A recent magistrate decision from the Middle District of Pennsylvania adds to the growing body of cases limiting discovery protection for forensic reports and other materials prepared in response to a data security incident. Accordingly, companies should review their protocols for invoking the attorney-client privilege and attorney work product protection in light of this and other recent decisions by several other district courts.

Summary of In re Rutter's Decision

The decision, In re Rutter's Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220, at *2 (M.D. Pa. July 22, 2021), considered whether Rutter's, a convenience store chain, could be compelled to produce an investigative report by a third-party cybersecurity consultant and communications with that firm.

After receiving alerts of a potential compromise of its computer network, Rutter's hired outside counsel which in turn engaged Kroll Cyber Security to investigate the incident. After an approximately two-month forensic investigation and numerous meetings between the two, Kroll provided Rutter's with a written report of its findings. Class action plaintiffs from subsequent litigation sought to compel production of the report and related communications between Rutter's and Kroll.

Rutter's argued that the Kroll report was protected from disclosure by both the attorney-client privilege and work product doctrine and that the related communications were attorney-client privileged. The court rejected Rutter's arguments under both theories.

In doing so, the court followed several other recent district court decisions, including those in In re Capital One from the Eastern District of Virginia1 and Wengui v. Clark Hill from the District of Columbia,2 limiting the extent to which the attorney-client privilege and work product doctrine will protect investigation reports and communications following a data security incident.

Attorney Work Product

Under Federal Rule of Civil Procedure 26(b)(3), which defines the federal work product doctrine, a party to litigation generally "may not discover documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative" (emphasis added). The Rutter's court stated that for the Kroll report to be considered attorney work product, the "primary motivating purpose" behind the report's creation must have been a "unilateral belief" that litigation would result from the data security incident.3

The court then held that the prospect of litigation could not have been the primary motivating purpose for creating the report, largely based on language in Kroll's statement of work (SOW) for the matter. The SOW stated that the purpose of the investigation was to determine "whether unauthorized activity within the Rutter's systems environment resulted in the compromise of sensitive data" and "the scope of such a compromise if it occurred."4 According to the court, "[w]ithout knowing whether or not a data breach had occurred, [Rutter's] cannot be said to have unilaterally believed that litigation would result."5

The court also relied on statements made by Rutter's corporate designee in his deposition. The designee testified that forthcoming litigation was not being contemplated at the time Kroll was performing its work, and that the Kroll report would have been prepared regardless of any litigation.6

The court distinguished a 2017 decision by the Central District of California in In re Experian Data Breach Litig. that held a similar forensics report was protected attorney work product.7 The Rutter's court noted that unlike in Experian, where the report was provided only to outside and in-house counsel—and not to the incident response team, Kroll apparently provided its report directly to Rutter's and not to outside counsel.8 Other recent decisions have declined to apply work product protection on similar grounds, holding that a party's decision to share a report with non-attorneys may indicate that the report was really prepared for non-legal purposes.9

Notably, the Experian court applied a different test than the Rutter's court for determining whether the forensic report was "prepared in anticipation of litigation" under Rule 26(b)(3). The Experian court stated that a report merely needed to be prepared "because of" litigation—it need not be prepared exclusively for litigation, and litigation need not even be the primary motive behind the report's preparation.10 The stark difference between the tests applied by these two courts highlights that whether discovery protection applies may turn in large part on which court is hearing the case.

Attorney-Client Privilege

The Rutter's court likewise rejected Rutter's argument that the attorney-client privilege protected the Kroll report or the related communications from discovery. The court stated that for the privilege to apply, the "primary purpose" of generating the report and communications must have been to provide or seek legal assistance.11

Once again, the court relied on the language of Rutter's SOW, which indicated that Kroll was engaged for two main purposes: (1) to collect data and facts related to the incident, and (2) to work with Rutter's IT personnel to assess and remediate potential vulnerabilities. The court held that of these purposes neither involved providing or seeking legal assistance, stating "[t]he record shows that the report and communications were either factual in nature or, where advice and tactics were involved, did not include legal input."12

Strategies for Maintaining Attorney-Client Privilege and Attorney Work Product Protection in an Increasingly Hostile Landscape

Rutter's and other recent decisions make it more difficult to protect forensic investigations and reports as attorney-client privileged or attorney work product. Even where cybersecurity consultants are engaged by outside counsel, courts are likely to scrutinize whether those consultants were really hired for a legal purpose, as opposed to a technical or business one. Similarly, courts are likely to ask whether the investigation and incident response work would have occurred anyway as a necessary part of the company's information security program—regardless of any legal issues or prospective litigation.

That said, Rutter's and other recent decisions do not eliminate these discovery protections following a data security incident and even provide some helpful guidance on how to invoke these protections successfully. Companies should be vigilant about the manner in which they engage forensic consultants to investigate a data security incident and take the following steps before doing so:

Consider the Big Picture

Recent decisions indicate that substantial measures may be necessary to protect from discovery certain investigative reports or communications with cybersecurity consultants. Before engaging a consultant, discuss with counsel whether undertaking some of these more onerous measures makes sense in light of the circumstances and the company's goals.

In Experian, the court held that an investigative report was protected work product in part because it was shared only with legal and not with the incident response team. In some cases, companies may decide that a report that cannot be shared with IT and information security personnel does not provide much value in helping the client address the data security incident. Where that is true, the company may decide to accept some risk of disclosure to pursue its business and security goals.

Pay Close Attention to SOWs and Other Descriptions of Services

Rutter's and several other recent decisions have critically analyzed the language in SOWs and other contractual documents. Descriptions of the consultant's services should be customized for each engagement and should cite legal—rather than business or information security—purposes for the provided services.

In Capital One, the court held that a forensic report was not protected work product in part because the description of services in the operative letter agreement between the consultant and outside counsel was virtually identical to the description in a prior, pre-breach SOW between the consultant and Capital One.13 The court held that this similarity indicated that the work performed by the consultant in response to the breach would have been performed regardless of any litigation arising from the specific incident.

Where applicable, the SOW should cite specific reasons for the consultant's work related to protecting the company from prospective litigation. The Rutter's court stated that company's need to analyze its breach reporting obligations, while legal in nature, did not make the investigation report protected work product because such analysis was not in anticipation of litigation.14

Avoid Using Pre-Incident Contracts

While not an issue in Rutter's, the Capital One decision noted that the letter agreement between outside counsel and the consultant referenced a pre-incident MSA between Capital One and the consultant.15 The court cited this reference as further evidence that the consultant's work was not really performed in anticipation of litigation.

Accordingly, to emphasize the distinction between pre- and post-incident work, companies should enter into entirely new contracts to govern a consultant's forensic work following a security incident. Where feasible, companies should consider engaging a consultant not used for non-protected security work.

Companies should consult with outside counsel and prospective cybersecurity consultants before an incident occurs to determine the best way to contract for the necessary services in the event of an incident.

Limit Recipients of Protected Communications and Reports

Rutter's and several other decisions turn in significant part on the audience with whom the investigative reports were shared. The courts cited the defendants' decision to share the reports to non-lawyers as evidence that the reports had essentially non-legal purposes. To that end, companies should share protected reports sparingly and must be able to articulate a legal purpose for sharing the report with each recipient.

At the outset of an investigation, a company should clearly define the incident response team that will assist counsel in providing legal advice. Additions or subtractions from this team should be documented in a manner to preserve privilege and work product protections, including by defining the role of additions to the team. Communications within this team should also be clearly marked as privileged and copy legal recipients at all times.

Prepare for Disclosure

While taking care to lay the groundwork for successful privilege and work product claims, companies simultaneously should prepare for disclosure of reports and communications. In particular, companies should:

  • Limit email and other written communications;
  • Determine whether a written report from the cybersecurity consultant is needed before requesting one;
  • Do not include technical or other remedial recommendations in the investigative report—inclusion of these could defeat privilege or work product claims (on the grounds that they are not related to legal advice) and could also be damaging in discovery if some recommendations were not adopted; and
  • Advise the incident response team and supporting personnel on good communications etiquette and hygiene (communicate facts, not conjecture, etc.). Companies should consult with counsel to generate protocols and best practices before an incident occurs and should test these protocols through tabletops and other exercises.

Conclusion

The legal landscape for asserting the attorney-client privilege and attorney work product protection following a data security incident is becoming increasingly inhospitable. Companies should not wait until after they have suffered an incident to prepare.

Rather, they should use Rutter's and other recent decisions as an opportunity to scrutinize and refine their protocols and guidelines for engaging cybersecurity consultants and maintaining discovery privileges.

FOOTNOTES

1  In re Capital One Consumer Data Sec. Breach Litig., 2020 WL 3470261 (E.D. Va. June 25, 2020).
2  Wengui v. Clark Hill, 338 F.R.D. 7 (D.D.C. Jan. 12, 2021).
3  Rutter’s, 2021 U.S. Dist. LEXIS 136220, at *6.
4  Id. at *6 (emphasis added).
5  Id. at *6-7.
6  Id. at *7.
7  In re Experian Data Breach Litig., 2017 WL 4325583 (C.D. Cal. May 18, 2017)
8  Rutter’s, 2021 U.S. Dist. LEXIS 136220, at *2-3, *8.
9  See, e.g., Wengui, 338 F.R.D. at 12 (noting that the report was shared with “select members of Clark Hill’s leadership and IT team” and the FBI, indicating that it was prepared and used for a variety of non-legal purposes).
10 Experian, 2017 WL 4325583, at *1.
11 Rutter’s, 2021 U.S. Dist. LEXIS 136220, at *10-11.
12 Id. at *12.
13 Capital One, 2020 WL 3470261 at *5.
14 Rutter’s, 2021 U.S. Dist. LEXIS 136220 at *9, fn. 2.
15 Id. at *1.