Privilege Lessons From Clark Hill Cybersecurity Ruling

Law360
January.22.2021

Privacy & Cybersecurity Litigation partners Doug Meal and Michelle Visser, along with counsel David Cohen, authored this article for Law360 on the U.S. District Court for the District of Columbia's recent decision in Wengui v. Clark Hill PLC, No. 19-3195 (D.D.C. Jan. 12, 2021), the latest in a string of cases showing that courts will closely scrutinize claims of attorney-client privilege and work-product protection over documents and communications generated in the wake of a cybersecurity breach.

In particular, even though there are compelling legal reasons to investigate and contain a cybersecurity breach, in Clark Hill the court rejected claims of attorney-client privilege and work-product protection over a forensic investigation report and related material generated by a cybersecurity firm after a breach because it concluded the information was generated primarily for business reasons.  As explained in the article, the decision teaches that companies need to structure their breach investigations and defend motions to compel those materials in a way that makes clear the legal concerns at play as well as how those legal concerns affect the content of the forensic report and related documents.