Law firm ordered to produce cyberattack report in malpractice action
On January 12, the U.S. District Court for the District of Columbia ordered a law firm to produce a forensic report generated by a consultant retained by the firm’s outside counsel in the wake of the plaintiff’s data breach, concluding that the report and associated materials were neither protected work product nor attorney-client privileged. According to the order, as part of a malpractice action in which the plaintiff, a Chinese entrepreneur, accused the law firm of failing to protect his personal information from hackers, the plaintiff moved to compel the production of “‘all reports of its forensic investigation into the cyberattack’ that led to the public dissemination of [plaintiff]’s confidential information.” The law firm opposed the motion, arguing that it already had turned over all relevant internally generated materials and any other documents were protected by attorney-client and work-product privileges. The law firm argued that the forensic report was only one half of a two-tracked investigation of the incident. On one track, the law firm’s usual cybersecurity vendor worked to investigate the attack to preserve business continuity while on a separate track, a different consultant was retained by counsel for the sole purpose of assisting the law firm in gathering information necessary to render legal advice.
The district court disagreed, concluding that the report is not covered by work-product privilege because the law firm failed to show that the report “‘would [not] have been created in the ordinary course of business irrespective of litigation.’” The court noted that the forensic report summarizes the findings of the investigation and that substantially the same document would have been prepared in any event as part of the ordinary course of the law firm’s business. While seeming to endorse the idea of a two-track investigation, the court noted that the law firm failed to provide any evidence that supported the fact that there were actually two tracks. Among other things, the court noted that the report summarizes findings into the data breach’s “cause, nature, and effect” and was used “for a range of non-litigation purposes,” including being shared with members of the law firm’s leadership and IT team and the FBI. In addition, the court noted that there was no evidence that the law firm’s usual cybersecurity vendor produced any findings, let alone a comprehensive report about the incident. Instead, the court stated that the record suggested that two days after the cyberattack began, the law firm turned to this second consulting firm instead of rather than in addition to the first consulting firm. Moreover, the court rejected the application of attorney-client privilege, concluding that the law firm’s “true objective was gleaning [the security-consulting firm]’s expertise in cybersecurity, not in ‘obtaining legal advice from [its] lawyer.’” The court noted that the report included remediation advice, indicating the security firm was “engaged for immediate ‘incident response.’” Lastly, the court noted the law firm can safely respond to the plaintiff’s interrogatories calling for information regarding other clients impacted by the cyberattack with “appropriate redactions in responsive documents” and “tailored” answers.