Risk Update

Information Security, Cyber Risk & Privilege — Update on Clark Hill Cyberattack / Malpractice Suit

Beware: The Report Expressly Prepared for Trial Counsel May Not Be Privileged After All” —

  • “Here’s a common scenario: You discover a potential compliance issue and worry about being sued. You hire outside counsel to help prepare for litigation. Trial counsel in turn hires a consulting firm for the express purpose of helping in its litigation efforts by preparing a report addressing how the breach happened, its effects, and how to prevent another breach. Nothing too unusual, right?”
  • “Here’s the catch: if ‘the Report, or a substantially similar document, would have been created in the ordinary course of business irrespective of litigation’ it may not be privileged after all.”
  • “Applying this rule, a federal court in Washington, D.C. just held that a Report prepared for trial counsel as well as the Report’s associated materials are not privileged and must be produced to plaintiffs. See Wengui v. Clark Hill, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 20201). While Wengui involves a cyber breach, its reasoning applies to any compliance-related investigation.”
  • “During discovery, Clark Hill produced the documents related to its cybersecurity vendor’s work, but claimed the Report prepared for counsel was classic attorney work-product. Clark Hill also argued the Report was subject to the attorney-client privilege.”
  • “The district disagreed. Carefully examining the record, and after conducting an in camera review of the Report, the court determined the Report was in fact an “ordinary course” incident report and ordered its production to plaintiffs. As the court explained, for many entities, ‘discovering how [a cyber] breach occurred [is] a necessary business function regardless of litigation or regulatory inquiries.'”
  • “It did not help Clark Hill’s argument that the Report was not just shared with outside and in-house counsel, but also with Clark Hill’s leadership and IT teams, as well as the FBI. As the court observed, “[t]he Report was probably shared this widely… because it ‘was the once place where [Clark Hill] recorded the facts’ of what had transpired.'”
  • “All compliance officers and outside counsel should heed this observation from the court: ‘Although Clark Hill papered the arrangement using its attorneys, that approach ‘appears to [have been] designed to help shield material from disclosure’ and is not sufficient in itself to provide work-product protection.'”
  • “The court also rejected Clark Hill’s assertion that the attorney-client privilege shielded the Report regarding the data breach from disclosure. The court explained that attorney-client privilege must be ‘applied narrowly,’ to prevent its scope from encompassing “all manner of services” that should not be excluded from litigation.”