Privilege and Work Product Protection for Corporate Investigations After Clark Hill: Part III

May 12, 2021

The last two Privilege Points (Part I and Part II) addressed privilege and work product protection for corporate investigations — in light of a large law firm’s failure to protect its own internal investigation into its own data breach. Wengui v. Clark Hill, PLC, — F.R.D. —, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021).

After considering the initiation phase of corporate investigations, courts usually turn to the investigation’s course. Not surprisingly, the greater the lawyer’s role on a daily basis (directing the investigation), the higher the odds of success. Corporations usually must prove that they did something special, different, out of the ordinary. Hiring outside counsel might help satisfy that standard. Clark Hill attempted to squeeze its internal data breach investigation into the paradigmatic Target case model mentioned last week. In re Target Corp. Customer Data Breach Litig., MDL No. 14-2522 (PAM/JJK), 2015 U.S. Dist. LEXIS 151974 (D. Minn. Oct. 23, 2015). Clark Hill hired an outside law firm, which in turn hired a new consultant to conduct the data breach investigation (Duff & Phelps — not Clark Hill’s “usual cybersecurity vendor”). Wengui, 2021 U.S. Dist. LEXIS 5395, at *7. But the court found that Clark Hill fell short: “[t]he problem for the defense here is that its two-track story finds little support in the record.” Id. at *8. The court found that despite Clark Hill’s lawyer hiring a new consultant, “[f]rom the Court’s in camera review, it is clear that . . . ‘substantially the same [document] would have been prepared in any event . . . as part of the ordinary course of [Clark Hill’s] business.'” Id. at *7 (alterations in original). Courts not only look at documents created during the initiation and the course of an internal investigation, they sometimes point to factors that might not even cross lawyers’ minds. In one case, a corporation whose data consultant Mandiant discovered malware quickly hired a law firm to conduct what it claimed was a protected investigation — using Mandiant. In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230 (D. Or. 2017). The court rejected the corporation’s work product claim, noting that Mandiant’s “scope of work” had not changed — Mandiant just started reporting to the law firm rather than to the corporation. Id. at 1245-46. In another case, the court even pointed to a corporation’s payment for an internal investigation out of a business rather than a litigation budget.

Having successfully survived judicial scrutiny of its investigation’s initiation, Clark Hill stumbled during the court’s examination of its investigation’s course. After reviewing investigation-related documents in camera, the court ultimately concluded that Clark Hill had not walked the walk: “[a]lthough Clark Hill papered the arrangement using its attorneys, that approach ‘appears to [have been] designed to help shield material from disclosure’ and is not sufficient in itself to provide work product protection.” Wengui, 2021 U.S. Dist. LEXIS 5395, at *13 (second alteration in original). Next week’s Privilege Point will address the third investigation phase courts examine — the investigation’s use.