Lessons Learned from Target’s Data Breach Discovery Win
A thousand questions immediately flood any lawyer’s mind when they first hear that their client may have been affected by a data breach. How did it happen? What data were affected? Was there any personal information affected, what type, and how much? When did it happen? How much time passed before we discovered it? These are a few of the questions that must be answered—and answered fast—before you can advise your client on the many time-sensitive, high-stakes legal obligations that arise from a data breach.
It is increasingly common that lawyers need technical experts to gather and provide the information necessary to answer these questions. Whenever that is the case, there is an argument to be made that attorney-client privilege should attach to the communications associated with the work that these experts perform, including written reports that communicate the results of interviews, forensic exams, and similar investigatory activities. It also may be reasonable to anticipate that a legal dispute will arise from the data breach, in which case materials produced by technical experts may be protected by the work-product doctrine. But neither privilege is absolute, so an organization must take proper precautions during the investigation and response to help shield the materials from discovery by opposing counsel in the event of litigation.
Class action litigation arising from Target’s massive 2013 data breach provides a valuable lesson in what those precautions should look like. According to Target, after learning that the company may have experienced a breach, Target’s chief legal officer initiated an investigation to provide information to a “Data Breach Task Force” specifically intended to enable in-house and outside counsel to advise Target on its legal obligations. A class of financial institution plaintiffs sought discovery of the Data Breach Task Force investigation as part of their bid to recover significant monetary losses suffered from the breach. Target asserted attorney-client privilege and work product protection in defense of the request. The trial court largely agreed with Target, ruling that most of the information sought by the plaintiffs was protected from discovery.
The court’s order reveals several strategies for prevailing on a future privilege claim to protect breach response documentation:
Plan now to execute these strategies effectively later. As will become apparent from the tips that follow, it is essential to lay the groundwork for privilege in the infant stages of your breach response. For example, if your response team engages an investigative partner before you or your outside counsel are fully engaged, you will have lost several valuable opportunities to capitalize on an approach that may keep that response team’s work product from being disclosed in litigation months or years down the road.
Appearances matter. Investigatory materials prepared to aid counsel should note on their face that they are privileged and that they were prepared for and delivered to counsel. That’s the basic approach any lawyer can articulate. But we suggest going further; actually recount counsel’s involvement and that he or she directed that the investigatory work was necessary. Documents should also recount that they were requested for legal advice. These types of precautions will strengthen your privilege argument when, as in the Target case, the court conducts an in-camera review of the materials in question rather than simply considering the parties’ legal arguments and assertions about the materials.
But appearances are not all that matter. Your breach response teams need to understand why their work is privileged because evidence of their understanding may be critical when privilege is asserted. Simply knowing that a lawyer told them to mark materials as privileged is not adequate. They should be able to recount that their work was necessary to facilitate legal advice. In Target’s case, the chief legal officer was able to represent to the court that the work was, in fact, conducted to support the work of counsel, and that understanding was held by all who supported the Data Breach Task Force. The court appears to have relied heavily on that representation in reaching its conclusions. Ideally, had it been necessary, other members of the response teams would have been equally well-positioned to assert their understanding as to why the privilege attached.
Don’t just involve counsel—entrench counsel, and do it immediately. Obviously, the investigatory work in question actually has to have been intended to support legal advice for privilege to attach, so the first step is engaging counsel BEFORE the investigation is fully formed. It is not a safe strategy to carry out the investigation, at some point later engage counsel to advise on the breach, and then assert that the (already-concluded) investigative work was somehow designed to support the legal advice you hadn’t even requested yet. If third parties are necessary to conduct the investigation, counsel should heavily advise on the scope and approach of their work at the beginning and throughout the investigation. Ideally counsel also will be a party to the engagement. The Target court noted that one of Target’s outside counsel was a party to an engagement letter with the investigating provider, suggesting that a tri-party (vendor–client–lawyer) engagement or side engagement letter by counsel is compelling. (Note also that the client did not need to be excluded as a contracting party; outside counsel had not separately and independently engaged the third party.) The contractual document should actually recount that supporting counsel is a core purpose of the engagement. Any documents conveying results should recount the same and also be directed to counsel.
Consider segregating investigations and/or investigatory reports designed to aid counsel from those intended to further other breach-related activities, such as remediation. Running two separate investigations may not always be feasible, but keep in mind that courts may be skeptical of attempts to protect every stitch of information pertaining to a breach investigation by asserting legal privilege. And when a payment card breach occurs, it may be a necessity to bifurcate if privilege will be asserted over any portion. The mandatory investigation required by the payment card industry is a contractual obligation; attempting to also privilege that investigation poses challenges since opposing counsel will argue that the investigation would have been pursued anyway due to the payment card requirements and regardless of any need for legal counsel. The Target court’s order describes Target’s two-track approach to investigating the breach (one designed to address payment card requirements and the other designed to aid counsel) and relied on that strategy in support of the privilege argument. The court also cited a declaration of outside counsel that the two investigative teams did not communicate about the attorney-directed investigation. Even if an investigation is not required by payment card operating rules or other legal obligations, segregating results for counsel is also important because privilege is not absolute. If a party can show a compelling need for the information that cannot be satisfied other than through disclosure of the materials sought, a court may order disclosure. Therefore, a smart strategy may be to assume that some factual information will or should be disclosed, and bifurcate conclusions and predictions designed to aid counsel from the factual results and remediation efforts are more readily disclosed. The Target court found that the privileged material it reviewed was focused on obtaining legal advice and preparation of defense, not remediation of the breach, which cut against the plaintiffs’ argument that the material would have been generated by necessity when responding to the breach and not only due to the need for legal advice. The court also noted that the plaintiffs had access to pertinent information about the response through documents that were already disclosed.
Email + Lawyer + Request for Advice = Privilege. Email – Lawyer – Request for Advice = No Privilege. It’s basic privilege math. If the communication does not include or facilitate a request for advice, and there is no lawyer anywhere in sight, your assertion of attorney-client privilege will likely fail. The only records that the Target court found not subject to privilege were email updates from Target's CEO to its board of directors. The court stated, “Nothing in the record supports a claim for attorney-client privilege for these communications as they do not involve any confidential communications between attorney and client, contain requests for or discussion necessary to obtain legal advice, nor include the provision of legal advice.” Target may have obtained a favorable outcome if counsel had been the sender and/or requests for meetings with the board had recounted the need to include a lawyer and receive legal advice.
Again, legal privileges are never absolute. These strategies are intended to clarify a few points that often positively influence assertions of privilege, but they do not guaranty success. However, keeping these approaches top-of-mind at the outset of a breach response, or even including them in your practice breach response drills, is good exercise to help ensure your privilege defense remains fit throughout the (hopefully) controlled chaos of a data breach.