Error - No Privilege Found: District Court Compels Production of Data Breach Report

The Middle District of Pennsylvania recently rejected arguments that a report created in response to a data breach was protected as work-product and/or under attorney-client privilege because:
  • the report’s Statement of Work appeared limited to factual inquiries and the corporate deponent stated that it did not anticipate litigation at the time of the underlying investigation; and
  • the cybersecurity consultant who prepared the report was not acting as an attorney or at the direction of an attorney, nor was it providing information to an attorney to assist with providing legal advice.

Background

In March 2020, a class action lawsuit was filed against gas station and convenience store operator Rutter’s Inc., claiming that Rutter’s failed to adequately prevent and respond to an alleged breach exposing its customers’ financial data. During discovery, it was learned that third-party cybersecurity consultant Kroll Cyber Security LLC was hired to “conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident” and to prepare an investigative report summarizing the same. Notably, Rutter’s and Kroll “understood Kroll’s work to be privileged.” In addition, even though Kroll was hired by Rutter’s outside counsel, Rutter’s paid Kroll directly.

In June 2021, the plaintiffs filed a motion to compel the production of the report and related communications between Kroll and Rutter’s. In response, Rutter’s asserted that the report and communications were protected as work product and under the attorney-client privilege. The Magistrate Judge rejected both arguments and ordered the report and communications to be produced.

The Order

Work Product Doctrine. For the work-product doctrine to apply, the subject document “must be prepared in anticipation of litigation,” meaning “[a]iding in identifiable or impending litigation must [be] the primary motivating purposes behind the creation of the document” (internal citations omitted). To meet this burden, “the party which ordered or prepared the document [must prove it] had a unilateral belief that litigation [would] result” and that this belief was “objectively reasonable” (internal citations omitted). 

In this case, the Judge found that the primary purpose behind the investigative report was not to prepare for the prospect of litigation because during its corporate deposition, Rutter’s stated that “litigation was not contemplated at the time the [investigative] report was prepared” and the report “would have [been] prepared…regardless of whether or not lawsuits were [later] filed.” In addition, the contract Statement of Work identified the purpose of the underlying investigation to be “to determine whether data was compromised, and the scope of such compromise if it occurred.” The Judge found that “[w]ithout knowing whether or not the data breach had occurred, [Rutter’s] cannot be said to have unilaterally believed that litigation would result.” Thus, the Judge concluded that the report and related communications were not protected work product.

Attorney-Client Privilege. The attorney-client privilege attaches to “(1) communication (2) made between privileged persons (3) in confidence (4) for the purposes of obtaining or providing legal assistance for the client” (internal citations omitted). Notably, the privilege does not attach to the communication of facts. Here, the Judge found that the investigative report and related communications were largely discussions of fact, as contemplated by the Statement of Work. Although the entirety of Kroll’s role in working with Rutter’s IT personnel was not determined to be inherently factual, the Judge nonetheless found that this could not be “deemed to be gaining or providing legal assistance, as neither Kroll nor Rutter’s IT personnel are [legal professionals] and this service involves…no mention of attorney involvement.” Indeed, the report was provided to Rutter’s IT personnel and not to outside counsel for Rutter’s. Thus, the Judge concluded that the report and related communications were not protected by attorney-client privilege.

Takeaway

As this case demonstrates, privileges and protections, like the work-product doctrine and attorney-client privilege, are strictly applied and narrowly construed. As the number of data breaches continues to rise, and regulatory responses rise with them, companies should not only be prepared to respond to such breaches, but should also be aware of the requirements for ensuring that the documents produced during this response are adequately protected, and of the risks associated with disclosure of any such documents. The Arent Fox data privacy team can assist clients with addressing these issues in the midst of a potential data breach.
