Home
All Resources
Consilio Advanced Learning Institute

Can Cyber Breach Investigation Reports Be Protected Work Product?

Written by admin

Updated: Oct 06, 2022

Authors

Matthew Verga, Esq.

Director of Education

About Author

Matthew Verga is an attorney, consultant, and eDiscovery expert proficient at leveraging his legal experience, his technical knowledge, and his communication skills to make complex eDiscovery topics accessible to diverse audiences. A fifteen-year industry veteran, Matthew has worked across every phase of the EDRM and at every level, from the project trenches to enterprise program design. As Director of Education for Consilio, he leverages this background to produce engaging educational content to empower practitioners at all levels with knowledge they can use to improve their projects, their careers, and their organizations.

More from the author

In the recent cases of In re Capital One and Wengui, courts consider whether and when a cybersecurity vendor’s breach investigation report can be protected work product

As we have noted before, cyberattacks are a growing area of concern, both inside and outside of the legal industry, and “cyberattacks in 2020 were particularly crippling because of how much more legal professionals relied on email and internet-based access to maintain operations.” With so many breaches occurring and so many breach investigations being conducted, it is important to consider the discoverability of reports and other materials generated by those investigations. As two recent cases demonstrate, it can be difficult to satisfy the requirements for work product protection of such reports.

In re Capital One

In the case of In re Capital One Consumer Data Sec. Breach Litig., MDL No. 1:19md2915 (AJT/JFA) (E.D. Va. May. 26, 2020), before the March 2019 data breach that gave rise to the litigation, the defendant had previously entered into a Master Services Agreement and a series of Statements of Work with a service provider for cybersecurity incident response services, including:

. . . computer security incident response support; digital forensics, log, and malware analysis support; and incident remediation assistance and . . . a detailed final report covering the engagement activities, results and recommendations for remediation in a written detailed technical document.

The cost of the retainer was treated internally as a “Business Critical” expense rather than a “Legal” one.

After the breach was discovered in July 2019, the defendant retained a law firm “to provide legal advice in connection with the data breach incident,” and that law firm then signed a “Letter Agreement” with the defendant and their service provider, for the service provider to perform work “at the direction of counsel” under the same terms as it had been providing services to the defendant, with “deliverables . . . provided to counsel instead of” the defendant.

The service provider completed its initial report by early September, which was initially provided to the law firm, which later provided it to the defendant’s legal department and Board of Directors. The report was also provided to certain regulators and to the defendant’s accounting firm. The service provider was paid for this initial work out the retainer previously paid by the defendant.  Subsequent work by the service provider was also paid for by the defendant. A few months later, the defendant internally re-designated those expenditures “as legal expenses and deducted against [the] legal department’s budget.”

In spring 2020, the plaintiffs moved to compel the production of the service provider’s report, and the defendant opposed this motion on the grounds that the report was “entitled to protection under the work product doctrine.”

The Magistrate Judge’s Analysis

The Magistrate Judge summarized the federal rules and cases related to work product protection, which establish a two-prong standard that:

. . . work product protection applies when the party faces an actual claim or a potential claim following an actual event or series of events that reasonably could result in litigation and the work product would not have been prepared in substantially similar form but for the prospect of that litigation.  [internal citation and footnote omitted]

The Magistrate Judge found that there was clearly anticipation of litigation in this case, satisfying the first prong and making the dispositive issue “whether the [] Report would have been prepared in substantially similar form but for the prospect of that litigation.”

Ultimately, because the services provided pursuant to the Letter Agreement with the law firm were the same as those contracted for already under the previously existing agreement with the defendant, and because the report was also used for important regulatory and business purposes, the Magistrate Judge concluded that the same report would have been generated in the same form and for the same uses regardless of the law firm’s involvement in the process. Thus, it did not pass the “but for” test articulated by the applicable case law. “The retention of outside counsel does not, by itself, turn a document into work product.”

The District Judge’s Review

Subsequently, in June, the District Judge conducted a de novo review and came to the same conclusion as had the Magistrate Judge:

There appears to be no dispute as to the Magistrate’s finding concerning the first prong and, after de novo review, the Court concludes, after considering the totality of the evidence, that the Magistrate Judge properly applied the second prong in concluding that the Report did not enjoy work product protection.

Wengui

More recently, in the case of Wengui v. Clark Hill PLC, et al., No. 1:2019cv03195 (D.D.C. January 12, 2021), the plaintiff “moved to compel [the defendant], his former law firm, to produce ‘all reports of its forensic investigation into the cyberattack’ that led to the public dissemination of [the plaintiff’s] confidential information.” The defendant turned over its “internally generated materials,” but argued that the documents generated by its “external security-consulting firm” were “covered by both the attorney-client and work-product privileges.”

The defendant explained that the consulting firm in question was not its usual cybersecurity vendor and was retained, not by them, but by their outside litigation counsel to prepare for the coming litigation. They argued that the vendor’s report was one-half of a two-track investigation: one track run by the defendant’s usual vendor focused on “business continuity” and “remediation,” and one track run by their outside counsel’s vendor “for the sole purpose of assisting [the firm] in gathering information necessary to render timely legal advice.”

The defendant’s interrogatory responses and produced documents, however, made it clear that the defendant was actually relying on their outside counsel’s vendor for everything: “. . . there is no evidence that [the defendant’s usual vendor] ever produced any findings, let alone a comprehensive report like the one produced by [their outside counsel’s vendor].”  “The record instead suggests that . . . two days after the cyberattack began, [the defendant] turned to [their outside counsel’s vendor] instead of, rather than separate from or in addition to,” their usual vendor [emphasis in original]. Moreover, “the Report was shared not just with outside and in-house counsel, but also with ‘select members of [the defendant’s] leadership and IT team,’” as well as the FBI, and it was utilized for purposes beyond just preparation for litigation.

After reviewing the same two-pronged standard as in the prior case, the District Judge concluded that the defendant had “not met its burden to show that the Report, or a substantially similar document, ‘would [not] have been created in the ordinary course of business irrespective of litigation’” [citation omitted].

Key Takeaways

To be considered a protected work product in federal courts, a breach investigation report (a) must have been prepared in anticipation of litigation, and (b) the report must be something that would not have been prepared in substantially similar form but for the prospect of that litigation. Sharing such a report with non-lawyers, relying upon it for business or regulatory purposes as well as legal ones, or having it prepared by an existing vendor under an existing contract will all undermine attempts to satisfy this two-prong test.

In the recent cases of In re Capital One and Wengui, courts consider whether and when a cybersecurity vendor’s breach investigation report can be protected work product

As we have noted before, cyberattacks are a growing area of concern, both inside and outside of the legal industry, and “cyberattacks in 2020 were particularly crippling because of how much more legal professionals relied on email and internet-based access to maintain operations.” With so many breaches occurring and so many breach investigations being conducted, it is important to consider the discoverability of reports and other materials generated by those investigations. As two recent cases demonstrate, it can be difficult to satisfy the requirements for work product protection of such reports.

In re Capital One

In the case of In re Capital One Consumer Data Sec. Breach Litig., MDL No. 1:19md2915 (AJT/JFA) (E.D. Va. May. 26, 2020), before the March 2019 data breach that gave rise to the litigation, the defendant had previously entered into a Master Services Agreement and a series of Statements of Work with a service provider for cybersecurity incident response services, including:

. . . computer security incident response support; digital forensics, log, and malware analysis support; and incident remediation assistance and . . . a detailed final report covering the engagement activities, results and recommendations for remediation in a written detailed technical document.

The cost of the retainer was treated internally as a “Business Critical” expense rather than a “Legal” one.

After the breach was discovered in July 2019, the defendant retained a law firm “to provide legal advice in connection with the data breach incident,” and that law firm then signed a “Letter Agreement” with the defendant and their service provider, for the service provider to perform work “at the direction of counsel” under the same terms as it had been providing services to the defendant, with “deliverables . . . provided to counsel instead of” the defendant.

The service provider completed its initial report by early September, which was initially provided to the law firm, which later provided it to the defendant’s legal department and Board of Directors. The report was also provided to certain regulators and to the defendant’s accounting firm. The service provider was paid for this initial work out the retainer previously paid by the defendant.  Subsequent work by the service provider was also paid for by the defendant. A few months later, the defendant internally re-designated those expenditures “as legal expenses and deducted against [the] legal department’s budget.”

In spring 2020, the plaintiffs moved to compel the production of the service provider’s report, and the defendant opposed this motion on the grounds that the report was “entitled to protection under the work product doctrine.”

The Magistrate Judge’s Analysis

The Magistrate Judge summarized the federal rules and cases related to work product protection, which establish a two-prong standard that:

. . . work product protection applies when the party faces an actual claim or a potential claim following an actual event or series of events that reasonably could result in litigation and the work product would not have been prepared in substantially similar form but for the prospect of that litigation.  [internal citation and footnote omitted]

The Magistrate Judge found that there was clearly anticipation of litigation in this case, satisfying the first prong and making the dispositive issue “whether the [] Report would have been prepared in substantially similar form but for the prospect of that litigation.”

Ultimately, because the services provided pursuant to the Letter Agreement with the law firm were the same as those contracted for already under the previously existing agreement with the defendant, and because the report was also used for important regulatory and business purposes, the Magistrate Judge concluded that the same report would have been generated in the same form and for the same uses regardless of the law firm’s involvement in the process. Thus, it did not pass the “but for” test articulated by the applicable case law. “The retention of outside counsel does not, by itself, turn a document into work product.”

The District Judge’s Review

Subsequently, in June, the District Judge conducted a de novo review and came to the same conclusion as had the Magistrate Judge:

There appears to be no dispute as to the Magistrate’s finding concerning the first prong and, after de novo review, the Court concludes, after considering the totality of the evidence, that the Magistrate Judge properly applied the second prong in concluding that the Report did not enjoy work product protection.

Wengui

More recently, in the case of Wengui v. Clark Hill PLC, et al., No. 1:2019cv03195 (D.D.C. January 12, 2021), the plaintiff “moved to compel [the defendant], his former law firm, to produce ‘all reports of its forensic investigation into the cyberattack’ that led to the public dissemination of [the plaintiff’s] confidential information.” The defendant turned over its “internally generated materials,” but argued that the documents generated by its “external security-consulting firm” were “covered by both the attorney-client and work-product privileges.”

The defendant explained that the consulting firm in question was not its usual cybersecurity vendor and was retained, not by them, but by their outside litigation counsel to prepare for the coming litigation. They argued that the vendor’s report was one-half of a two-track investigation: one track run by the defendant’s usual vendor focused on “business continuity” and “remediation,” and one track run by their outside counsel’s vendor “for the sole purpose of assisting [the firm] in gathering information necessary to render timely legal advice.”

The defendant’s interrogatory responses and produced documents, however, made it clear that the defendant was actually relying on their outside counsel’s vendor for everything: “. . . there is no evidence that [the defendant’s usual vendor] ever produced any findings, let alone a comprehensive report like the one produced by [their outside counsel’s vendor].”  “The record instead suggests that . . . two days after the cyberattack began, [the defendant] turned to [their outside counsel’s vendor] instead of, rather than separate from or in addition to,” their usual vendor [emphasis in original]. Moreover, “the Report was shared not just with outside and in-house counsel, but also with ‘select members of [the defendant’s] leadership and IT team,’” as well as the FBI, and it was utilized for purposes beyond just preparation for litigation.

After reviewing the same two-pronged standard as in the prior case, the District Judge concluded that the defendant had “not met its burden to show that the Report, or a substantially similar document, ‘would [not] have been created in the ordinary course of business irrespective of litigation’” [citation omitted].

Key Takeaways

To be considered a protected work product in federal courts, a breach investigation report (a) must have been prepared in anticipation of litigation, and (b) the report must be something that would not have been prepared in substantially similar form but for the prospect of that litigation. Sharing such a report with non-lawyers, relying upon it for business or regulatory purposes as well as legal ones, or having it prepared by an existing vendor under an existing contract will all undermine attempts to satisfy this two-prong test.

Fill out the form below to download the complete insight.

Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard Island and McDonald Islands
Holy See (Vatican City State)
Honduras
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Sign up for Consilio updates

Discover, learn and grow with the latest insights from Consilio
Thank you! Your submission has been received!
By clicking Subscribe you are confirming that you agree with our Privacy Policy
Oops! Something went wrong while submitting the form.