Last year’s decision in In re: Capital One Customer Data Security Breach Litigation, E.D. Va., No. 1:19-md-02915, drew widespread attention for its holding compelling the disclosure of a post-security incident report prepared by a forensic consultant. The court’s order signaled a departure from other courts, which have protected reports from disclosure based on either the attorney-client privilege or the attorney work product doctrine. In January 2021, a decision from the U.S. District Court for the District of Columbia joined the Eastern District of Virginia in denying attorney-client privilege and work product protection over an incident response engagement, and compelling the defendant (a law firm) to hand over its incident response report, among other materials. As in the Capital One decision, in Guo Wengui v. Clark Hill, PLC, et al., 2021 WL 106417 (D.D.C. 2021), the court ruled that the defendant failed to satisfy its burden of showing that the incident response report was prepared solely in anticipation of litigation. The court concluded that the law firm would have asked for the report for business reasons, not just for litigation, as evidenced by its sharing of the response report with the FBI as well as the firm’s leadership and internal IT team.
The Wengui decision underscores the advice we’ve previously shared, even before the Capital One decision, centering on the following two core principles (among others):
The Wengui decision is also another reminder that there is never any guarantee that an incident response report will be protected from disclosure. We caution you to prepare a response accordingly and tread carefully, which may include consideration of whether a written report is even necessary.
For more information on this topic, you can view our webinar describing the steps we recommend you take to maximize the case for attorney-client privilege and work product protection in this context.