The shield of attorney-client privilege that protects breach forensics reports from becoming a liability during litigation isn't absolute. As a result, companies and their firms may have to take a much more strategic approach to how these reports are structured.
One of the common first steps that any business takes in the aftermath of a cyber incident is to commission a data breach incident report from an outside provider. The findings contained within those write-ups can often provide companies with a road map for correcting the offending weaknesses in their system. But a recent order from a judge in the U.S. District Court for the District of Columbia reinforces the notion that forensic reports can become a legal liability as well.
The ongoing case of Guo Wengui v. Clark Hill found plaintiff Guo Wengui moving to compel (https://casetext.com/case/guo-wengui-v-clark-hill-plc) the law firm to produce “all reports of its forensic investigation into the cyberattack” that led to his personal information being disseminated. While the Clark Hill argued that the report was protected by attorney-client privilege, U.S. District Judge James Boasberg ordered for the document to be turned over last month.
While Boasberg’s decision highlights the vulnerability of breach forensic reports to discovery, lawyers are split on just how loudly to sound the alarm. Stephen Lilley, a partner at Mayer Brown, pointed out that attorney-client privilege has always had its nuances and limitations, even when it comes to breach forensic reports.
“The wrong way to think about this, ‘Hey I’ve got my lawyer involved ,and that’s why everything we do is protected...’ The facts of a cybersecurity incident are never going to be subject to privilege,” Lilley said.
Instead, whether or not a cyber forensics report qualifies for attorney-client privilege may hinge on why the report was commissioned in the first place. In his written opinion (https://casetext.com/case/guo-wengui-v-clark-hill-plc), Boasberg argued that Clark Hill would have commissioned the cyber incident report in the course of normal business proceedings, regardless if litigation had arisen or not—which means that it fails the test for work product protection.
Behnam Dayanim, a partner at Paul Hastings, foresees that line of reasoning becoming more common. “I think the it reflects a growing trend and it is concerning. The courts are showing they are clearly looking more closely at claims of work product or attorney-client protection when it comes to these kinds of forensic reports. And companies need to think carefully about whether they really need these reports and what goes into them,” he said.
But businesses and law firms won’t necessarily be throwing away the idea of conducting breach forensic reports altogether. Jarno Vanto, a partner at Crowell & Moring, argued the there are too many other stakeholders involved in a company’s cybersecurity operation who depend on those documents following a breach.
“I don’t think that [businesses] are going to not order those reports because, for example, there’s pressure coming from insurers to determine what happened,” he said.
But if companies can’t stop producing breach forensic reports altogether, they may settle for narrowing the scope of the content. Dayanim at Paul Hastings noted that it’s not uncommon for forensic reports to be extremely comprehensive, including a variety of findings the are often not directly necessary or relevant to the matter at hand.
If firms or their clients aren’t confident that those reports will remain privileged, they may be inclined to take a more deliberate approach. “Companies and their counsel will think very carefully about when a report is needed and what the scope of that report should be,” Dayanim said.
There may also be more of an effort to root the development of breach forensic reports in litigation from the jump in an attempt to build a stronger argument for attorney-client privilege. For instance, instead of simply CC’ing an attorney on an email chain, some type of substantive legal analysis may actually be incorporated into the body of the document.
“Where there’s discussion of findings, there could be also a discussion about the regulatory requirements alongside those findings or what the regulatory implications of those findings might be. That makes the report become more legal in nature and it would make it harder for a court to say later ‘no, this report is not privileged,’” Dayanim said.
However, it’s not a given that companies will be facing widespread pressure to hand over their breach forensics reports any time soon. Vanto at Crowell & Moring believes that courts will likely continue to issue conflicting rulings on the subject for some time before a more definitive outcome is reached.
“This is an issue that will very likely be heard by the Supreme Court at some point given that the potential differences in rulings at the state level,” he said.
Reprinted with permission from the February 10, 2021 edition of Legaltech News © 2021 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.