Another Court Orders Production of Cybersecurity Firm’s Forensic Report in a Data Breach Case
Another district court just ordered the defendant in a data breach class action to turn over the forensic report it believed was entirely protected from disclosure by the attorney-client privilege and work product doctrine. See In re Rutter’s Inc. Data Security Breach Litigation, Case No. 1:20-CV-382 (N.D. Penn. July 22, 2021). The court granted the motion to compel Rutter’s to produce its investigative report (the “Kroll Report”), which was created after the defendant was notified of a potential breach. Once litigation ensued, and as is customary, Rutter’s withheld the Kroll Report from production on the basis of the work product doctrine and the attorney-client privilege. But, ruling on the plaintiffs’ motion to compel the disclosure of the report, the court rejected the notion that incident reports are necessarily prepared in anticipation of litigation and instead looked at the “primary motivating purpose” behind the report. The court ultimately found that the evidence in the case, including the agreement between the defendant and the vendor demonstrated that litigation was not the “primary motivating factor” behind the creation of the Kroll Report. Moreover, attorney client privilege did not apply to communications and statements regarding facts. After a careful consideration and analysis, the court ordered the report to be produced in its entirety.
The Following Factors Worked Against Rutter’s:
The agreement between Rutter’s and the vendor stated that the “purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred.”
The agreement also indicated that the vendor was merely retained to collect data, monitor IT equipment, and determine whether it had been compromised.
There was also insufficient evidence that Rutter’s anticipated that litigation would ensue.
Rutter’s corporate designee testified, moreover, that Rutter was not anticipating a lawsuit as a result of the data breach incident at the time when the vendor was retained.
There was evidence that the report would have been prepared regardless of whether a suit was ultimately filed.
There was no evidence that the law firm received the report before Rutter’s did.
The report and related communications “were either factual in nature or, where advice and tactics were involved, did not include legal input.”
The Rutter’s decision comes on the heels of the widely publicized Capital One decision, which was the first case compelling a defendant in a data breach case to turn over its forensic report. Until 2020, the companies and cybersecurity vendors had always assumed that such reports were automatically privileged.
The 2020 Capital One Decision:
In 2020, another federal court paved the way for stripping incident reports of work-product protection in In re: Capital One Customer Data Security Breach Litigation, Case No. 1:19-md-02915 (E.D. Va May 26, 2020). As we previously discussed in our blog post on this subject, the Capital One court ruled that incident reports did not automatically qualify for protection from disclosure, sending shock waves across the cybersecurity world.
In its ruling, the Capital One court emphasized that the litigation itself does not automatically protect the materials at issue. Rather, the materials must be prepared in anticipation of litigation, with litigation being the “driving force behind the preparation of each requested document” to qualify for work-product protection. See Order at 6. The Capital One court looked at the totality of the circumstances in deciding that there was no work product protection and emphasized that the mere fact that a law firm was retained or that litigation was likely, alone, was insufficient to trigger protection.
The following factors ultimately worked against Capital One:
The company had a longstanding relationship and pre-existing agreements with this vendor.
There was no evidence that the report would not have been prepared but for this litigation.
There was evidence that a report of this kind would have been prepared after an incident, no matter what.
The vendor’s work was the same, the services were almost identical, and the terms of its agreement were essentially the same both before and after the law firm’s involvement.
The scope of work did not change when the law firm became involved.
The vendor’s retainer was originally paid as a “business expense” and not a legal expense.
The report was provided to four different regulators and accountant, which indicated that it was prepared for regulatory and business reasons (rather than purely legal reasons).
The report was also shared with Capital One’s internal response team (including technical, IT, cyber, and enterprise services teams), which again demonstrated that the report had various business and regulatory purposes.
Recommended Steps:
Companies can take the following steps to maximize and strengthen their claim for work product and attorney-client privilege protection of incident reports:
Retain outside counsel and consult with litigation counsel immediately after an incident occurs.
Do not retain an outside vendor directly but do so through outside counsel.
Allow outside counsel to control the work and performance of the vendor.
Ensure the vendor sends the report only to outside counsel.
Hire different vendors or, at a minimum, ensure there is a vastly different agreement and scope of services specifically tailored to the report.
Do not include the report in the scope of services before the incident.
Clearly differentiate between the vendor’s routine services and litigation-related services.
Do not share the report with anyone, except for legal purposes.
Share the report with as few people as necessary.
If a report is also necessary for internal business, accounting, or regulatory purposes, have a separate, “sanitized” report prepared.
The report and the related work must be a “legal expense” paid for out of the company’s legal budget, preferably through outside counsel.
Document anticipated or potential threat of litigation early on.
Take the time to carefully select and prepare your 30(b)(6) witness for the deposition.
Takeaway:
Decisions such as Rutter’s and Capital One have widespread implications for both in the data privacy litigation context and compliance-related investigations. Companies must be careful not to blur the lines between “ordinary course of business” factual reports and incident reports that are prepared for litigation purposes.