American Bar Association - Wengui v. Clark Hill - Lessons Learned to Protect Privilege in the Investigation of a Cyber Breach
A recent decision from the United States District Court for the District of Columbia emphasized that neither attorney-client privilege nor work product protection will shield a report provided by a third party retained by counsel where the report provides non-legal advice.**
Guo Wengui v. Clark Hill, PLC, arose from the cybersecurity breach of a law firm's database on September 12, 2017. After confidential information about him was publicly disseminated, a client (Wengui) sued the law firm (Clark Hill) claiming that it failed to take sufficient precautions to protect his data. Immediately after learning about the breach, Clark Hill ordered an investigation into what had occurred. It employed its regular cyber security provider, eSentire, to investigate and remediate, as appropriate. The purported purpose of eSentire's work was for "business continuity."
Two days later, on September 14, 2017, while the breach may still have been ongoing, Clark Hill hired a law firm, Musick, Peeler & Garrett ("MP&G"), to provide legal advice relating to the incident. MP&G hired an independent cyber security firm, Duff & Phelps, to assist MP&G in providing legal advice to Clark Hill and to prepare for anticipated litigation. Duff & Phelps went on site on September 14, 2017. It ultimately produced a full investigative report which included "specific remediation advice." The General Counsel of Clark Hill, Edward Hood, reviewed the report. Hood then shared the report with "select members of the leadership and IT team" at Clark Hill. Clark Hill also shared the report with the Federal Bureau of Investigation ("FBI") in connection with the FBI's investigation of the incident.
Litigation was, in fact, filed in September 2019. During the course of discovery, the client requested "all reports of [Clark Hills's] forensic investigation into the cyberattack." The client also served interrogatories asking Clark Hill to state the facts or reasons why the attack occurred. Clark Hill responded to the document production requests by providing (among other things) documents from eSentire. Notably, the partial production did not include any formal report or any specific findings from eSentire on the cause of the breach.
Clark Hill objected to producing other responsive documents and to answering the interrogatories, claiming that the information from Duff & Phelps was protected by the attorney-client privilege and work product protection. It maintained that its understanding of the cause of the attack came solely from the investigation performed by Duff & Phelps, which was ordered by MP&G to provide legal advice and in anticipation of litigation.
Plaintiff disagreed and filed a motion for sanctions. On January 21, 2021, the court granted the motion for sanctions, finding that the attorney-client privilege and the work product protection doctrine did not apply to the requested information.
Generally, the attorney-client privilege applies to "a confidential communication between attorney and client if that communication was made for the purpose of obtaining or providing legal advice to the client." The Duff & Phelps report was not a communication between attorney and client. Courts have recognized, however, that certain documents prepared by third parties may be covered by the privilege if the document was prepared to help facilitate the provision of legal advice by, for example, explaining technical materials or acting in the capacity of a translator. The courts have cautioned that this principle must be narrowly applied - if the advice sought by the client is really the advice of the third party, and not the lawyer, no privilege would exist.
The Wengui court readily concluded that the advice in the Duff & Phelps report was cybersecurity advice, and not legal advice, and therefore not protected by the attorney-client privilege.
Work Product Doctrine
In federal court, the work product protection doctrine shields from discovery certain materials prepared in anticipation of litigation. Under Federal Rule of Civil Procedure 26(b), "[o]rdinarily, a party may not discover documents and tangible things that are prepared in anticipation of litigation . . . by or for another party or its representative (including the other party's attorney, consultant, . . . or agent)." The Wengui court then applied the "because of" standard in order to determine whether a document was "prepared in anticipation of litigation." The "because of" test asks "whether, in light of the nature of the document and the factual situation in the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation." As the court further explained, "[w]here a document would have been created 'in substantially similar form' regardless of the litigation," it fails that test, meaning that "work product protection is not available."
The Wengui court found it "highly likely" that Clark Hill would have investigated the cause of the cybersecurity breach and steps to remediate it whether or not the firm was anticipating litigation. The court favorably cited other decisions which held that investigating a cyber breach is a necessary business function. After the court's in camera review of the report, the court concluded that "substantially the same" document would have been prepared in the normal course of business.
Key Case Clearly Distinguishable
Clark Hill primarily relied on the case of In re Target Corp. Customer Data Sec. Breach Litig. to support both theories to shield production of the information. The court easily distinguished the facts in Wengui from the Target case in connection with both arguments.
With respect to the work product doctrine, the court rejected Clark Hill's view that there were two tracks to the investigation which led to the protection of the Duff & Phelps report: 1) the eSentire track allegedly being the one conducted in the normal course; and 2) the Duff & Phelps report supposedly being prepared solely to assist in the legal representation. The court found that the Duff & Phelps report was prepared instead of, rather than in addition to, the work performed by eSentire. Indeed, Duff & Phelps began its work within days of Clark Hill discovering the breach, while the breach was ongoing. eSentire never produced a report or any findings about the cause of the breach. The General Counsel of Clark Hill shared the report with a broad audience, including in-house leadership, IT and Clark Hill also shared it with the FBI in connection with the FBI's investigation. The court concluded that these non-litigation uses of the report demonstrated that the report was not prepared "because of" litigation. Merely "paper[ing]" the report through attorneys did not shield it from disclosure.
As for the attorney-client privilege, there were three distinguishing facts in Target. First, Target established that it took the "two track" approach. Second, the report that was shielded from disclosure by the court in that case was not shared with a wide audience. Third, the Target report, unlike the Duff & Phelps report, did not include specific suggestions for remediation.
What About In RE Kellogg Brown & Root, INC.?
Although the court cited In re Kellogg Brown & Root, Inc. the court did not apply its holding even though it appears directly applicable to Clark Hill's case. The In re Kellogg Brown & Root, Inc., court addressed the standard to apply in determining whether an investigative report was protected by the attorney-client privilege. There, the appellate court rejected the "but for" test in favor of "a primary purpose" test.
Kellogg Brown & Root ("KBR") received an employee tip about potential misconduct in connection with administering government contracts - specifically, inflating costs and accepting kickbacks. KBR initiated an internal investigation, led by its Law Department, as required by its Code of Business Conduct. Some, but not all, of the interviews were conducted by in-house attorneys, others were conducted by investigators at the direction of counsel. No outside counsel was retained. A report of the investigation was prepared. A KBR employee then filed a whistleblower complaint relating to the same conduct.
The plaintiff/employee sought the production of documents related to KBR's internal investigation. KBR objected on the basis of the attorney-client privilege. The lower court ordered production of the documents, but the Court of Appeals reversed. The Court of Appeals ruled that often there is not one primary purpose - legal and/or business - for a communication. The test is, rather, whether "obtaining or providing legal advice" was "a primary purpose of the communication." The Appeals Court found that the privilege applies even though interviews may be conducted by non-attorneys, if they are conducted at the direction of attorneys, and therefore by non-lawyers acting as legal agents.
Had the court in Wengui held that the report at issue included some legal advice, and applied the standard from In re Kellogg Brown & Root, would the decision have been different? Probably not. The investigation by KBR clearly was controlled by the Law Department to gain facts in order to provide advice to the company. Those interviewed were told about the purpose of the investigation and that the information would be held in confidence. The information was not shared beyond those with a need to know, and certainly not with any outside agency. And, based on the facts found by the Wengui court, learning what happened in the cybersecurity breach in order to properly remediate it was the only real purpose of the Duff & Phelps report. eSentire, the normal service provider, was not the entity tasked with determining the required remediation procedures.
Wengui emphasizes the following principles:
- The mere fact that communication is made to an attorney does not mean the communication is privileged; and
- Materials are not automatically protected by the privilege merely because they are provided to or prepared by an attorney.
Building upon those principles, here are some steps counsel can take to preserve privilege protection for investigation materials, whether prepared by counsel or a third party at the direction of counsel:
- Clearly communicate that the investigation is being performed in order to secure legal advice;
- Prepare an investigation plan;
- Perform the interviews or create the template for questions to be asked;
- Schedule regular briefings as the investigation proceeds;
- Provide analyses of the information gleaned during the investigation;
- Provide recommendations of legal steps to take as a result; and
- Limit distribution of any report to those who actually need the information as part of their job responsibilities in connection with the investigation.
Reproduced with permission from the March 6, 2021 issue of the American Bar Association's Business Law Section. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.