Companies often turn to lawyers to investigate cybersecurity incidents, whether in anticipation of litigation or to provide advice on mitigating the root causes of an incident. In either situation, a company will benefit from probing and critical assessments that may only be done well when these are likely to be kept confidential under the legal doctrines of attorney-client privilege or work-product protection. An important, and often overlooked fact, is that reports produced by cybersecurity vendors, especially those who are commissioned by the company for primarily non-legal purposes, are likely to be treated like any other business record and hence subject to disclosure in litigation.
Courts have been grappling with the question of what constitutes a privileged report in the cybersecurity context—while the general trend has been favorable to reports produced at the direction of legal counsel, there are exceptions. These exceptions often highlight the need for such reports to be handled in a particular manner to be considered privileged. One approach that some courts have sanctioned is a two-track investigation—each tracked investigation focusing on the same facts but one that provides guidance to the business for remediation purposes and another that provides information to counsel to help guide the client in responding to the legal issues. Even this approach has limits as to the extent of privilege when the underlying justification is weak or a waiver has occurred, as a recent D.C. federal court ruling demonstrates.
In Wengui v. Clark Hill, PLC, et al., the D.C. federal court held that privilege did not apply when it was likely that investigation analysis would have occurred irrespective of the prospect of litigation and was widely disclosed to third parties.
The suit involves an allegation by Guo Wengui, a high-profile Chinese dissident, who sued his lawyers for failing to protect his data when the law firm experienced an alleged cyberattack. In discovery, Mr. Wengui sought a forensic cybersecurity report that the law firm's outside counsel commissioned as part of its internal investigation. The law firm objected, claiming the report was privileged because it had been commissioned “for the sole purpose of assisting [counsel] in gathering information necessary to render timely legal advice.” The law firm also argued that the report and the associated confidential investigation would not have been carried out but for the prospect of litigation and, thus, it was protected work product.
The court disagreed and pointedly noted that the “papered” arrangement alone did not make the consultant's report privileged. After reviewing the report, the court found for example, that the cybersecurity consultant's report was the only one made and that it included extensive non-legal advice on remediation to preserve “business continuity.”
The court also noted the law firm had shared the report with its IT team and the FBI for purposes other than preparing for litigation or obtaining legal advice. This conclusion suggests that the court viewed these activities as either waiving privilege or suggestive that the report was not considered protective, or the information would have been more closely held. Consequently, the court found that “Clark Hill's true objective was gleaning [the cybersecurity consultant's] expertise in cybersecurity, not in obtaining legal advice from its lawyer,” and ordered the law firm to produce the forensic report.
Helpfully, the court distinguished its decision from other cases where cybersecurity consultant reports have been determined to be privileged. The court emphasized that privilege in the cybersecurity context should be examined under the same framework as other assertions of privilege. Specifically, privilege may apply to cybersecurity investigation reports, i.e. expert reports, when the party claiming privilege actually conducts two separate investigations with distinct purposes, and one involves a legal counseling objective. Secondly, the party should refrain from disclosing the privileged information from the investigation to third parties.
A critical review of the root causes of a cybersecurity incident is an important element in responding to cyber incidents and, in the more damaging incidents, to help the company prepare its legal defenses. To be able to receive such advice without being concerned it will be used against the company in litigation, requires more than just “papering” the engagement. It requires keeping the purpose of the communications focused on legal advice from the lawyer to the client and avoiding straying from that path. That also means when there is information to be shared with the company's IT team or information to be shared with law enforcement or with an outside accountant, this should be done in close consultation with the company's lawyers to ensure that only non-privileged data is being shared. It is particularly important to avoid adopting practices of adding a lawyer to the communication in the mistaken perception that that alone provides privilege. More helpful is developing an understanding early on that communications and conclusions should be centered on legal counsel, which should practice responsible discipline in the sharing of information.
Originally Published by Ice Miller, January 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.