Protecting Privileged Forensic Reports
December 3, 2021
Imagine that after experiencing a data breach and taking all the necessary steps, including retaining a forensic vendor to conduct an investigation, your organization is named as a defendant in a class action lawsuit arising from the breach. To make matters worse, plaintiffs’ attorneys are seeking to compel the production of the forensic report prepared by your vendor.
It has become increasingly difficult for companies to protect forensic reports prepared in connection with a data breach. Despite their sensitive nature, these reports are frequently sought by plaintiffs’ attorneys in cyber-related litigation because they can provide a roadmap for their claims. Recent case law reveals that many courts are finding ways to compel the production of these reports.
The U.S. District Court for the District of Columbia was the latest court to hand down such a ruling in Guo Wengui v. Clark Hill, PLC. On January 12, 2021, the court ordered Clark Hill to produce the forensic report prepared by its forensic vendor at the direction of legal counsel. The court concluded that the report would have been created for business reasons irrespective of the litigation and thus failed the test relied upon to decide whether a document is protected by the work-product doctrine.
Clark Hill did not meet its burden in demonstrating that the report would not have been created regardless of ongoing litigation, considering that forensic investigation reports following a data incident are necessary to respond to such incidents. The court found that the forensic vendor’s role “was far broader than merely assisting outside counsel in preparation for litigation” and, as such, the report could not be protected under the work-product doctrine.
Previously, the U.S. District Court for the Eastern District of Virginia, overseeing multi-district litigation following the 2019 Capital One data breach, rejected claims that Capital One’s forensic report was protected based on similar reasoning. Although Capital One had prepared two separate reports, distributed the report mostly to legal staff, paid for the report primarily from the legal budget, and had the engagement letter signed by its attorneys, the court found that Capital One failed to distinguish the forensic report from one that would have been prepared for business purposes, regardless of impending litigation.
In the court’s eyes, the original agreement between Capital One and its on-retainer cybersecurity vendor had only been “effectively transferred” to counsel after the breach, but it functioned the same as an operational investigation. Other factors considered were payments initially made from the existing retainer and subsequently attributed to the legal budget, and disclosure of the report to an outside auditor and various regulators.
These and numerous similar decisions in recent years have chipped away at preserving privilege over forensic reports. Therefore, we recommend the following steps to best ensure protection by attorney-client privilege or the work-product doctrine:
- Create two separate reports. Investigation teams should create one report reflecting a post-breach mitigation investigation, and one reflecting a post-breach analysis in preparation for litigation. If using one vendor, precautions should be taken to ensure that the court does not consider the transfer to counsel to be on paper only. Consider creating separate teams for mitigation and litigation, keeping the investigations completely separate with different responsibilities, preparing separate engagement letters, and paying for such services exclusively with the legal budget. Companies may need to look outside their standard IT vendors and retain another vendor in preparation for litigation.
- Avoid putting analysis into the mitigation investigation report. When preparing the non-privileged investigation report for purposes of mitigation, companies should ensure that no analysis or interpretation is included. This report should reflect facts and technical information only. Discussion of next steps, effects of the breach, and characterizations of the attack that may occur in the mitigation investigation should remain in oral format until findings are solidified, at which point such findings should be presented either in the legal investigation report or in a privileged attorney letter. On the other hand, vendors and companies should be sure that non-privileged investigation reports include the measures and approaches the company took for the protection of data.
- Restrict access to the reports. Avoid sharing the legal investigation report to the fullest extent possible. Sharing only the non-privileged mitigation report will also help demonstrate that the investigative report was created for purposes of litigation and not for regulatory or business purposes, thus overcoming any “because of” or similar test imposed by federal courts.
The preparation of forensic reports is a continually evolving area. Before making decisions about the vendors you will retain, how you will structure those relationships, whether forensic reports will be prepared, and who will have access to those reports, you should seek advice from legal counsel experienced in dealing with these issues. Extreme care must be given to these dynamics to ensure that you are able to maintain the privileged nature of your forensic reports.
Matt White, a shareholder in the Memphis office of Baker Donelson, advises clients on a wide variety of cybersecurity and data privacy issues. He is a certified information privacy professional and a certified information privacy manager.
Alex Koskey is an attorney in Baker Donelson’s Atlanta office. He is a certified information privacy professional and represents financial institutions and organizations on a wide range of data privacy, regulatory and compliance, and litigation matters.