Last week, on October 23, 2015, U.S. Magistrate Judge Jeffrey J. Keyes denied a class of banks’ motion that Target produce documents generated during its internal investigation of the massive 2013 holiday season data breach.1 This decision highlights the need for corporations to carefully structure their post-breach investigations in order to claim attorney-client privilege over the investigation and any resulting documents.
The Court’s ruling was the result of a long-standing discovery dispute between the parties over documents created during two separate investigations conducted by Target. Target maintained numerous entries on its privilege log relating to these documents, which Target claimed were either attorney-client privileged or work product.2 The banks, which were granted class certification last month, argued that the documents at issue could not be cloaked with privilege where Target would have had to investigate and fix the data breach “regardless of any litigation.” The banks claimed that even though the investigative probes were launched at the direction of Target’s counsel, discussions with its counsel should still be made available because they related to Target’s handling of regular business functions. Target countered that it had essentially set up a two-tracked investigation to respond to the breach. The first track consisted of a non-privileged investigation by Verizon on behalf of numerous credit card companies. Its purpose was for Target to understand and appropriately respond to the breach. The second track involved a probe by a separate team from Verizon in conjunction with Target’s internal task force.
Target argued that documents related to the second track were privileged. Target claimed the second track investigation “was not involved in an ordinary-course-of business investigation.”3 Rather, Target asserted that the second Verizon probe was conducted at the request of Target’s internal counsel to educate Target’s attorneys so that they could provide informed legal advice with respect to the breach.4
Following an in camera review of a majority of the disputed privilege log entries, Judge Keyes denied the banks’ motion. Judge Keyes found:
Target demonstrated, through the declaration of [Chief Legal Officer] Timothy Baer, that the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s inhouse and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.5
Judge Keyes further found that the work-product doctrine applied to two additional entries, where the banks did not prove a substantial need for the materials. “Plaintiffs have not demonstrated that without these work-product protected materials, they have been deprived of any information about how the breach occurred or how Target conducted its non-privileged or work-product protected investigation,” Judge Keyes ruled. “Target has produced documents and other tangible things, including forensic images, from which Plaintiffs can learn how the data breach occurred and about Target’s response to the breach.”6
Judge Keyes’s ruling included only a single exception to his sweeping denial of the banks’ request, ordering the production of several e-mail updates from Target’s CEO to its board of directors in the aftermath of the breach.
Practical Considerations
In responding to a data breach, organizations should structure their breach response investigation artfully to ensure all aspects of the investigation (and the documents created as a result) maintain the attorney-client privilege. As soon as a breach occurs, organizations should engage legal counsel to develop a strategy to deal with the various risks. Counsel should identify documents, as well as communicate to employees, that each data breach investigation is meant to be legally privileged because the investigation is in anticipation of litigation and directed by counsel.
Because investigation-related documents created for business purposes are not protected, hiring outside counsel to advise and oversee the investigations further bolsters the fact that the investigation is tied to legal instruction and advice. With respect to the data-breach investigation itself, organizations might want to follow a bifurcated approach, similar to that used by Target, to maintain the work-product privilege. An organization’s internal counsel should instinctively retain a forensics or security firm post-breach to conduct a forensic investigation of the cyber-attack in the ordinary course. Organizations should be cognizant that this investigation, and the reports and documents created, are likely discoverable as they would be created as a by-product of a routine investigation.
By having the organization’s outside counsel hire a separate forensics team, however, the work-product privilege can be preserved. This separate forensic team should be engaged to provide consulting and technical services – pursuant to a carefully drafted engagement letter – for the purpose of assisting internal and outside counsel in rendering legal advice to the organization about the cyber-attack and the forensic investigation report. Structuring it this way is essential because were in-house counsel to hire this forensics team, privilege might not attach. When outside counsel hires the forensic team, the privilege is preserved because factual investigations of data breaches fall comfortably within the protection of the attorney-client privilege – which extends to counsel’s communications with agents and experts who are retained by counsel for the purpose of providing legal advice. The work-product privilege would also attach to the forensic team’s work under counsel’s direction.
By dual-tracking an investigation, information relevant to how the breach occurred and the response taken can be discovered in litigation, while the organization’s legal advice and strategy remain privileged.
1 In re: Target Corp. Customer Data Security Breach Litigation, No. 0:14-md-02522 (D. Minn. Oct. 23, 2015).
2 Id. at 2.
3 Id. at 3.
4 Id.
5 Id. at 6 (internal citations omitted).
6 Id. at 7.