On January 12, 2021, a U.S. district judge for the District of Columbia issued an opinion in Wengui v. Clark Hill, PLC1 granting the plaintiff's motion to compel production of a data breach forensic report and other materials prepared by a third-party forensic consultant. The court ordered production of the forensic report even though the consultant was operating under the direction and control of outside counsel and under an agreement entered into after the discovery of the underlying data breach. The court found that Clark Hill had not established that the forensic report was protected from production by either the attorney-client privilege or work product doctrine, noting that Clark Hill's understanding of the incident seemed to be based solely on the forensic consultant investigation, which would have occurred in the ordinary course of business, and Clark Hill's purpose in hiring the forensic consultant was to obtain cybersecurity expertise, not legal advice.
The Clark Hill opinion is notable because not only does it follow a string of recent opinions that have found data breach forensic reports not to be entitled to work product protection,2 it also goes one step further to find that a data breach forensic report is not protected by attorney-client privilege. In this instance, the court applied a narrow interpretation of the Kovel doctrine and found that the company's true objective in engaging the forensic firm (that produced the report) was to obtain cybersecurity expertise, not legal advice.
The following is a summary of the Clark Hill opinion followed by some considerations for companies seeking to apply the lessons of the opinion to future data breach investigations, including the importance of (1) drawing clear lines between ordinary-course investigations to solely understand the nature and scope of the incident and an investigation for legal purposes; and (2) carefully considering the scope, purpose, and audience of any third-party written reports prepared at the direction of counsel. We conclude with suggested best practices for protecting attorney-client privilege and the work product doctrine during the investigation of a security incident.
Part One: The Background for the Motion to Compel
Plaintiff Guo Wengui is a Chinese dissident who hired Clark Hill to represent him as he applied for asylum in the United States.3 Clark Hill was hacked shortly after being engaged by Wengui, in what was allegedly a targeted attack by the Chinese government, and Wengui's asylum application was disclosed online.4 Clark Hill ended its engagement with Wengui following the cyber-attack, citing considerations under the Rules of Professional Conduct.5 Wengui then filed suit against Clark Hill, alleging breach of fiduciary duty, breach of contract, and negligence.6 Among other allegations, he alleges that the cyber-attack demonstrates that Clark Hill did not adequately protect his information.7
The plaintiff moved to compel Clark Hill to produce "all reports of its forensic investigation into the cyberattack" that led to the disclosure of his information, including the forensic report.8 Clark Hill maintains that it turned over all relevant internally generated materials and that the other documents sought by the plaintiff produced by the forensic consultant are covered by both the attorney-client privilege and work product doctrine.9 Clark Hill also declined to answer the plaintiff's interrogatories seeking "Clark Hill's understanding of the facts or reasons why" the attack occurred, arguing that its understanding of the incident was based on the advice of outside counsel and consultants retained by outside counsel, and is therefore privileged.10
The plaintiff raised several arguments in support of his motion to compel, including:
- Clark Hill is engaged in "mass withholding" of all information concerning the cyberattack.
- The attorney work product doctrine confers no protection on Clark Hill's forensic investigation of the cyber-attack because Clark Hill would have investigated the cyberattack even if it were at no risk of being sued.
- The forensic consultant report is not attorney-client privileged because Clark Hill's "primary purpose" was not to obtain a legal opinion, and Clark Hill cannot persuade the court that it would not have investigated the cyber-attack at all "but for" its seeking of legal advice.
- Clark Hill should not be allowed to avoid its obligations to disclose underlying facts by communicating them to an attorney or having an attorney direct the investigation.
- Clark Hill has waived its narrower claim of privilege with the forensic consultant report, particularly because it has failed to particularize its claims of privilege by providing a privilege log.
After briefing, the court concluded that the forensic consultant report was not work product and not attorney-client privileged and ordered its production.11
1. Wengui v. Clark Hill, PLC, No. 1:19-cv-03195 (D.D.C. Jan 12, 2021) ("Mem. Op.").
2. See In re Capital One Consumer Data Sec. Breach Litig., No. 1:19-md-02915 (AJT/JFA), 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020); In Re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230 (D. Or. 2017); In re Dominion Dental Servs. United States, 429 F. Supp. 3d 190 (E.D. Va. 2019).
3. Wengui v. Clark Hill, PLC, 440 F. Supp. 3d 30, 33-34 (D.D.C. 2020).
4. Id. at 34.
5. Id. at 34-35.
6. Id. at 35.
7. Id. at 38.
8. Mem. Op. at 1-2.
9. Id. at 2.
11. Id. at 18.
Originally published February 26, 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.