M.D. Pa. orders the production of cybersecurity report in data breach class action
Takeaway: Counsel for companies that suffer a data breach often hire an outside cybersecurity firm to remediate the breach and assist counsel in preparing for and defending against litigation. These companies typically take the position that the cybersecurity firm’s report constitutes attorney work-product not subject to discovery, as having been prepared for counsel in anticipation of litigation. As we explained in a prior article – Data Breach Class Actions – Eastern District of Virginia Finds Cybersecurity Firm Incident Report Not Protected by Work-Product Doctrine (June 26, 2020) – a Magistrate Judge in the Eastern District of Virginia in 2020 ordered Capital One to produce such a report, finding the report had not been created primarily for litigation. Recently, a Magistrate Judge in the Middle District of Pennsylvania ordered a convenience and gas station chain to produce a cybersecurity report, finding the report not protected under either the work-product doctrine or the attorney-client privilege. In re Rutter’s Data Security Breach Litigation, No. 1:20-CV-382, 2021 WL 3733137 (M.D. Pa. July 22, 2021).
Rutter’s, a chain of convenience stores and gas stations with locations in Pennsylvania, West Virginia, and Maryland, learned in May 2019 that hackers had executed a malware attack against its card payment system, compromising its customer card data. Rutter’s quickly hired outside counsel to provide advice about its data breach notification obligations, and outside counsel then hired Kroll Cyber Security, LLC (“Kroll”) “‘to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.’” 2021 WL 3733137, at *1. Representatives of Kroll and Rutter’s met numerous times; Rutter’s paid Kroll directly for its services; and Kroll’s investigation concluded in July 2019 when it first provided Rutter’s (as opposed to outside counsel) with its written report. Both Rutter’s and its outside counsel viewed and treated the investigation and the report as privileged.
Class action plaintiffs sued Rutter’s, alleging various claims arising out of the breach, and they discovered the existence of Kroll’s investigation during a Rule 30(b)(6) deposition of Rutter’s Vice President of Technology. Ultimately, they moved to compel the production of the Kroll investigative report and related communications. Rutter’s objected to the production of the report and communications as protected from disclosure under the work-product doctrine and the attorney-client privilege.
U.S. Magistrate Chief Judge Karoline Mehalchick of the Middle District of Pennsylvania granted plaintiffs’ motion to compel, ruling that the Kroll report was not protected by the work-product doctrine or the attorney-client privilege. Analyzing the work-product issue first, Judge Mehalchick found that preparation for litigation did not constitute the “primary motivating purpose” of the report. Id. at *2. The Kroll contract, entered by Rutter’s and Kroll, included a “statement of work” (SOW), stating that “[t]he overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.” Id. According to Judge Mehalchick, this language demonstrated that Rutter’s did not anticipate litigation. Kroll’s investigation instead represented a factual exercise – “to determine whether data was compromised, and the scope of such compromise if it occurred.” Id. (emphasis in original). Given that Rutter’s did not know that a data breach had occurred, it could not have “unilaterally believed” at the time that litigation would be filed. Id.
Importantly, Rutter’s Vice President of Technology testified that litigation had not been anticipated at the time Kroll prepared the report. Instead, he agreed that “Kroll would have prepared – done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed six months later[.]” Id. Citing case law on the work-product doctrine, the court concluded that preparation for impending litigation did not constitute the report’s “primary motivating factor.” Id.
Turning to the attorney-client privilege, Judge Mehalchick concluded that the privilege did not protect the report from disclosure either. Rutter’s failed to prove that the report and related communications involved “presenting opinions and setting forth . . . tactics,” as opposed to examining the factual details of the breach. Id. at *4. She concluded that Rutter’s did “not carry its burden of establishing that the Kroll Report and related communications between Kroll and Defendant had a primary purpose of providing or obtaining legal assistance for Defendant. … and that the report and communications were either factual in nature or, where advice and tactics were involved, did not include legal input.” Id.
Accordingly, Judge Mehalchick granted the motion to compel, ordering Rutter’s to produce the Kroll report and related communications.