The Federal Circuit’s recent ruling in MaxPower Semiconductor Inc. et al v. Rohm Semiconductor USA, LLC highlights the interplay between the liberal federal policy favoring arbitration agreements and the Patent Trial and Appeal Board’s (“PTAB”) authority as an agency tribunal having a broad role to protect the public interest in
Stephanie A. Diehl
Lessons from Wengui v. Clark Hill: Structuring a Two Track Cyber Investigation
As the D.C. District Court in Wengui v. Clark Hill recently commented, “[m]alicious cyberattacks have unfortunately become a routine part of our modern digital world. So have the lawsuits that follow them….” The court’s decision in that case has added another data point to developing jurisprudence of the cyberattack landscape, specifically concerning the discoverability of post-breach forensics reports.
District Court Affirms Order Requiring Production of Cyber-Investigation Report after Considering Totality of Circumstances
As we previously reported, the Magistrate Judge in In re: Capital One Customer Data Security Breach Litigation found that a forensic report that Capital One had claimed was protected by the privilege and work product doctrines needed to be produced because Capital One had not met its burden under the dual-purpose doctrine to show that the report was protected. In re: Capital One Customer Data Sec. Breach Litig. (“Magistrate’s Order”). The forensic report at issue (the “Report”) related to a 2019 data breach where a hacker purportedly accessed and stole highly sensitive customer information from Capital One’s online cloud environment (the “Breach”). Capital One hired outside counsel to investigate the Breach and to help the company prepare for anticipated litigation and regulatory inquiries. To assist counsel’s investigation, outside counsel engaged a cybersecurity consultant (“Consultant”). As developed in the Magistrate’s Order, Capital One had used this same Consultant prior to the Breach in the normal course of its business.
Maintaining Privilege and Work Product Protections in Dual Purpose (Legal and Business) Investigations Requires More than Merely Adding Counsel’s Name to a Forensic Report.
Technical investigations conducted following cyber-incidents often have both legal and ordinary-course business purposes. In certain jurisdictions, reports generated as a result of such investigations can be protected from discovery by privilege and work product protections – despite certain non-legal use – under the “dual purpose” doctrine when “consider[ing] the totality of the circumstances . . . it can fairly be said that the document was created because of anticipated litigation and would not have been created in substantially similar form but for the prospect of litigation.” California Earthquake Auth. v. Metro. West Sec. LLC. However, as a recent opinion illustrates, dual purpose-type privilege claims may not be upheld if challenged in the absence of proper precautions. In re: Capital One Customer Data Sec. Breach Litig., MDL No. 1:19-md-02915, D.I. 490, Slip Op. (E.D. Va. May 26, 2020) (“Slip Op.”).