Statement Of Work Can Make Or Break Discoverability Of Data Breach Report

Cozen O'Connor

A recent decision from a federal court in Pennsylvania highlights the importance of a carefully crafted statement of work (“SOW”) when commissioning an investigative report in response to a data security breach. A convenience store chain recently learned this lesson the hard way when it was ordered to produce to plaintiffs’ counsel a report it commissioned from a cybersecurity consultant to determine the scope of a data breach. The store — which is the defendant in a class action stemming from a 2019 malware attack that compromised customer information — argued that the report was protected from discovery under the attorney-client privilege and/or work product doctrine because the consultant was hired by counsel. The defendant had engaged that counsel for advice on any notification obligations flowing from the attack.

In granting the plaintiffs’ motion to compel, the court examined the SOW attendant to the report to determine whether it was commissioned in anticipation of litigation; i.e., whether the prospect of litigation was a motivating factor in requesting the report. The court found nothing in the SOW signaling a belief that litigation was on the horizon, and a corporate designee for the chain testified to the same effect during a deposition.

Further, the court found that the report was factual — rather than tactical — in nature, taking it out from under the umbrella of attorney-client privilege. “The SOW shows that [the consultant] was employed to collect data from defendant’s equipment, to monitor defendant’s equipment, to determine whether defendant’s equipment was compromised and to what extent, and to ‘work alongside [the defendant’s] IT personnel to identify and remediate any potential vulnerabilities,’” the court’s opinion notes.

The bottom line for the court was this: The SOW made clear that the report was commissioned to determine whether a breach had occurred, and if so, the extent of the breach. And unless and until a breach had been established, the defendant had no reason to think it would be sued. Therefore, the report was unprotected and discoverable. While the extent to which this decision is followed by other courts remains to be seen, it gives companies one more thing to think about in the wake of a data breach.

The case is In re Rutter’s Data Sec. Breach Litigation, Civ. A. No. 1:20-CV-382 (M.D. Pa. July 22, 2021). A copy of the court’s opinion can be found here.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising
