In-house counsel faced with a data breach encounters a difficult balancing act. On the one hand, it is critical to determine the cause of the breach and generate a plan to bolster security systems to reduce the likelihood of similar occurrences in the future. On the other hand, these same reports, usually performed by third-party consulting companies, can generate damning evidence for affected parties in ensuing litigation. Whether such reports are subject to production in litigation often turn on a handful of minutiae, such as the primary purpose for the report’s creation and whether the company maintains a clear line between business and legal functions. As a matter of practicality and necessity, that line often becomes blurred quite quickly, and several recent case decisions demonstrate the pitfalls that can result in the inadvertent production of these reports in litigation.
One of the earlier reported decisions involved Target’s successful objection to production of a data breach report on the basis of privilege in class action litigation (see In re Target Corp. Customer Data Sec. Breach Litig., No. MDL142522PAMJJK, 2015 WL 6777384 (D. Minn. Oct. 23, 2015)). Unlike many of the cases that followed, Target succeeded in protecting its data breach investigatory report from production in litigation.
Following the Target decision, the tide has turned significantly regarding the production of data breach reports in litigation. These cases all tend to have similar threads: whether, and to what extent, these reports are generated for the purpose of providing legal advice or in anticipation of litigation, and most importantly, whether the company can prove either of those prongs.
Following Target, the Eastern District of Virginia reached the opposite conclusion, foreboding a trend in favor of ordering production of such reports. In that case, a financial institution had a Master Services Agreement and retainer with an information security consulting firm to be able to quickly respond to cybersecurity incidents. The financial institution periodically entered into individual Statements of Work (SOWs) with the consulting firm pursuant to a Master Services Agreement for various projects.
After a data breach occurred in March 2019, the financial institution retained outside counsel to provide legal advice in connection with the data breach incident. The financial institution, its outside counsel, and the consulting firm then entered into a Letter Agreement pursuant to the Master Services Agreement and SOW providing that the consulting firm would provide consulting services as directed by counsel and that any reports from the consulting firm would be provided directly to outside counsel rather than to the financial institution. Notably, the financial institution initially designated these expenses as “business critical” expenses and not “legal” expenses, although they would later be recategorized and deducted from the legal budget.
When the financial institution publicly announced the data breach, litigation quickly ensued. After the litigation began, the consulting firm prepared a report analyzing the causes of the data breach and provided the report to the financial institution’s outside counsel. Meanwhile, the financial institution also conducted a separate internal investigation into the data breach. The consulting firm initially provided its written report to the financial institution’s outside counsel, which in turn provided the report to the financial institution’s legal department and board of directors. The consulting report was also apparently provided to four federal regulators, an accounting firm, and an internal “corporate governance office general email” inbox.
When a discovery dispute predictably arose over the production of that report, the financial institution asserted blanket objections of work product protection and attorney-client privilege while also stating that it would produce selective documents relating to these investigations. The court disagreed. In ordering production of the consulting firm report, the court noted the financial institution’s production of the report to regulators and an accounting firm, evidencing significant regulatory and business reasons for the investigation. The court also noted that the financial institution failed to establish which individuals had access to the “corporate governance office general email” inbox and for what purpose, as well as whether any restrictions were placed on who had access to that inbox. Lastly, the court placed significance on the fact that the financial institution had an existing SOW with the consulting firm and that the SOW was not amended to reflect the scope of the new work following the data breach, with the only difference being that the report was provided directly to outside counsel before being distributed to the financial institution and other parties.
Soon thereafter, the trend in favor of producing such reports continued. In Guo Wengui v. Clark Hill, PLC, 338 F.R.D. 7, 10 (D.D.C. 2021), the court similarly found that the evidence did not support efforts to withstand the production of the data breach investigatory report.
On Clark Hill’s work product claim, the court applied the “but for” test for analyzing claims of work product doctrine: whether the document would have otherwise been created without the anticipation of imminent litigation. After reviewing the evidence, the court held that Clark Hill failed to meet its burden that the document, or a substantially similar document, would not have been produced in the ordinary course of business.
For its part, Clark Hill argued that it employed a “two-track” approach involving two separate investigations into the breach — one investigation by an initial consulting firm to determine the cause of the breach for business purposes and one investigation by a second consulting firm for purposes of obtaining legal advice from outside counsel. Unfortunately for Clark Hill, the court determined that Clark Hill’s claim of a two-track process found little support in the record. The court noted that the sworn statements from Clark Hill did not explicitly support this claim, instead providing only an equivocal statement that the second consulting firm was not needed for “business continuity” because of the retainer of the first consulting firm. The court also cited Clark Hill’s contradictory interrogatory response, which provided that “its understanding of the progression of the September 12, 2017 cyber-incident [was] based solely on the advice of outside counsel and [the second consulting firm] retained by outside counsel,” (emphasis in original), suggesting that the first consulting firm provided no analysis to Clark Hill or outside counsel to aid in Clark Hill’s response. This conclusion was further supported by the lack of any comparable written report or findings produced by the first consulting firm. This all reflected, according to the court, that Clark Hill retained the second consulting firm to supplant the work being performed by the first firm rather than to supplement it with another function.
Finally, the court noted the recipients of the report from the second consulting firm as evidence of the reasons for its production. Clark Hill shared the report with outside and in-house counsel, “select members of Clark Hill’s leadership and IT team,” and the FBI. The court further quoted the language of a sworn statement from Clark Hill’s general counsel, which provided that the report was used to assist Clark Hill in managing “any issues” rather than those solely related to anticipated litigation.
With regard to attorney-client privilege, the court made short shrift of this objection. Although the attorney-client privilege generally only protects communications between an attorney and the client for the purpose of obtaining legal advice, the privilege can also protect reports of third parties, such as cybersecurity consultants, made at the request of the attorney or client. But the court nonetheless held that the privilege did not apply in this instance. The court began by noting that the attorney-client privilege is narrowly construed and does not apply if the analysis or advice is that of the third-party consultant rather than counsel. The court also distinguished the Target case, where privilege was upheld, by noting that Target had a “two-track approach” that did not exist in Clark Hill, as well as the facts that Target’s report was not shared as widely as Clark Hill’s report and the Target report did not center on “remediation of the breach.”
Scope of SOW and Anticipation of Imminent Litigation
In response to suspicious activity potentially indicating a data breach, Rutter’s retained outside counsel to determine whether the breach triggered any notification obligations (see In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 WL 3733137 (M.D. Pa. July 22, 2021)). Rutter’s outside counsel quickly retained a cybersecurity firm to investigate. In connection with that investigation, the cybersecurity consultant provided Rutter’s with a written report and related communications. During the course of subsequent litigation relating to the breach, the plaintiffs learned of this investigation and sought production of the Kroll report. Rutter’s objected to the production of these documents on the basis of both work product and attorney-client privilege.
The court overruled both of these objections. First, the court analyzed the scope of the cybersecurity firm’s SOW, which stated an overarching purpose of determining whether unauthorized activity occurred and the scope of such activity. The court cited the language of the SOW and the testimony of Rutter’s corporate representative as evidence that Rutter’s was not anticipating imminent litigation at the time it requested the investigation. In addition, the report was not provided to outside counsel first, but rather directly to Rutter’s. The court then quickly dispensed with Rutter’s claim of attorney-client privilege by correctly noting that attorney-client privilege does not protect disclosure of the underlying facts.
The decisions in Target, Clark Hill, Rutter’s, and related cases provide important food for thought that companies should be considering before any data breach occurs. In-house counsel should consider the following proactive steps both before and in the wake of any data breach:
Statements of Work: In-house counsel should always consider proactively engaging cybersecurity consulting firms to prepare for quick data breach responses if and when they happen. That said, if the company decides to have a cybersecurity company on retainer and a data breach does occur, the company and the consulting firm should execute additional documentation, such as a SOW addendum, stating that the company’s outside counsel is retaining the firm, its investigation is confidential and will only be provided to counsel, and the investigation is undertaken to assist counsel in providing legal advice to the company. Companies understandably want to be prepared for data breaches by engaging consulting companies in advance and having SOWs in place to efficiently respond to such incidents if and when they occur. To the extent an existing SOW is already in place, the company should either (1) meaningfully amend the SOW to reflect the nature and purpose of the new work or (2) consider retaining a separate cybersecurity firm altogether to handle any portions of the investigation that the company wishes to protect from disclosure in any ensuing litigation. This latter option brings us to the next point: the “two-track” investigation.
Use of “Two-Track” Investigations: Companies should consider employing a two-tiered approach to investigating data breaches — one for business purposes and one for legal purposes — to stand a better chance of sustaining an objection on the basis of work product and/or attorney-client privilege. That approach must also be well-documented, as the Clark Hill case demonstrates. Mere lip service or statements of a two-tiered approach, unsupported by other evidence, is often not enough.
Contents of Data Breach Reports: It is axiomatic that while impressions of counsel and communications for the purpose of obtaining legal advice are protected by attorney-client privilege, facts are not. To the extent that facts regarding the source and/or cause of a breach are contained in a written report, the underlying facts are not privileged. And even when the work product doctrine would otherwise apply to protect underlying facts, that protection can be overcome by a showing of substantial need or an inability to obtain the same information from other sources. Companies should contractually outline the exact nature of the investigation to be conducted by the cybersecurity firm, as well as explicit instructions that the report should not assign blame to any parties or include any speculation regarding facts that are not fully supported by concrete evidence.
Sharing of Data Breach Reports: A company’s response to a data breach often involves a variety of business functions — business, legal, cybersecurity, and governance, among others. To the extent data breach reports are shared with different departments or individuals, companies should carefully document the recipients of any investigatory report(s) and the purpose for sharing that information. Investigatory reports should only be distributed on a strict need-to-know basis. These cases demonstrate that courts will consider the extent to which a report was distributed, as well as the reason for its distribution, as one factor in considering whether a report was generated for business or legal purposes. Companies should avoid having the report circulated to a listserv email inbox unless the members of that listserv are carefully documented.
Separation of Business and Legal Functions: The analysis often starts and ends here: What was the purpose for the report’s creation? If there are indicators that the report was created for business purposes, such as funding the report from a business as opposed to legal budget, or sharing the report with third parties (such as an accounting firm), courts will lean toward ordering production. Companies should be meticulous about drawing a line between the business and legal functions within the incident response teams. This delineation includes details as minute as which budget (business vs. legal) is used to pay the cybersecurity firm’s fees and ensuring that there are separate incident response teams to address the legal and business implications of the breach. Any investigatory reports generated for legal purposes should be strictly circulated to only the participants in the legal portion of the investigation.
As always with litigation, the devil is in the details. Even seemingly minor details can make the difference down the road between a court sustaining or overruling a claim of attorney-client privilege or work-product protection.
© 2022 Bradley Arant Boult Cummings LLPNational Law Review, Volume XII, Number 68