Leonard v. McMenamins: Further watering down of privilege for forensic reports
Following a cybersecurity incident, an impacted company generally hires, through outside counsel, a cybersecurity firm to conduct a forensic investigation and determine the scope of the cybersecurity incident. After the investigation, the cybersecurity firm typically prepares a report outlining its findings, including what the unauthorized actor did while in the network. While some courts consider forensic reports as work product or attorney-client privileged, other courts, including the District Court for the Western District of Washington, hold otherwise.
On December 6, 2023, the District Court for the Western District of Washington ruled that a cybersecurity consultant’s investigative report was protected under neither the work-product doctrine nor attorney-client privilege. Instead, the court determined that the report was for business purposes rather than in anticipation of litigation.
Case Overview
In Leonard v. McMenamins, Defendant McMenamins, Inc. (McMenamins) suffered a ransomware attack, whereby cybercriminals stole McMenamins’ data containing the personally identifiable information (PII) of present and former employees. 2023 WL 8447918, at *1 (W.D. Wash. Dec. 6, 2023). McMenamins retained Stoel Rives LLP (Stoel Rives) as response counsel for the ransomware incident. In turn, Stoel Rives engaged Stroz Friedberg Inc. (Stroz Friedberg), a third-party cybersecurity firm, on behalf of McMenamins to provide consulting, technical, and investigative services for the ransomware incident. At the end of its investigation, Stroz Friedberg prepared an investigative report (McMenamins Investigation Report) for McMenamins.
In January 2022, current and former employees of McMenamins (collectively, Plaintiffs) filed a class action lawsuit against McMenamins in the United States District Court for the Western District of Washington. Plaintiffs sued under various causes of actions, including negligence, breach of contract, breach of implied contract, unjust enrichment, and breach of fiduciary duty. During discovery, Plaintiffs filed two motions to compel in response to McMenamins’ responses to their discovery requests. Plaintiffs’ motions sought, in part, to: (1) overrule McMenamins’ privilege objections to its discovery requests and (2) ask the court to hold that McMenamins’ attorney-client privileges do not apply to the Stroz Friedberg materials and communications. McMenamins opposed, arguing, in part, that: (1) the report was protected under the attorney-client privilege and work product doctrine and (2) any related communications were similarly protected under attorney-client privilege.
While briefing the motions, the parties attached redacted copies of the Stroz Friedberg engagement letter, SOWs, and forensic report. Plaintiffs also provided a copy of McMenamins’ complete privilege log, but none of the redacted Stroz Friedberg documents were listed on the log. After a motions hearing, and without objection from either party, the court ordered McMenamins to produce the Stroz Friedberg engagement letter, SOWs, and investigative report for in-camera review. Accordingly, McMenamins provided the court the engagement letter, the second SOW, and the two investigative reports for in camera review.
Court’s Decision and Analysis
Ultimately, the court granted Plaintiffs’ motion to compel, ordering McMenamins to produce the Stroz Friedberg engagement letter, full investigative report, SOWs, and related communications. These materials, according to the court, were neither work product nor attorney-client privileged.
Rule 26 of the Federal Rules of Civil Procedure codifies the work-product privilege. Under this doctrine, “a party may not discover documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative (including the other party’s attorney, consultant, surety, indemnitor, insurer, or agent).” Fed. R. Civ. P. 26(b)(3)(A). In sum, the doctrine protects documents prepared by or on behalf of attorneys in anticipation of litigation. In evaluating whether the Stroz Friedberg report qualified as a protected work product, the court considered a variety of factors, including:
- Whether the report provides factual information to the impacted entity (and others);
- Whether the report constitutes the only investigation and analysis of the data breach;
- The types of services provided by the consultant;
- The relationship between the consultant and the impacted entity; and
- Whether the report would have been prepared in a substantially similar form absent the anticipation of litigation.
In light of the above factors and the court’s in camera review, the court determined that the Stroz Friedberg report was not work product. First, the report contained only factual information. According to the court, there was no evidence that the report provided legal advice; instead, it contained business discussions, remediation, and investigative services. The report itself acknowledged that Stroz Friedberg engaged in various internal business discussions. Secondly, the court recognized that Stoel Rives’ engagement of Stroz Friedberg was intentionally “designed to” shield any materials from disclosure. According to the court, the SOWs described that Stroz Friedberg was to assist with restoration services—not providing legal advice. The report, engagement letter, and SOWs demonstrated to the court that Stroz Friedberg prepared the report for a “business purpose, unrelated to anticipated or pending litigation.” Lastly, the court found that Plaintiffs had a “substantial need” for the Stroz Friedberg materials because the report was the only internal investigation available. McMenamins failed to show “any meaningful investigation” of the ransomware incident apart from the Stroz Friedberg report.
The court further held that attorney-client privilege did not apply for similar reasons: “the report does not provide legal advice.” The fact that the report was created at the request of counsel, by a third party engaged to assist counsel in providing legal advice, was of no import to the court. As such, the court ordered McMenamins to produce the disputed Stroz Friedberg materials.
Several courts have agreed with the District Court for the Western District of Washington’s approach. See In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190 (E.D. Va. 2019) (holding that a report prepared by a cybersecurity firm was not protected by work-product doctrine); Guo Wengui v. Clark Hill, PLC, 338 F.R.D. 7 (D.D.C. 2021) (holding that report produced by external security-consulting firm was not protected by work-product doctrine).
What This Decision Means To You
Plaintiffs are increasingly filing class actions against organizations that have suffered data breaches. These complainants are requesting a broad range of documents in discovery related to the investigation, including the forensic report, as the report provides a roadmap for their claims. As such, cybersecurity assessments and incident response efforts require careful consideration. As demonstrated in the above case, these measures bring potential brand and reputation issues, regulatory enforcement and compliance risks, possible litigation, and other challenges that may affect preparedness and response efforts. The court’s decision demonstrates how important it is for companies to engage experienced privacy counsel to lead cybersecurity initiatives, especially with framing incident response agreements. Cybersecurity consultants and counsel must be mindful of these issues before engagement.
For more information about maintaining privilege over forensic reports or updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislative updates. In addition, if you have questions about your company’s compliance with cyber-regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact Spencer or Arriana at spollock@mcdonaldhopkins.com or asajjad@mcdonaldhopkins.com or a member of McDonald Hopkins' national data privacy and cybersecurity team.