Can Computer Forensics Reports be Protected by Attorney Work-Product Privilege?
The answer is maybe; if the proper steps are taken after a cybersecurity attack.
After a cybersecurity attack has occurred, when a company is in the midst of containment and recovery is beginning, hiring an attorney may not seem like a priority. But, hiring an attorney at the right time can protect the company from further attacks by litigious government or plaintiff’s attorneys.
Last year in the Capital One case, the court ordered Capital One to produce the computer forensics report prepared by Mandiant. The court determined the attorney work-product privilege did not apply for several reasons. First, the court concluded that the bank had engaged Mandiant using a non-privileged statement of work (“SOW”). The original SOW was signed before attorneys became involved with the investigation. Second, the court also determined that Mandiant was paid out of business funds and not from legal defense funds. Third, the report was also widely distributed to individuals who were not covered by attorney-client privilege. Finally, the court determined the SOW signed by counsel did not differ substantially from the original SOW signed between Mandiant and Capital One.
Earlier this year, another court in Guo Wengui determined a forensics report prepared after a cyberattack had taken place was not protected by attorney work-product privilege. The court determined that the report did not meet the so-called “because of” test. That is, the report was not prepared because of actual or anticipated litigation and thus could not be protected by privilege. The arguments persuaded the court that the forensics investigation was conducted because of a business necessity and would have been completed even if the company was not anticipating litigation.
In Re Rutter’s Data Security Breach, a third court has now ruled that a computer forensics report is not protected by privilege. In this case, the Third Circuit stated, “[t]he purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred,” and not because of anticipated litigation. Thus, the report was not protected under the attorney work-product privilege.
There is a growing consensus among courts that computer forensics reports cannot be protected by the attorney work-product privilege. Using the analysis from courts in the above cases can provide a roadmap for companies to maximize the ability to claim privilege. Protection of the report may still be possible if proper precautions are taken early in the stages of the investigation, such as:
- Engaging the computer forensics firm through cyber breach counsel;
- Paying for the investigation from legal funds or through cyber breach counsel;
- Specifying that the purpose of the investigation is for litigation purposes;
- Limiting distribution of the report;
- Creating a separate non-privileged version of the report containing only facts which can be shared; and,
- Creating segmentation between the investigation of the facts and the investigation for litigation teams.
Engaging counsel early can preserve the privilege of an investigative report, but the path is becoming more difficult. All indications are that courts will not protect the facts of the investigation but will continue to protect analysis, opinions, and conclusions prepared in anticipation of litigation.
 In re: Capital One Customer Data Security Breach Litigation, E.D. Va., No. 1:19-md-02915
 Guo Wengui v. Clark Hill, PLC, et al., 2021 WL 106417 (D.D.C. 2021)
 In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021)