trial counsel in turn hires a consulting firm for the express purpose of helping in its litigation efforts by preparing a report addressing how the breach happened, its effects, and how to prevent another breach.  Nothing too unusual, right?

Here’s the catch:  if “the Report, or a substantially similar document, would have been created in the ordinary course of business irrespective of litigation” it may not be privileged after all.  Applying this rule, a federal court in Washington, D.C. just held that a Report prepared for trial counsel as well as the Report’s associated materials are not privileged and must be produced to plaintiffs.  See Wengui v. Clark Hill, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 20201).  While Wengui involves a cyber breach, its reasoning applies to any compliance-related investigation.

Read on below.

After Clark Hill discovered a cyber breach, it contacted its cybersecurity vendor to investigate and remediate the attack to preserve business continuity.  Clark Hill separately retained counsel in anticipation of litigation and counsel, in turn, engaged a separate team from a different consultant “to inform counsel about the breach so that [counsel] could provide legal advice and prepare to defend [Clark Hill] in litigation.”  Id. at *9.  As expected, litigation ensued.  During discovery, Clark Hill produced the documents related to its cybersecurity vendor’s work, but claimed the Report prepared for counsel was classic attorney work-product.  Clark Hill also argued the Report was subject to the attorney-client privilege.

The district court disagreed.  Carefully examining the record, and after conducting an in camera review of the Report, the court determined the Report was in fact an “ordinary course” incident report and ordered its production to plaintiffs.  As the court explained, for many entities, “discovering how [a cyber] breach occurred [is] a necessary business function regardless of litigation or regulatory inquiries.”  Id. at *6 (emphasis added).

In asserting that work-product privilege extended to the Report, Clark Hill argued the Report was shielded from disclosure because it was the result of one part of a “two-tracked investigation” of the cyberattack.  As Clark Hill explained, in the wake of the breach it:

(1) Retained its “usual cybersecurity vendor” to “investigate and remediate the attack” for purposes of business continuity; and

(2) On an entirely separate track, had its outside litigation counsel retain a security consulting firm “for the sole purpose of assisting [the firm] in gathering information necessary to render timely legal advice.”

Id. at *8 (emphasis added).  Clark Hill argued this was congruent with the approach followed in the well-publicized Target data breach litigation, whereby the “latter investigation and report would apparently not have existed but for the prospect of litigation, even as the other report would have been prepared ‘in the ordinary course of business.’”

The court concluded that this so-called two-track story “finds little support in the record.”  These facts were persuasive to the court in reaching this determination:

  • Clark Hill offered no “sworn statement” that the firm’s cybersecurity vendor conducted a separate “investigation” for the purpose of ascertaining the root cause of the data breach or responding thereto;
  • Clark Hill’s interrogatory answers stated that its understanding of “the progression” of the cyberattack was “based solely on the advice of outside counsel and consultants retained by outside counsel”;
  • There was no evidence that the firm’s cybersecurity vendor ever produced any findings (let alone a comprehensive report) regarding the data breach; and
  • Emails suggested that two days after the cyberattack began Clark Hill turned to the security consulting firm “instead of, rather than separate from or in addition to” the regular cybersecurity vendor to do the necessary investigative work.

Id. at *8-12 (emphasis in original).

It did not help Clark Hill’s argument that the Report was not just shared with outside and in-house counsel, but also with Clark Hill’s leadership and IT teams, as well as the FBI.  As the court observed, “[t]he Report was probably shared this widely … because it ‘was the one place where [Clark Hill] recorded the facts’ of what had transpired.”  Id. at *12.

All compliance officers and outside counsel should heed this observation from the court:  “Although Clark Hill papered the arrangement using its attorneys, that approach ‘appears to [have been] designed to help shield material from disclosure’ and is not sufficient in itself to provide work-product protection.”  Id. at *13 (emphasis added).

The court also rejected Clark Hill’s assertion that the attorney-client privilege shielded the Report regarding the data breach from disclosure.  The court explained that attorney-client privilege must be “applied narrowly,” to prevent its scope from encompassing “all manner of services” that should not be excluded from litigation.

Finally, the court also ordered Clark Hill to respond to written discovery concerning information about the scope of the cyberattack and its impact (if any) on firm clients other than plaintiff.  According to the court, this information was relevant as it pertained to a central issue in the case—the adequacy of Clark Hill’s cybersecurity.  For example, the court noted, if the attack largely targeted plaintiff’s personal information, it might suggest that Clark Hill should have taken additional “special precautions” in regards to plaintiff’s data.  Moreover, the court also found that Clark Hill generally “represents those individuals, and the fact of representation itself” does not qualify as attorney-client privilege.  This was because Clark Hill had not shown that in any particular instance a client’s identity was intertwined with the client’s confidences.

The Wengui decision underscores that while reports prepared for and at the request of counsel in anticipation of litigation can of course be privileged, compliance officers and counsel must be scrupulous to avoid blurring the lines between “ordinary course” reports and reports genuinely prepared for trial counsel for the purposes of assisting counsel in litigation.

For more developments concerning data privacy litigation as they occur in real time, stay tuned.  CPW will be there.