A data security incident will always require a technical response, and usually that technical response will come from outside experts.  Those experts are hired to investigate and remediate an incident.  Since data incidents can lead to government investigations and litigation, the question is whether digital forensics reports from those vendors — and the communications around those reports — will be subject to discovery when litigation occurs.  A recent decision in this important and evolving area of case law makes clear that protecting those reports and communications is very difficult, and requires a great deal of care.

The Court’s Opinion:  Attorney Work Product and Attorney-Client Privilege

In Re Rutter’s Data Security Breach Litigation involves a data security incident that Rutter’s (a U.S. convenience store chain) experienced in 2019.  When Rutter’s discovered the incident, they hired outside counsel, which then hired a cybersecurity consultant.  The consultant was hired “to conduct forensic analysis on Rutter’s card environment and determine the character and scope of the incident.”  On July 22, a Magistrate Judge in the U.S. District Court for the Middle District of Pennsylvania determined that the consultant’s report, and the communications concerning that report, could not be shielded from discovery.

The court considered two theories for preventing disclosure:  the attorney work product doctrine, and the attorney-client privilege.  Neither helped the defendant prevent disclosure.

The attorney work product doctrine shields documents from discovery if documents are prepared in anticipation of litigation.  But in Rutter’s case, the court determined that the primary purpose of the consultant’s work, according to the statement of work and the testimony of relevant witnesses, was “to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.”  In Rutter’s case, there was no evidence that litigation was contemplated or anticipated.

The attorney-client privilege shields documents and communications from disclosure if there is a communication between an attorney and a client for the purpose of obtaining or providing legal advice for the client.  While this communication must be in confidence, the presence of a consultant does not necessarily destroy the privilege, if the consultant is acting as an agent to facilitate the attorney-client communication.  But in Rutter’s case,  the available evidence demonstrated that the consultant worked with Rutter’s IT department to resolve the breach; there was no evidence that the consultant’s work was done to assist in the provision of legal advice.

Practical Fallout

How should businesses react to this decision?

First, this opinion should not be a surprise.  A number of recent decisions concerning the discoverability of forensics reports have considered the work product and privilege doctrines in roughly the same manner.  These are long-standing doctrines that are being applied to the data security incident context; they are not new doctrines being invented by courts.  Businesses should already be taking care in the way the court in In Re Rutter’s suggests — the case does not break new ground.

Second, the court does helpfully provide further guideposts to businesses.  Practical takeaways for businesses that seek to minimize the risks stemming from a security incident include the following:

• Structure contracts with consultants to make clear that the consultant is working at the direction of counsel to provide legal advice to the client, and that the parties reasonably anticipate the possibility of litigation.
• Because it’s not just reports, but also communications between consultants and businesses that are potentially discoverable, take care to limit such communications (especially written communications) to only what is necessary.
• Make sure that counsel is directly involved with the consultant.  While this means additional expense, it will strengthen the case that the consultant’s work is for the purpose of assisting counsel, and done as much as possible at counsel’s direction.

Third, the In Re Rutter’s decision should be a helpful reminder that simply having attorneys involved in some fashion does not protect documents and communications from discovery.  So, for example, merely having a three-way contract between an affected business, a consultant, and a lawyer does not then create privilege:  care must be taken that communications are either in anticipation of litigation or for the purpose of providing legal advice.  Paper does not create privilege.

Fourth, remember that no matter what precautions you take — how you structure the contract or the conduct between counsel and consultant — courts may still determine that reports, drafts, and communications concerning reports may be discoverable.  While the steps above may minimize the risk of discovery, they will not eliminate those risks.