In a recent post, we addressed the role a forensic investigation plays in a company’s response to a data security incident. We noted that to maximize the likelihood that a forensic firm’s work will be covered by the work-product doctrine or attorney-client privilege, the engagement letter should include outside counsel and the forensic firm should conduct its investigation at the direction of counsel. At a minimum, the engagement letter should specify that the forensic firm has been engaged to assist counsel in providing legal advice and, when appropriate, should specify that the forensic firm is assisting counsel in anticipation of litigation. Since that post, a new court decision has shed additional light on the factors affecting whether the work-product doctrine will protect a forensic firm’s work from discovery.

In In re Experian Data Breach Litigation, Case No. 8:15-cv-01592-AG-DFM (C.D. Cal. May 18, 2017), the court denied a motion to compel discovery of a forensic firm’s report and related documents, holding that the materials were protected by the work-product doctrine. In Experian, the defendant retained outside counsel shortly after learning of an incident (but before any litigation commenced), and the outside counsel then retained the forensic firm to investigate the incident.

The court considered several facts to be significant in determining that the work-product doctrine applied. As already noted, the forensic firm was retained by outside counsel at a time when it was reasonable to anticipate litigation over the data breach. Additionally, the forensic firm’s report was shared only with outside and in-house counsel, not with the company’s broader incident response team. The company also submitted declarations establishing that the scope of the forensic firm’s engagement was limited to assisting the company’s counsel.

In light of these facts, the court concluded that the company satisfied its burden of establishing that the forensic firm’s report and related documents were created for the purpose of assisting counsel in providing legal advice in anticipation of litigation and therefore were protected by the work-product doctrine. (The company also argued that the documents were covered by the attorney-client privilege, but the court did not reach this argument in its decision.)

The court rejected the plaintiffs’ argument that the work-product doctrine did not apply because the company may have had additional reasons (besides assisting legal counsel) for hiring a forensic firm to investigate the incident. The court noted that under applicable law, “a document doesn’t need to be prepared exclusively for use in litigation” for the work-product doctrine to apply.

The court also rejected the argument that the forensic firm’s prior work for the company – performed directly for the company before the security incident occurred and before outside counsel was retained in connection with the security incident – prevented the work-product doctrine from applying to the forensic firm’s later work related to investigating the incident. The court concluded that the work related to investigating the incident was separate from the earlier work and that only the work related to the security incident was covered by the work-product doctrine.

In perhaps the most interesting part of the decision, the court rejected the argument that an exception to the work-product doctrine applied because the plaintiffs had a substantial need for the forensic firm’s work product. The plaintiffs argued they needed the forensics firm’s report and related documents because without access to the company’s live, operational systems, networks and servers, the plaintiffs’ own experts could not re-create the forensic firm’s investigation. The court rejected this argument, based on evidence that, in fact, the forensic firm had analyzed only forensic server images, which could be produced to the plaintiffs and analyzed by the plaintiffs’ own experts.

On this point, the court’s decision is similar to the court’s reasoning in In re Target Corporation Customer Data Security Breach Litigation, Case No. 0:14-md-02522-PAM (D. Minn. Oct. 23, 2015), which held that certain documents created by a forensics firm were protected by the work-product doctrine. In Target, the court also concluded that the plaintiffs’ claimed need for the forensics firm’s report and related documents did not overcome the work-product doctrine because the company had “produced documents and other tangible things, including forensic images, from which Plaintiffs can learn how the data breach occurred and about Target’s response to the breach.”

In light of the way these courts have analyzed the work-product doctrine and as we discussed in our earlier post, companies and their counsel should carefully document that a forensic firm’s engagement is at the direction of counsel. In addition, companies, their counsel and their forensic firms should anticipate the “substantial need” argument by giving thought to whether there are source materials (e.g., forensic images) that can be preserved and produced in lieu of the forensic firm’s work product.