On January 12, 2021, the U.S. District Court for the District of Columbia granted a motion to compel production of allegedly privileged cybersecurity documents in Guo Wengui v. Clark Hill, PLC, 1:19-cv-03195.  In doing so, the Court determined that the Defendant’s cybersecurity assessment was neither covered by work product protection nor attorney client privilege because the Defendant law firm would have investigated the breach in the same way as a business function.

Factual Circumstances

 In August 2017, the Plaintiff, a Chinese national and dissident, retained Defendant, a DC law firm, to assist him in seeking U.S. asylum.  The Plaintiff allegedly warned Defendant that he could be the subject of persistent cyberattacks and provided Defendant with highly sensitive and confidential information about his political activities.  In September 2017, Defendant was victim to a cyberattack, exposing Plaintiff’s confidential information including his complete asylum application, which was subsequently published on social media.  Defendant terminated their representation of Plaintiff shortly after the cyberattack.

Plaintiff filed suit against his own lawyers in September 2019, seeking compensatory monetary damages of at least $50M and punitive damages against Defendant.  During fact discovery, Plaintiff sought production of an allegedly privileged cybersecurity assessment, as well as information related to Defendant’s other clients affected by the same cyberattack.

No Protection for a Cybersecurity Assessment Conducted for Business Purposes

The Court determined that the disputed cybersecurity assessment was not subject to work product protection because it was neither prepared for litigation defense nor relied upon to render legal advice.

The Court reiterated that work product protection covered documents “prepared in anticipation of litigation” and but not documents that “would have been created ‘in substantially similar form’ regardless of the litigation.”  Applying these principles, the Court decided that Defendant would have investigated the cyberattack’s cause, irrespective of potential litigation, because law firms remediate data breaches as a necessary business function.

The Court rejected Defendant’s argument that the disputed cybersecurity assessment was protected because it was prepared to assist outside counsel in providing legal advice.  More specifically, Defendant asserted that it initiated two parallel cyber assessments. The first report was prepared by vendor eSentire for the Defendant’s business needs, including remediation (the “eSentire Report”). Defendant had already produced this report in litigation. The report in question, however, was the second report. The Defendant alleged that the second report was protected under the work product doctrine because it was prepared by vendor Duff & Phelps on behalf of outside counsel to provide legal advice to Defendant (the “Phelps Report”).  The Court found Defendant’s two-track investigation to be unsupported. Because the eSentire Report lacked the same detailed findings of the Phelps Report about the cause of the breach and proposed remediation, the Court determined that Defendant had primarily relied upon the Phelps Report to investigate the root vulnerabilities exploited in the cyberattack.

Moreover, Defendant shared the Phelps Report beyond counsel, including with Defendant’s leadership and IT teams for non-litigation purposes, which distinguished this from other decisions that upheld work product protection where defendants withheld allegedly protected cybersecurity assessments from their incident response teams. For similar reasons, the Court rejected arguments that the Phelps Report was protected by attorney client privilege under the Kovel doctrine[1] because Defendant was primarily seeking expertise of the cybersecurity security firm for business purposes and not the legal advice of outside counsel. The court cited to the recommendations for remediation that were contained in the Phelps Report, but not the eSentire Report, as evidence that Defendant was relying upon the Phelps Report for remediation purposes.

The Court distinguished the Defendant’s posture from that of Target in In re Target Corp. Customer Data Sec. Breach Litig.[2] Unlike Defendant, Target’s investigation for the purpose of legal advice was separate and distinct from any business purpose. In addition, Target’s report was not circulated beyond counsel and did not focus on remediation or other business purposes as the Phelps Report did.

Redactions Sufficient to Cover Privilege and Confidentiality of Other Law Firm Clients

The Court determined that Defendant’s concerns about privilege and confidentiality of its other clients did not outweigh the interests of fact discovery, and stated that appropriate redactions and tailored interrogatory responses could safeguard the privilege and confidentiality. The Court noted that Plaintiff’s requests for information about others impacted by the cyberattack were relevant to the sufficiency and reasonableness of Defendant’s cybersecurity when the attack occurred.

Takeaways

Although not binding upon other trial courts, the Guo decision provides additional guidance on what factors courts may use to make privilege determinations in future cybersecurity cases. Guo suggests that courts may begin to scrutinize more closely the purpose and dissemination of cybersecurity assessments. Even when assessments are prepared on behalf of outside counsel and conducted in parallel with other business assessments, court might still dissect the content, use, and sharing of the respective reports.  In order to bolster work product and attorney client privilege protection, Companies would be wise to conduct cybersecurity assessments at the direction of legal counsel—separate from any other business purposes—and keep a close hold on such assessments, sharing them only with counsel and other parties necessary for the provision of legal advice.

[1] Linde Thomson Langworthy Kohn & Van Dyke, P.C. v. Resolution Tr. Corp., 5 F.3d 1508, 1514–15 (D.C. Cir. 1993)

[2] In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384, at *2–3 (D. Minn. Oct. 23, 2015)