A federal court has held that neither the work product nor attorney-client privilege doctrines shield a cyber expert’s report from discovery.
In Guo Wengui v. Clark Hill, PLC, the defendants resisted discovery of the expert report. They pointed out that outside counsel retained the expert, and argued that this was dispositive. The court disagreed. It compelled production.
First, it noted that under the work-product privilege, a party could not discover documents or materials “prepared in anticipation of litigation”. The District of Columbia Circuit determined whether the documents were so prepared using the “because of” test. The court must determine whether the prospect of litigation prompted the preparation of the document. If the document would have been prepared in any event, work-product protection is unavailable.
The court noted that organizations handling sensitive materials had a compelling business need to determine the course of a breach “regardless of litigation or regulatory inquiries.” The defendant had a business motive to identify the cause of the breach. And prevent a repetition. IT professionals would have thus prepared a document like the expert report regardless of litigation. The expert’s role was larger than assisting counsel in potential litigation.
The court similarly found the attorney-client privilege inapplicable. The privilege protects “a confidential communication between attorney and client if that communication was made for the purpose of obtaining or providing legal advice to the client.” The expert report was not an attorney-client communication. The court also determined that the defendant’s objective was to obtain cybersecurity expertise, not legal advice.
The report contained specific recommendations on tightening cybersecurity. And experts shared the report with the defendant’s IT staff and the FBI. They shared the report to advance the investigation and avert future attacks. These actions undermined the argument that the report was prepared to obtain legal advice.
The decision is striking in rejecting the most common arguments seeking to protect cyber expert reports. As the court noted, cyberattacks have become routine. Organizations have responded with a standard response playbook. One tactic is to retain cyber experts through counsel. A review of the caselaw suggests that this card is being played with diminishing success. Entities seeking to safeguard similar reports from future discovery will have to thread the needle carefully.