As seen in the New York Law Journal
The COVID-related increase in the number of employees working remotely has created an unexpected consequence: heightened risk of cyberattacks as employees are logging on to office networks through personal computers which may not be as secure as office environments. Inasmuch as it often takes six months or more for the unprotected business to realize that it has been violated, many of the intrusions which have already occurred have yet to surface, likely leading to a spate of ancillary litigation during 2022.
When a lawsuit related to such an intrusion inevitably occurs, counsel’s first call will likely be to a cybersecurity company that can provide potential expert witness services on the “5Ws” (who, what, where, when and why) concerning the attack. Oftentimes, the violated company may not have cybersecurity services in place prior to the intrusion, and the retention of the expert will originate with counsel. But what occurs when a cybersecurity vendor is already in place at the time the attack occurred prior to counsel’s retention? How can counsel coordinate with a vendor to prepare for trial and gain a technical understanding—which is cloaked by privilege—such that the corresponding reports are shielded from disclosure?
Qualifying for the benefits of the Work Product Doctrine is essential to ensure that documents and communications remain shielded from disclosure during discovery. However, courts generally disfavor assertions of evidentiary privileges because they shield evidence from the truth-seeking process; as such, these privileges are confined to the narrowest limits. Thus, proper formalities must be implemented to avoid the waiver of the protections afforded by the Work Product Doctrine.
The ‘Capital One’ Litigation
In a relatively recent decision from the U.S. District Court, Eastern District of Virginia, In re Capital One Consumer Data Security Breach Litigation, 2020 WL 2731238 (E.D. Va. May 26, 2020), aff’d 2020 WL 3470261 (E.D. Va. June 25, 2020), the court stressed the necessity of adhering to formalities to afford a party the benefit of the Work Product Doctrine. Beginning in 2015, Capital One entered into a Master Services Agreement with FireEye Inc. d/b/a Mandiant (Mandiant) to provide cybersecurity services to Capital One. Thereafter, Capital One would enter into periodic “Statements of Work” providing for incident response services in the event such services were needed. On Jan. 7, 2019, the relevant Statement of Work was entered into for incident response services in the following areas: computer security incident response support; digital forensics, log, and malware analysis support; and incident remediation assistance. Mandiant would provide a detailed report covering the engagement activities, including results and recommendations for remediation in a written detailed technical document. Significantly, the retainer for such agreement was designated as a “Business Critical” expense, not a “Legal” expense.
Two months later during March 2019, a data breach occurred when an unauthorized individual gained access to personal information for Capital One’s customers. In response, Capital One retained counsel to provide legal advice related to the data breach and both Capital One and counsel entered into a Letter Agreement with Mandiant to provide services and advice concerning “computer security incident response; digital forensics, log, and malware analysis; and incident remediation.” The payment terms were identical to those contained in the January 7, 2019 Statement of Work and the parties agreed in the Letter Agreement to abide by the same terms as the 2015 Master Services Agreement and the aforementioned Statement of Work; however, Mandiant would now work at the direction of Capital One’s counsel.
On July 29, 2019, Capital One issued a public statement regarding the data breach and a litany of lawsuits against Capital One soon followed. Mandiant performed services outlined in the Letter Agreement; prepared a report detailing the circumstances surrounding the breach; and issued its report on Sept. 4, 2019. Payment was made to Mandiant from the retainer provided to it in accordance with the January 2019 Statement of Work; after it was exhausted, Mandiant was paid directly by Capital One through the budget for the cyber department. In December 2019, these expenses were re-designated as legal expenses. The Mandiant Report was initially sent to its counsel, which then provided the report to Capital One’s Legal Department, Board of Directors, 50 Capital One Employees, four regulators and the accounting firm Ernst & Young.
Analysis
The Capital One litigation adversary filed a motion to compel production of the Mandiant Report. Based on the foregoing facts, the court found that the Mandiant Report was not protected from disclosure by application of the Work Product Doctrine. The court began its discussion noting that it was “well-established that courts generally disfavor assertions of evidentiary privileges because they shield evidence from the truth-seeking process; as such, they are to be narrowly and strictly construed so that they are confined to the narrowest possible limits consistent with the logic of its principle” and turned to Federal Rule of Evidence 502 which defines the work-product protection as “the protection that applicable law provides for tangible material (or its intangible equivalent) prepared in anticipation of litigation or for trial.” The court also noted that the protections are not warranted by the fact that litigation existed, but the material must be prepared “because of” litigation.
The court determined that the Work Product Doctrine did not apply here because the Mandiant Report was: (1) substantially similar to the report/services commissioned prior to the prospect of litigation; (2) paid for as a “business-critical” expense and not a “legal” expense; (3) widely distributed throughout Capital One for non-legal purposes; (4) used for financial/regulatory reporting purposes (as opposed to distinctly legal purposes); and (5) created in substantially the same form even without the prospect of litigation.
The ‘Guo Wengui’ Litigation
Thereafter, in a decision from the U.S. District Court, District of Columbia, Guo Wengui v. Clark Hill, PLC, 338 F.R.D. 7 (D.D.C. Jan. 12, 2021), the court expanded on the Capital One rationale and held that even where a cybersecurity services company was retained by client’s counsel, the company’s report (which summarized an investigation of the cyber-intrusion and recommended certain remediations) was neither protected by the Work Product Doctrine nor attorney-client privilege. According to the decision, in or about 2016, plaintiff, a businessman and well-known Chinese political dissident, retained defendant to assist plaintiff in applying for political asylum in the United States. On Sept. 12, 2017, defendant’s computer system was hacked and plaintiff’s confidential information, including the contents of his asylum petition, were published and disseminated on social media. On Sept. 14, 2017, defendant hired outside counsel in anticipation of litigation related to the cyber-intrusion and, on the same day, outside counsel retained Duff & Phelps (an external security-consulting firm) for immediate “incident response” as the attack may have been ongoing. Duff & Phelps created an investigation report which summarized its investigation into the cyber-intrusion and recommendations on how defendant could improve its cybersecurity.
Plaintiff moved to compel defendant to produce “all reports of its forensic investigation into the cyberattack” that led to the public dissemination of plaintiff’s confidential information. Defendant objected to the production and claimed that the Duff & Phelps Report was protected by both attorney-client and work-product privileges.
The court held that the Duff & Phelps Report was not protected under the Work Product Doctrine where Duff & Phelps’ role appeared “broader than merely assisting outside counsel in preparation for litigation.” Defendant was unable to show that the Report, or a substantially similar document, which summarized the findings of an investigation into the cyber-intrusion would not have been created by defendant in the ordinary course of its business irrespective of litigation. Further, the Duff & Phelps Report was used for non-litigation purposes where it was shared with defendant’s IT team and the FBI. The court also held that the Duff & Phelps Report was not protected by attorney-client privilege where the Report contained non-legal advice, including “specific recommendations on how Clark Hill should tighten its cybersecurity.”
Lessons Learned
The foregoing decisions provide a roadmap for savvy counsel to guide the retention of an expert while simultaneously preserving applicable privileges from disclosure, including: implementing a Kovel retainer agreement; keeping legal expenses and business expenses separate; and distributing potential work-product materials only to those on a “need to know” basis incident to the pending litigation.
For many businesses it is not a matter of if, but when, a cyberattack will occur. Counsel for a cyber-violated business will need to serve as the point person directing the global response so to ensure not only that business-related functions are secure, but that important legal protections are not undermined as a result of the same.
If your business needs legal help, contact us for assistance.