Last year’s decision in In re: Capital One Customer Data Security Breach Litigation, E.D. Va., No. 1:19-md-02915, drew widespread attention for its holding compelling the disclosure of a post-security incident report prepared by a forensic consultant. The court’s order signaled a departure from other courts, which have protected reports from disclosure based on either the attorney-client privilege or the attorney work product doctrine. In January 2021, a decision from the U.S. District Court for the District of Columbia joined the Eastern District of Virginia in denying attorney-client privilege and work product protection over an incident response engagement, and compelling the defendant (a law firm) to hand over its incident response report, among other materials. As in the Capital One decision, in Guo Wengui v. Clark Hill, PLC, et al., 2021 WL 106417 (D.D.C. 2021), the court ruled that the defendant failed to satisfy its burden of showing that the incident response report was prepared solely in anticipation of litigation. The court concluded that the law firm would have asked for the report for business reasons, not just for litigation, as evidenced by its sharing of the response report with the FBI as well as the firm’s leadership and internal IT team.
The Wengui decision underscores the advice we’ve previously shared, even before the Capital One decision, centering on the following two core principles (among others):
The Wengui decision is also another reminder that there is never any guarantee that an incident response report will be protected from disclosure. We caution you to prepare a response accordingly and tread carefully, which may include consideration of whether a written report is even necessary.
For more information on this topic, you can view our webinar describing the steps we recommend you take to maximize the case for attorney-client privilege and work product protection in this context.
Disclaimer
Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.