A magistrate judge in the US District Court for the Middle District of Pennsylvania recently ordered Rutter’s, a convenience-store chain, to produce an investigative report prepared by a security consultant regarding a suspected data breach event, as well as all communications between the party and the company performing the investigation. In so ruling, the court held that the report and related communications were not protected from disclosure by the work product doctrine or the attorney-client privilege. See In re: Rutter’s Data Sec. Breach Litig., No. 1:20-cv-000382-JEJ-KM (M.D. Pa. July 22, 2021) (ECF No. 95).
In striking the claim of work product protection advanced by Rutter’s counsel, the court’s decision hinged on a few factors. First, the statement of work executed between the retaining law firm and the security consultant described the services with a non-litigation motivation: “The overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.” Analyzing this statement, the court reasoned “[w]ithout knowing whether or not a data breach had occurred, Defendant cannot be said to have unilaterally believed that litigation would result.” The court also noted that a 30(b)(6) designee of the party testified that he was not anticipating litigation when he signed the agreement for the investigative services, nor was he aware of any other employees anticipating litigation. The court also found instructive the fact that the outside counsel who hired the security consultant was not the entity that paid the consultant—Rutter’s paid the firm directly. And no evidence was presented to show the consultant provided the report to outside counsel for an assessment of legal risk prior to delivering it to Rutter’s. Without showing that the investigation was conducted because of a reasonable anticipation of litigation, Rutter’s could not establish that the work product doctrine protected the report from disclosure.
Further, finding that the investigative report merely set forth the facts of the suspected data breach—as opposed to opinions or proposed tactics in response—the court ruled that the report and related communications with the party opposing disclosure were not protected by the attorney-client privilege. Each element of the description of services was either deemed inherently factual or involved IT personnel working alongside each other with no attorney involvement or input. Thus, the court held Rutter’s could not establish the investigative report, and communications between the consultant and Rutter’s, had the primary purpose of providing or obtaining legal assistance for Rutter’s.
The court’s ruling underscores the need to involve outside legal counsel early and to clearly define the scope and purpose of any data breach investigation in order to protect the fruits of that investigation from disclosure in litigation. Courts are more likely to shield from disclosure documents related to data breach investigations that are spearheaded by outside counsel, are expressly designed to assist in actual or reasonably anticipated litigation, involve legal counsel input in the work being conducted by IT personnel, and are conducted in parallel with secondary investigations not intended to be used in anticipation of litigation or to facilitate legal advice. See, e.g., In re: Target Corporation Customer Data Sec. Breach Litig., 2015 WL 6777384 (D. Minn. Oct. 23, 2015); In re: Capital One Consumer Data Sec. Breach Litig., MDL No. 1:19md2915 (E.D. Va.). Companies wanting to protect such investigations should recognize the importance of engaging outside counsel at the outset of any data breach or other internal investigation, and of empowering counsel to exercise consistent control over the direction of the investigation and to determine the recipients of any final report. Legal counsel can advise on the necessary steps to try to protect the attorney-client privilege or work product surrounding the investigation, including how to define the scope of the investigation and contemporaneously document the expectation of work product protection, if applicable.