Privacy & Information Security Law Blog

On January 12, 2021, in Wengui v. Clark Hill, PLC, et al., the United States District Court for the District of Columbia rejected a law firm defendant’s assertions of the attorney-client privilege and work product doctrine for forensic reporting and other related information associated with its outside counsel’s data breach investigation.

The plaintiff, a Chinese businessperson and prominent political dissident, had retained the defendant law firm to assist him with an asylum petition. A hacker, who the parties believed was associated with the Chinese government, breached the law firm’s computer servers, obtained the plaintiff’s confidential information and then exposed the confidential information on the Internet. The plaintiff sued, alleging various claims including breach of fiduciary duty.

The plaintiff moved to compel production of all the defendant’s forensic investigative reports about the cyberattack. The law firm responded that it had already produced all relevant internally generated materials. However, a security consulting firm, retained by the defendant’s outside litigation counsel, generated other documents sought by the plaintiff. The defendant argued that the attorney-client privilege and work product doctrine shielded these externally prepared materials from disclosure. The parties also disagreed on whether the defendants should provide more complete interrogatory answers regarding its breach investigation and whether it should respond to discovery regarding other victims of the breach. The court sided with the plaintiff on all issues.

Work Product Doctrine

The court found that the law firm defendant failed to show that the forensic report would not have been created in the ordinary course of business irrespective of the litigation. The court rejected the defendant’s argument that the report was merely one half of a two-track investigation, with one track being an ordinary-course investigation and remediation of the attack, and the second track assisting the law firm’s outside litigation counsel in gathering information to render timely legal advice. Distinguishing the two-track approach used in the Target customer data breach litigation, the evidence showed the defendant turned to its legal track “instead of, rather than separate from or in addition to” its ordinary-course investigation. The evidence also showed that the defendant used the forensic reporting for a range of non-litigation purposes, which further weakened the work product assertion. The court added that having outside litigation counsel retain the forensic firm was not sufficient to secure the work product protection.

Attorney-Client Privilege

The court also held that the attorney-client privilege did not apply, largely because the defendant’s true objective in the forensic reporting was to glean cybersecurity expertise (mainly for remediation) rather than to receive legal advice from its outside litigation counsel. Similar to the prior reasoning that distinguished the two-track Target approach for the work product analysis, the court did not find sufficient evidence for the existence of two separate tracks, again noting that the materials were widely shared for non-legal purposes, and taking issue with the large amount of remediation-specific advice.

The court cited to, but did not otherwise discuss, the United States Court of Appeals for the D.C. Circuit’s 2014 and 2015 opinions about the application of the attorney-client privilege and work-product protection in corporate internal investigations. The D.C. Circuit has previously held that blended reasons for a corporate internal investigation do not invalidate the privilege, as long providing legal advice was a “significant purpose” of the investigation.

Impacted Information of Other Defendant Firm Clients

The court also found that information about the cyberattack’s effect on other of the defendant’s clients was discoverable for two reasons. First, the information was relevant because it would inform the sufficiency and reasonableness of the defendant’s cybersecurity posture during the time of the incident. Second, any claim that other clients’ privileged information would be compromised if disclosed could be addressed with appropriate document redactions and tailored interrogatory answers.