Clifford Chance

A law firm was recently ordered to disclose a forensic investigation report prepared following a data breach, despite the report being prepared at the instruction of outside counsel.

Plaintiffs often file civil suits in the wake of data breaches and, during discovery, they often seek disclosure of investigative reports prepared by forensic experts that detail the cause and scope of the breach. These reports can have a significant impact on the course of civil litigation because they may describe whether the victim of the breach employed best practices and adhered to industry standards with regard to cyber security.

A number of courts have now grappled with the issue of whether these reports are shielded from disclosure by the attorney work product doctrine, which broadly can protect from disclosure documents prepared by attorneys or their agents in anticipation of litigation. Courts will consider a number of factors when making this determination, but will commonly have to decide whether the report was created specifically for the purposes of litigation or if the report would have been created in the ordinary course of business, regardless of the prospect of litigation.

In this case, a former client of a law firm, Clark Hill, sued the firm after it was hacked and the client's personal information was publicly disclosed. The plaintiff sought disclosure of the investigation reports prepared by forensic experts hired by Clark Hill (through outside counsel). The court held that the report did not constitute work product, finding that:

• An investigation report into the breach was a necessary business function, and a report similar to the one at issue would likely have been created absent the threat of litigation.
• The report had been shared with Clark Hill leadership and IT personnel as well as with the FBI.
• The court rejected Clark Hill's argument that it had engaged two forensic security firms to conduct a dual-track investigation, one for business purposes and the other in anticipation of litigation. The court acknowledged that Clark Hill had retained outside counsel and a new security firm to investigate and advise on the breach, but ultimately held that Clark Hill had "papered the arrangement" to prevent disclosure of the report.

The court also rejected Clark Hill's argument that the report was protected by attorney-client privilege, finding that Clark Hill's objective was to obtain the forensic expert's cybersecurity expertise, not legal advice from its outside counsel.

This decision adds to a growing list of Courts that have ordered disclosure of investigative reports prepared in the wake of data breaches. Previously, production of similar forensic reports was ordered in litigation involving the Premera Blue Cross and Capital One data breaches. However, courts held that forensic reports regarding the Target and Experian data breaches were protected work product.

Key Takeaways:

• Consider a dual-track investigation. When responding to a very large data breach, companies should consider hiring a separate cyber security firm to work under the direction of counsel to conduct an investigation in anticipation of litigation, while separately engaging their existing cyber security service provider to prepare a report that will not be protected from disclosure and that can be used for purposes of responding to incident. The court analyzing the Target forensic report accepted that Target had created multiple investigative teams with the intention of creating one forensic report for business purposes and another to enable legal counsel to provide advice in relation to litigation, holding that the latter was protected work product. Although Clark Hill argued that they had put in place a similar dual-track investigation, the court found that they had in fact engaged a new consultant to create a report instead of their normal cyber security service provider.
• Limit the circulation of the report. An investigative report prepared for legal purposes should only be shared with a core group of legal personnel and senior managers tasked with advising the company on its response to the breach. Courts in both the Capital One and Clark Hill decisions pointed to the fact that the reports were circulated widely when determining they were not protected work product.
• Narrowly craft the scope of the report. In most instances, it will not be practical to conduct a dual-track investigation and companies should prepare for the possibility that any forensic report may be subject to disclosure in subsequent litigation. Therefore, it is advisable to ensure that the forensic report does not contain extraneous information that could be damaging in subsequent litigation, such as a discussion of compliance failures or an assessment of employee conduct.