Guo Wengui v. Clark Hill, PLC

GUO WENGUI, Plaintiff, v. CLARK HILL, PLC, et al., Defendants.

Civil Action No. 19-3195 (JEB)

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

January 12, 2021

MEMORANDUM OPINION

Malicious cyberattacks have unfortunately become a routine part of our modern digital world. So have the lawsuits that follow them, alleging, as this one does, that the hacked institution failed to take sufficient precautions to protect the plaintiff's data. During such litigation, disputes frequently arise over whether documents generated by the defendant in the wake of a data breach — e.g., forensic reports, analyses, and internal communications — are privileged or instead must be turned over in discovery. See, e.g., In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190, 193-94 (E.D. Va. 2019) (citing cases). This Court now adds its thoughts to the accumulating caselaw.

Plaintiff Guo Wengui has moved to compel Defendant Clark Hill, PLC, his former law firm, to produce "all reports of its forensic investigation into the cyberattack" that led to the public dissemination of Mr. Guo's confidential information. See ECF No. 25-1 (Mot.) at 3; see generally Guo Wengui v. Clark Hill, PLC, 440 F. Supp. 3d 30 (D.D.C. 2020) (discussing Plaintiff's allegations). He also asks that the Court mandate that Defendant provide more complete answers to certain interrogatories regarding its investigation into the hack. See Mot. at 3.

Clark Hill rejoins that it has turned over all relevant internally generated materials and that the other documents Plaintiff seeks, which were produced by external security-consulting firm Duff & Phelps, are covered by both the attorney-client and work-product privileges. See ECF No. 30-1 (Opp.) at 2. The firm points out that it did not hire Duff & Phelps; instead, the consultants were retained by Defendant's outside litigation counsel Musick, Peeler & Garrett to assist in MPG's representation of Clark Hill and to help "prepare for litigation stemming from the attack." Id. The firm also refuses to answer Plaintiff's interrogatories seeking "Clark Hill's understanding of the facts or reasons why" the attack occurred, claiming that "its 'understanding' of the progression of the . . . incident is based solely on the advice of outside counsel and consultants retained by outside counsel" and is therefore privileged. See ECF No. 29-4 (Defendant's Third Supplemental Interrogatory Responses) at 13-14; see also id. at 19 (declining to answer interrogatory regarding effect of attack "to the extent it calls for knowledge that Clark Hill obtained as a result of its consultations with outside counsel and consultants retained by outside counsel").

Separately, Clark Hill also maintains that it cannot respond to Guo's additional requests for "information or documents related to [its] clients other than Plaintiff" who may (or may not) have been affected by the hack at issue, on the grounds that such information is both irrelevant and privileged. See Opp. at 22-24.

For the reasons that follow, the Court finds that the Duff & Phelps Report and associated materials are neither protected work product nor attorney-client privileged. It also concludes that Clark Hill must provide the documents requested by Plaintiff regarding the cyberattack's effect on other firm clients, subject to appropriate redactions. The Court, accordingly, will grant Plaintiff's Motion to Compel.

I. Legal Standard

Rule 37 of the Federal Rules of Civil Procedure entitles parties to "move for an order compelling an answer [or] production" if, among other things, "a party fails to answer an interrogatory submitted under Rule 33" or "fails to produce documents . . . requested under Rule 34." Both interrogatories under Rule 33 and document requests under Rule 34 "may relate to any matter that may be inquired into under Rule 26(b)." Fed. R. Civ. P. 33(a)(2); see Fed. R. Civ. P. 34(a) ("A party may serve on any other party a request within the scope of Rule 26(b) . . . ."). Rule 26(b)(1), in turn, sets the "scope of discovery . . . as follows: Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense and proportional to the needs of the case." The main question here is whether material concerning the "matter" that Plaintiff has requested in discovery is privileged under either the work-product doctrine or the attorney-client privilege. For both, the party seeking to withhold a document — here, Clark Hill — bears the burden of showing that the privilege applies. See FTC v. TRW, Inc., 628 F.2d 207, 213 (D.C. Cir. 1980) (attorney-client privilege); United States v. ISS Marine Servs., Inc., 905 F. Supp. 2d 121, 134 (D.D.C. 2012) (work-product privilege).

II. Analysis

The Court first addresses the Duff & Phelps Report under each of the two privileges; it then analyzes whether Clark Hill must turn over documents related to the cyberattack's effect on its other clients.

A. Duff & Phelps Report

1. Work-Product Privilege

Rule 26 codifies what is known as the work-product privilege, under which, "[o]rdinarily, a party may not discover documents and tangible things that are prepared in anticipation oflitigation . . . by or for another party or its representative (including the other party's attorney, consultant, . . . or agent)." Fed R. Civ. P. 26(b)(3)(A). To determine whether a document was "prepared in anticipation of litigation," courts in this circuit apply the "because of" test, asking "whether, in light of the nature of the document and the factual situation in the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation." United States v. Deloitte LLP, 610 F.3d 129, 137 (D.C. Cir. 2010) (emphasis added) (citation omitted). "Where a document would have been created 'in substantially similar form' regardless of the litigation," it fails that test, meaning that "work product protection is not available." FTC v. Boehringer Ingelheim Pharms., Inc., 778 F.3d 142, 149 (D.C. Cir. 2015) (quoting Deloitte, 610 F.3d at 138). For that reason, "the privilege has no applicability to documents prepared by lawyers in the ordinary course of business or for other nonlitigation purposes." In re Sealed Case, 146 F.3d 881, 887 (D.C. Cir. 1998) (citation and internal quotation marks omitted); see also Banneker Ventures, LLC v. Graham, 253 F. Supp. 3d 64, 72 (D.D.C. 2017) ("Documents that would have been created in the ordinary course of business irrespective of litigation are not protected by the work-product doctrine.") (cleaned up); United States v. Adlman, 134 F.3d 1194, 1204 (2d Cir. 1998) ("If the district court concludes that substantially the same [document] would have been prepared in any event — as part of the ordinary course of business . . . — then the court should conclude [it] was not prepared because of . . . litigation.").

In light of the record before the Court, including the Duff & Phelps Report itself (which the Court has reviewed in camera), Clark Hill has not met its burden to show that the Report, or a substantially similar document, "would [not] have been created in the ordinary course of business irrespective of litigation." Banneker Ventures, 253 F. Supp. 3d at 72. For many organizations, surely among them law firms that handle sensitive materials, "discovering how [acyber] breach occurred [is] a necessary business function regardless of litigation or regulatory inquiries. [There is a] need[] to conduct an investigation . . . in order to figure out the problem that allowed the breach to occur so that [the organization] [can] solve that problem and ensure such a breach [cannot] happen again." Dominion Dental, 429 F. Supp. 3d at 193 (quoting In re Premera Blue Cross Customer Data Sec. Breach Litig. (Premera I), 296 F. Supp. 3d 1230, 1245-46 (D. Or. 2017)). It is therefore more likely than not, if not "highly likely[,] that [Clark Hill] would have conducted [an] investigation" into the attack's cause, nature, and effect "irrespective of the prospect of litigation." ISS Marine Servs., 905 F. Supp. 2d at 137. From the Court's in camera review, it is clear that the Duff & Phelps Report summarizes the findings of such an investigation, and that "substantially the same [document] would have been prepared in any event . . . as part of the ordinary course of [Defendant's] business." Adlman, 134 F.3d at 1204.

Defendant, notably, does not seem to quarrel with this general thesis. Instead, it offers a more nuanced position, arguing that the Report qualifies as being prepared in anticipation of litigation because it was the result of only one half of a "two-tracked investigation of the incident." Opp. at 2. On one track, Clark Hill's usual cybersecurity vendor, called eSentire, worked "to investigate and remediate the attack" so as to preserve "business continuity." Id.; see also id. at 5 ("Over the . . . several weeks [after the attack], Clark Hill engaged with . . . eSentire . . . to ascertain the nature and remediate the effects of the attack."). Clark Hill points out that it has disclosed documents related to eSentire's work. Id. at 2. On a "separate track from the eSentire work," Defendant insists, was Duff & Phelps, retained by MPG "for the sole purpose of assisting [the firm] in gathering information necessary to render timely legal advice." ECF No. 29-17 (Engagement Letter from MPG) at 1; see also ECF No. 29-16 (Engagement Letter from Duff & Phelps) at ECF p. 1.

In other words, Clark Hill claims, citing In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 6777384, at *2-3 (D. Minn. Oct. 23, 2015), that it had one "ordinary-course investigation" by eSentire "set up so that [it] could learn how the breach happened and . . . respond to it appropriately" — which did not result in protected work product — while it also engaged a "separate team" to "inform[] [its] counsel about the breach so that [they] could...