In this column on corporate employment issues, Philip M. Berkowitz, discusses the application of the work product doctrine to internal investigations.
By Philip Berkowitz | September 09, 2020
A recent district court case from the Eastern District of Virginia assessing the application of the work product doctrine to internal investigations has set corporate legal departments atwitter, because of the court’s rejection of the doctrine in a set of circumstances familiar to legal departments and their counsel—an internal investigation of alleged corporate wrongdoing that carried with it the threat of significant shareholder litigation.
The decision, In re Capital One Consumer Data Security Breach Litigation, 2020 WL 3470261 (E.D. Va. June 25, 2020) (hereinafter Capital One), provides valuable lessons on how best to assure application of the doctrine.
And another recent case from the Southern District of New York, McGowan v. JPMorgan Bank, N.A., 2020 WL 1974109 (S.D.N.Y. April 24, 2020), also provides valuable lessons.
First, some background.
Before carrying out an internal investigation of alleged wrongdoing, employers need to be aware of, and guard against, unwanted discovery of the investigation’s results.
Plaintiffs’ counsel often set their sights on discovering the fruits of internal investigations, including the underlying interview notes and other raw materials created when carrying out the investigation, in the hope that they can bolster their claims, either by demonstrating that the employer’s investigation was inadequate or by using damaging evidence the investigation may have uncovered.
If internal or external counsel carries out or directs the investigation, then the investigation may be protected by the attorney-client privilege under Upjohn v. United States. But to be privileged, the investigation must be carried out for the purpose of obtaining and providing legal advice.
The privilege will not protect the investigation from discovery if no legal advice is sought or provided; if the attorney is consulted merely for business advice; if the confidential nature of the investigation is not conveyed to the participants; if the attorney is merely kept informed of the investigation rather than tasked with directing it; if obtaining legal advice is not the predominant purpose of the investigation; or if the privilege is waived.
Even if the attorney-client privilege does not shield the fruits of the investigation from disclosure, the work product doctrine may do so, if the investigation was carried out in anticipation of litigation, whether by or for a party or its representative.
In at least one important manner, the work product doctrine’s scope is broader in the Second Circuit than in other circuits. In United States v. Adlman, 134 F.3d 1194 (2d Cir. 1998), the court held that the doctrine will protect a document against disclosure even if it was created for both litigation and non-litigation purposes, if indeed it was prepared because of litigation. Adlman rejected more restrictive tests interpreting “in anticipation of litigation” to exclude documents which, although prepared because of expected litigation, are intended to inform a business decision influenced by the prospects of the litigation. Thus, in the Second Circuit, the doctrine will protect against disclosure of documents prepared “because of” existing or expected litigation, even if not necessarily to “assist in” litigation.
The work product doctrine is not an absolute shield against disclosure, of course. Even if the document is prepared in anticipation of litigation, the adverse party may obtain the documents if the party shows “substantial need” for disclosure and inability to obtain its equivalent by other means. However, even where the party seeking disclosure has made such a showing (as Adlman observed), the rule directs that “the court shall protect against disclosure of the mental impressions, conclusions, opinions, or legal theories of [a party or its representative] concerning the litigation.”
Nevertheless, the court in Adlman emphasized that the “because of” formulation it adopted will not protect documents “that are prepared in the ordinary course of business or that would have been created in essentially similar form irrespective of the litigation.”
‘Capital One’ Decision
Against this backdrop comes Capital One. There, the defendant bank experienced, in March 2019, a major data breach, resulting in an unauthorized person gaining access to consumers’ personal information. Consumers filed several class actions. The bank had an existing relationship with a cybersecurity firm to support it in the event of a data breach or security incident.
The bank had originally retained the firm in March 2015, and had a Scope of Work (SOW) agreement in place in place to provide incident response services, including computer security incident response support, digital forensics, log, and malware analysis support, and incident remediation assistance.
The SOW required the cybersecurity firm to provide a final report covering the issues, and if one were necessary, a written technical document outlining the results, along with recommendations for remediation. The bank paid the firm for this work from a fund denominated as for “business critical” expenses.
Following the March 2019 data breach, the bank’s external counsel engaged the same cybersecurity firm, but entered into a new letter agreement with them. The new letter agreement essentially mirrored the services that the cybersecurity firm would normally provide to the Bank under the SOW. However, unlike the SOW, the new agreement provided that all work was to be conducted at the direction of outside counsel to assist counsel in planning a defense to litigation it anticipated might arise out of the data breach, and that any deliverables were to be produced directly to counsel.
The plaintiffs sought discovery of the forensic report, and the bank argued that the work-product doctrine precluded discovery of the report. The court rejected the bank’s argument, though, while making several observations about why the work-product doctrine did not protect against disclosure:
- While outside counsel entered into a new agreement with the cybersecurity firm, the agreement duplicated the SOW already in place between the bank and the firm in terms of the services that would be provided. Thus, the bank failed to demonstrate that the firm would not have performed substantially similar services in the absence of litigation.
- There was no evidence indicating that counsel had any role in creating the report or that counsel influenced its preparation so to assist it in defending possible litigation.
- The only difference in the cybersecurity firm’s work post-breach was that it was carried out at the direction of counsel, but this did not alter the business purpose of the work.
- The bank had paid for the report from its existing retainer with the firm, rather than budgeting it as a legal expense.
- The bank’s counsel forwarded the cybersecurity firm’s report to many individuals at the Bank, with apparently limited if any consideration as to whether they had a role in formulating the legal strategy—counsel sent it to approximately 50 employees, to a “corporate governance office general email box,” to the bank’s Board of Directors, to four different regulators, and to the bank’s accountants.
Thus, while the result is perhaps alarming, Capital One does not in any sense erode the work product doctrine, but it provides valuable lessons as to how best to structure a third-party investigation and preserve the work doctrine’s protection.
Another recent case, this one more locally placed, is also instructive. In McGowan v. JPMorgan Bank, the plaintiff, an employee of the defendant bank, claimed that she was a victim of unlawful discrimination in violation of New York laws. She first filed a complaint internally with the bank’s Human Resources Department, which commenced an internal investigation.
Thereafter, the employee’s attorney emailed the bank informing them that she represented the employee, and in response, the bank’s in-house counsel carried out what the employer claimed was a privileged investigation into her claims, for the purpose of rendering legal advice and responding to her allegations.
The plaintiff sought discovery of the investigation files. The bank conceded that the first investigation was not privileged or protected by the work-product doctrine. In light of that concession, the plaintiff argued that the subsequent investigation could not be protected.
But Magistrate Judge Gorenstein held that the character of the investigation changed once counsel were involved, from one that may not have been for the purpose of mounting a legal defense, to one that was in fact for that purpose. Thus, the court rejected the plaintiff’s application for discovery of the investigation files conducted by counsel.
‘At Issue’ Waiver
The JPMorgan court also considered the important and often overlooked doctrine of “at issue” waiver. Under that doctrine, if the defendant takes the position that the otherwise-privileged investigation establishes its good faith regarding the legality of its actions, then it waives the privilege. The court rejected the plaintiff’s argument that the defendant’s mere denials and affirmative defenses in its answer, to the effect that the defendant had acted in good faith, constituted a waiver. However, the court ordered the defendant “to state now whether it intends to offer evidence of the nature of the investigation as any part of the defense …”
These cases teach the following:
- When retaining third-party forensic investigators, the client should direct outside counsel to engage and coordinate the relationships.
- If counsel retains a consultant, allocate retainers and payments to the legal budget.
- Counsel should retain a firm other than one the employer normally engages for routine forensic or, for example, cybersecurity assistance.
- The retention agreement between counsel and the vendor should:
- explicitly provide that the retention is necessary to help the law firm prepare for litigation and provide the employer with legal advice;
- identify the services that counsel expects the consultant to perform; and
- state how the report will assist counsel in preparing for litigation and providing legal advice;
- provide that the consultant will not provide a written report unless counsel specifically requests it.
- Counsel’s agreement with the vendor should not include unrelated work, such as remediation under preexisting SOWs.
- If the employer decides, after consulting with counsel, to use the same vendor for both business/remediation and litigation-related services, it is critical to isolate the litigation-related services that the vendor provides and to describe them in a separate SOW that makes clear how the scope and purpose of the litigation-related work differ from remediation work or preexisting SOWs.
- The employer should inform counsel of any ongoing or contemplated investigation into the particular incident, in the event counsel wishes to either coordinate the investigations or suspend any related, non-privileged investigation.
- The report should be utilized solely by counsel for litigation purposes.
- Again, prior to authorizing a written report, counsel should understand what it will say, and whether the consultant needs to provide one.
- The employer and counsel should limit any report’s distribution to only those who need it for litigation-related purposes, such as in-house counsel, the board of directors, and possibly a small group of employees who need to understand the matter so they may assist counsel in the assessment of potential claims and defenses.
- The employer should not provide the report to third parties or to the team responsible for incident response.
- The employer and counsel should provide clear direction to recipients of the report that it is privileged, confidential, and that they should not disseminate it further.
Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm’s U.S. international employment law and financial services practices.
Read the full article here:
Reprinted with permission from the September 9, 2020 edition of the New York Law Journal©
2020 ALM Media Properties, LLC. All rights reserved.