LITIGATION
Protecting Privileged Forensic Reports By MATT WHITE AND ALEX KOSKEY
I
magine that after experiencing a data breach and taking all the necessary steps, including retaining a forensic vendor to conduct an investigation, your organization is named as a defendant in a class action lawsuit arising from the breach. To make matters worse, plaintiffs’ attorneys are seeking to compel the production of the forensic report prepared by your vendor.
14
It has become increasingly difficult for companies to protect forensic reports prepared in connection with a data breach. Despite their sensitive nature, these reports are frequently sought by plaintiffs’ attorneys in cyber-related litigation because they can provide a roadmap for their claims. Recent case law reveals that many courts are finding ways to compel the production of these reports.
TODAYSGENERALCOUNSEL.COM DECEMBER 202 1
The U.S. District Court for the District of Columbia was the latest court to hand down such a ruling in Guo Wengui v. Clark Hill, PLC. On January 12, 2021, the court ordered Clark Hill to produce the forensic report prepared by its forensic vendor at the direction of legal counsel. The court concluded that the report would have been created for business reasons irrespective of the litigation and thus failed the test relied upon to decide whether a document is protected by the work-product doctrine. Clark Hill did not meet its burden in demonstrating that the report would not have been created regardless of ongoing litigation, considering that forensic investigation reports following a data incident are necessary to respond to such incidents. The court found that the forensic vendor’s role “was far broader than merely assisting outside counsel in preparation for litigation” and, as such, the report could not be protected under the work-product doctrine. Previously, the U.S. District Court for the Eastern District of Virginia, overseeing multi-district litigation following the 2019 Capital One data breach, rejected claims that Capital One’s forensic report was protected based on similar reasoning. Despite having prepared two separate reports, distributing the report only to mostly legal staff, paying for the report primarily from the legal budget, and signing an engagement letter by its attorneys, the court found that Capital One failed to distinguish the forensic report from one that would have BACK TO CONTENTS
