A Third Federal Court Orders Production of Data Incident Forensic Report and Related Communications Over Privilege Objections
One developing area of the law that send shivers down the spine of data privacy litigators is a growing number of federal courts holding that the attorney-client and work-product privilege do not apply to forensic reports and related communications regarding a data incident. Knowledge of the circumstances involved in the Capital One and Clark Hill litigations—where it was held privilege did not apply—is essential at this point given the high stakes at play. Yesterday another federal court ordered production of materials prepared in the wake of a data incident. In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021). The case has widespread implications outside the realm of data privacy litigation. While this case involves a cyber breach, its reasoning applies to any compliance-related investigation. Read on to learn more.
First, the facts. CPW has already covered the background of the data incident at issue in In re Rutter’s Data Sec. Breach Litig., which concerned a possible breach involving payment cards information at the point-of-sale (POS) devices used by defendants. As relevant here, Rutter’s received two alerts on May 29, 2019, which “detail[ed] the execution of suspicious scripts and indications of the use of potentially compromised credentials.” In response, Rutter’s hired outside counsel, BakerHostetler, “to advise Rutter’s on any potential notification obligations.” BakerHostetler in turn hired a third-party security firm “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.”
Plaintiffs learned about this investigation during the Fed. R. Civ. P. 30(b)(6) deposition of Rutter’s Vice President of Technology. Following that deposition, Plaintiffs in the data incident litigation sought production of the security firm’s written report and related communications. Rutter’s objected, citing the work product doctrine and attorney-client privilege.
The work product doctrine applies to “documents and tangible things … prepared in anticipation of litigation or for trial by or for another party or by or for that other party’s representative.” However, Rule 26(b)(3) of the Federal Rules of Civil Procedure specifies that “for the work product doctrine to apply, the document must be prepared ‘in anticipation of litigation.’” Additionally, the Third Circuit Court of Appeals has specified that aiding in “identifiable” or “impending” litigation must have been the “primary motivating purpose behind the creation of the document.” (emphasis supplied). This involves a two-step inquiry: (1) whether the party which ordered or prepared the document had a “unilateral belief” that litigation would result and (2) the anticipation of litigation must be objectively reasonable.
Applying this precedent, the court held that the work product privilege did not protect the security firm’s report and related communications from disclosure in discovery. This was because:
As set forth in the Statement of Work (“SOW”) in which the security firm was retained, “[t]he purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred.” (emphasis in original). As such, Rutter’s “cannot be said to have unilaterally believed [as required by Third Circuit precedent] that litigation would” (emphasis in original).
This conclusion was additionally underscored by the testimony of Rutter’s corporate designee (who signed the agreement with the security firm involved).
The corporate designee testified that: (1) he was not “contemplating” forthcoming lawsuits as a result of the data incident the time the security firm was performing its work, (2) he was unaware of anyone else at Rutter’s contemplating such lawsuits and (3) (likely most damaging) the security firm “would have . . . done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed.” (emphasis supplied).
Additionally, the court noted that there was no evidence that BakerHostetler received the report before Rutter’s once the security firm’s work was completed.
Rutter’s fared no better with its assertion of attorney-client privilege as precluding production of the materials Plaintiff’s sought.
Under Third Circuit precedent, attorney-client privilege attaches to: (1) a communication (2) made between privileged persons (3) in confidence (4) for the purpose of obtaining or providing legal assistance for the client. Moreover, communication is privileged only if its “primary purpose” is to gain or provide legal assistance. The attorney-client privilege “does not protect the communication of facts.” (emphasis supplied).
Here, the court rejected Rutter’s assertion of attorney-client privilege because Rutter’s “does not carry its burden of establishing that the [security firm’s report] and related communications between [the security firm and Rutter’s had a primary purpose of providing or obtaining legal assistance”. The court made the following factual findings:
The SOW at issue showed that the security firm was merely retained to “collect data,” monitor IT equipment, and determine whether the IT equipment had been compromised.
The court’s review of the record revealed that the security firm’s report and related communications “were either factual in nature or, where advice and tactics were involved, did not include legal input.” (emphasis supplied).
This case is a sobering reminder that while reports prepared for and at the request of counsel in anticipation of litigation can of course be privileged, compliance officers and counsel must be scrupulous to avoid blurring the lines between “ordinary course” factual reports and reports genuinely prepared for trial counsel for the purposes of assisting counsel in litigation. And as was the case here, the testimony given by a 30(b)(6) representative can be highly significant, if not dispositive, for a court when assessing assertions of privilege.
For more developments concerning data privacy litigation as they occur in real-time, stay tuned. CPW will be there.