In Wengui v. Clark Hill, Civil Action No. 19-3195 (JEB), 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021), Judge Boasberg ordered production of internal investigation reports regarding a cybersecurity breach, which were not protected by the attorney-client or work-product privileges.

Malicious cyberattacks have unfortunately become a routine part of our modern digital world. So have the lawsuits that follow them, alleging, as this one does, that the hacked institution failed to take sufficient precautions to protect the plaintiff’s data. During such litigation, disputes frequently arise over whether documents generated by the defendant in the wake of a data breach — e.g., forensic reports, analyses, and internal communications — are privileged or instead must be turned over in discovery. See, e.g., In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190, 193-94 (E.D. Va. 2019) (citing cases). This Court now adds its thoughts to the accumulating caselaw. Plaintiff Guo Wengui has moved to compel Defendant Clark Hill, PLC, his former law firm, to produce “all reports of its forensic investigation into the cyberattack” that led to the public dissemination of Mr. Guo’s confidential information. See ECF No. 25-1 (Mot.) at 3; see generally Guo Wengui v. Clark Hill, PLC, 440 F. Supp. 3d 30 (D.D.C. 2020) (discussing Plaintiff’s allegations). He also asks that the Court mandate that Defendant provide more complete answers to certain interrogatories regarding its investigation into the hack. See Mot. at 3. Clark Hill rejoins that it has turned over all relevant internally generated materials and that the other documents Plaintiff seeks, which were produced by external security-consulting firm Duff & Phelps, are covered by both the attorney-client and work-product privileges. See ECF No. 30-1 (Opp.) at 2. The firm points out that it did not hire Duff & Phelps; instead, the consultants were retained by Defendant’s outside litigation counsel Musick, Peeler & Garrett to assist in MPG’s representation of Clark Hill and to help “prepare for litigation stemming from the attack.” Id. 
The firm also refuses to answer Plaintiff’s interrogatories seeking “Clark Hill’s understanding of the facts or reasons why” the attack occurred, claiming that “its ‘understanding’ of the progression of the . . . incident is based solely on the advice of outside counsel and consultants retained by outside counsel” and is therefore privileged. See ECF No. 29-4 (Defendant’s Third Supplemental Interrogatory Responses) at 13-14; see also id. at 19 (declining to answer interrogatory regarding effect of attack “to the extent it calls for knowledge that Clark Hill obtained as a result of its consultations with outside counsel and consultants retained by outside counsel”). Separately, Clark Hill also maintains that it cannot respond to Guo’s additional requests for “information or documents related to [its] clients other than Plaintiff” who may (or may not) have been affected by the hack at issue, on the grounds that such information is both irrelevant and privileged. See Opp. at 22-24. For the reasons that follow, the Court finds that the Duff & Phelps Report and associated materials are neither protected work product nor attorney-client privileged. It also concludes that Clark Hill must provide the documents requested by Plaintiff regarding the cyberattack’s effect on other firm clients, subject to appropriate redactions. The Court, accordingly, will grant Plaintiff’s Motion to Compel.

The Court also ordered discovery of the effect of the cyberattack on the Firm’s other clients.

Defendant separately resists Plaintiff’s discovery requests for information relating to the effect of the cyberattack on firm clients other than Guo himself. See Opp. at 22-24. For instance, Plaintiff has served a request for production seeking “[a]ll documents reflecting that the ‘hacking’ . . . resulted in a third party’s obtaining . . . information, data, or material regarding any Clark Hill client other than or in addition to plaintiff.” ECF No. 29-18 (March 11 RFP), ¶ 18. Clark Hill claims that this sort of information is both irrelevant and privileged. See Opp. at 22-23. Here, too, the Court will grant Plaintiff’s Motion to Compel: the information is clearly relevant, and appropriate redactions can assuage any privilege or privacy concerns. As to relevance, the scope of the attack is directly germane to a central issue in the case — namely, in Defendant’s own words, “the sufficiency and reasonableness of Clark Hill’s cybersecurity in September 2017.” Id. at 23. One easily conjured example: if the attack was largely focused on Plaintiff, that might suggest that a reasonable custodian of his documents should have been aware that he in particular was a target and should thus have taken appropriate special precautions. If the attack, conversely, was more of a fishing expedition aimed at a wide swath of the firm’s closely held information, that might suggest the opposite. Or perhaps, if the attack was indeed broad, one could argue that a reasonably prudent custodian should have detected it sooner. In short, the sort of information Plaintiff seeks is directly relevant; and even if it were not, there is a “reasonable likelihood that allowing discovery of the[se] documents will lead to discovery of [other] evidence [that is] relevant,” which renders them discoverable under Rule 26. Food Lion, Inc. v. United Food & Commercial Workers Int’l Union, AFL-CIO-CLC, 103 F.3d 1007, 1013 (D.C. Cir. 1997). 
The firm also contends that it cannot fully answer interrogatories or turn over documents relating to the hack’s effect on its other clients because doing so would reveal that it represents those individuals, and the fact of representation itself is attorney-client privileged. See Opp. at 3, 24. That does not quite state the law accurately. As this Court has previously explained, “Under the general rule, the attorney-client privilege does not protect from disclosure the identity of the client . . . and the general purpose of the work performed.” Cause of Action Inst. v. U.S. Dep’t of Justice, 330 F. Supp. 3d 336, 350 (D.D.C. 2018) (citation and internal quotation marks omitted). On the other hand, “when a client’s identity is sufficiently intertwined with the client’s confidences,” the privilege does apply. Id. (cleaned up and citations omitted). At this point, Defendant (which bears the burden to demonstrate that the privilege applies) has given the Court no way of knowing whether the latter situation is applicable to any documents at issue. That said, however, privilege is not the only consideration here. Discovery must be both “relevant” and “proportional to the needs of the case,” Fed. R. Civ. P. 26(b)(1), and the Court doubts that the precise identity of any Clark Hill client is relevant to the issues here. To the extent that it is, its germaneness is likely weak enough to be outweighed by the clients’ privacy interests. See Henson v. Turn, Inc., No. 15-1497, 2018 WL 5281629, at *5 (N.D. Cal. Oct. 22, 2018) (“Courts and commentators have recognized that privacy interests can be a consideration in evaluating proportionality . . . .”). It thus seems to the Court that Defendant can fully safeguard the identity of its clients and any of their confidences, if applicable, with appropriate redactions in responsive documents and with tailored interrogatory answers.
There is no basis, however, for its blanket refusal to respond to Plaintiff’s requests for production, and the Court will grant the Motion to Compel that discovery subject to appropriate redactions.