Investigations and forensic reports relating to a cybersecurity breach may not always be protected by the attorney-client privilege or work product protection.  Companies seeking such reports after a data breach must take caution to protect them from a possible waiver of privilege in the event of subsequent litigation relating to a data breach. The following recent cases highlight the potential waiver of privilege in light of the preparation of a forensic report.

1. In re Capital One Consumer Data Security Breach Litigation, 2020 WL 3470261 (E.D. Va. June 25, 2020)
   • After a data breach occurred, Capital One retained a law firm that later entered into an agreement with Mandiant for various cyber-related services (including incident remediation), which required that Mandiant provide deliverables to the firm, rather than to Capitol One.  In re Capital One Consumer Data Security Breach Litigation, 2020 WL 2731238, at *1 (E.D. Va. June 25, 2020).  Plaintiffs sought release of the report created by Mandiant (regarding the factors leading to the breach), arguing that it was prepared for business and regulatory purposes and therefore was not privileged, while Capital One argued that the report was privileged because it was prepared in anticipation of litigation.  Ibid.  The Court determined that Capital One did not carry its burden of establishing that the report was protected by the attorney work-product doctrine and ordered that Capital One produce the report.  Id. at *7.  In its reasoning, the Court stated that the fact that there is litigation does not, by itself, provide prepared materials with work-product protection.  Ibid.  The work-product protection applies when a party faces a claim following an event that may result in litigation, and the work product would not have been prepared in a substantially similar form but for the prospect of that litigation. Ibid.
2. In re Dominion Dental Services USA, Inc. Data Breach Litigation, 429 F.Supp.3d 190 (E.D. Va. Dec. 19, 2019)
   • Plaintiffs filed a motion to compel Dominion to produce a report created by Mandiant, a cybersecurity firm.  In re Dominion Dental Services USA, Inc. Data Breach Litigation, 429 F.Supp.3d 190, 191 (E.D.Va., 2019).  Dominion claimed that the report was created to inform legal counsel and create a litigation strategy, and thus was privileged and protected by the attorney work-product doctrine.  Ibid.  The court stated that Dominion had not met its burden of demonstrating that the materials were protected work-product and held that the materials were not privileged because (1) Mandiant had a relationship with Dominion prior to the breach, and which anticipated services in the event of a breach occurring; and (2) Dominion used the materials for non-litigation purposes.  Id. at 194-195.
3. Wengui v. Clark Hill, PLC, 2021 WL 106417 (D.D.C. Jan. 12, 2021)
   • Plaintiff moved to compel Defendant, a law firm, to produce a forensic report generated by a consultant retained by the firm’s outside counsel after a data breach.  Wengui v. Clark Hill, PLC, 2021 WL 106417, at *1 (D.D.C. Jan. 12, 2021).  The court determined that the report and associated materials were neither protected work product nor attorney-client privileged because the firm failed to show that the report would not have been created in the ordinary course of business, irrespective of litigation.  Id. at *5-6.  Of note, the court also stated that the attorney-client privilege did not apply because the firm’s true objective was gleaning the cybersecurity firm’s expertise, not in obtaining legal advice.  Id. at *5.

What You Should Do

In light of these recent court decisions, companies must take measures to maintain the attorney-client privilege or work-product doctrine to the fullest extent possible.  Companies should keep in mind the objective of seeking and preparing forensic reports following a cyber breach, the use of such reports, and the relationship between the company and the vendor used to prepare the report.

Lessons Learned

• Failure to distinguish the parameters of retaining an outside consultant for the creation of a breach report can increase the risk of this report not being covered within the work-product doctrine.
• Retainers for vendors used in preparing a breach report should be categorized as a legal expense.
• Only share the data breach report for legal purposes, and share the report with as few individuals in the organization as possible.
• Proceed with caution when using a data breach report outside of litigation purposes.

How Newmeyer Dillion Can Help

Newmeyer Dillion can assist with advising on any cyber-litigation or pre-litigation need. Our attorneys are available for consultation by contacting our office at 949-854-7000.