Another Court Says Data Breach Investigation Report Is Fair Game
In a recent ruling with important consequences for data breach litigation, a federal court in Pennsylvania ruled that Rutter’s—a Pennsylvania convenience store chain that suffered a data breach—must disclose the investigative report it commissioned from a third-party after the breach. This is a recurring issue in data breach litigation and one that has far-reaching implications for how companies respond to data breaches or other security incidents. This is also the latest entry in an evolving, and not entirely consistent, line of cases that are broadly chipping away at the attorney-client privilege and the work-product doctrine protections companies argue should apply to their investigative reports.
In re Rutter’s Data Sec. Breach Litigation concerns the possible breach of Rutter’s credit card payment processing system, which the company disclosed in February 2020. After receiving notification of the potential breach, Rutter’s hired a law firm to provide legal advice on its response. The firm in turn hired a forensic security company “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.” The security company produced an investigative report describing the results of its investigation. Plaintiffs in the litigation sought to compel production of this report once they learned of it.
The court granted their request, rejecting Rutter’s arguments that the report was protected by the work-product doctrine and the attorney-client privilege. The court held that the report was not protected by the work-product doctrine because the purpose of the report was to determine whether a breach occurred and the scope of that potential breach. Thus, the court concluded that uncertainty about the existence of a breach meant that the report could not have been produced in anticipation of litigation.
In particular, the court relied almost entirely on testimony from a company representative that he was unaware of anyone at Rutter’s contemplating a lawsuit at the time the forensic company was hired or when the investigative report was compiled. The court distinguished this case from others where courts concluded that the work product doctrine applied—including the Experian and Target litigations—noting that in those other cases the likelihood of litigation was much clearer because litigation was either already pending or “was reasonably likely to follow” when the reports were prepared.
The court also took note of the fact that the investigative report in this case was delivered directly to Rutter’s and not to outside counsel, which suggested that it was not prepared to help outside counsel provide legal advice. This is another distinction between the facts in this and the Experian investigation, where the report had first been provided to Experian’s outside counsel.
The Rutter’s court also declined to apply the attorney-client privilege. The court noted that the attorney-client privilege “simply does not attach to a discussion of the facts, no matter how extensive or involved the discussion may become.” And because it found that the report and related communications at issue did not involve “presenting opinions and setting forth … tactics” rather than discussing facts, it was not privileged. The court commented in particular on the scope of the outside security firm’s engagement: since it was hired to collect data and information, the report and related communications “were either factual in nature or, where advice and tactics were involved, did not include legal input.” This ruling appears to turn on the details of the security firm’s engagement and the contents of the report.
The outcome of this ruling is not particularly surprising in light of the evolving caselaw on this issue. In fact, most cases where courts have denied motions to compel the production of post-breach investigative reports have turned on a finding that the reports are protected work product, not privileged attorney-client communications.
In any event, this ruling is a good reminder of the challenge companies face in responding to data breach incidents. Among other things, firms should strongly consider retaining outside counsel to assist with all legal aspects of the response, and—where possible—taking steps to draw clear lines between business and legal aspects of the response in order to avoid being forced to produce sensitive investigative reports.