Another Federal Court Orders Production of Data Breach Forensic Report

Ballard Spahr LLP

[co-author: Emily Klode]

Following in the footsteps of the Eastern District of Virginia’s Capital One decision last year and the District of D.C.’s Clark Hill decision earlier this year, the Eastern District of Pennsylvania has just ordered the production of a data breach forensic report and related communications. In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021). The Rutter’s decision is a reminder that although courts had generally found such documents protected by the attorney-client privilege and/or work product doctrine, the tide may be changing.

On May 29, 2019, Rutter’s received two security alerts which detailed “the execution of suspicious scripts and indications of the use of potentially compromised credentials.” The same day, Rutter’s engaged outside counsel to advise on its potential notification obligations. Outside counsel then engaged a forensic investigator to perform an analysis to determine the character and scope of the incident. The parties all assumed that the investigation, including its ultimate report and the communications made in furtherance thereof, would be protected by the attorney-client privilege and/or the work product doctrine. The plaintiffs moved to compel, and the federal magistrate judge granted the motion.

With respect to the work-product doctrine, the Court explained that the doctrine only applies where impending litigation is the “primary motivating purpose behind the creation of the document.” The Court then held that it was clear from the contract that “the primary motivating purpose” behind the forensic investigation was not to prepare for the prospect of litigation—it was to determine whether data was compromised, and the scope of such compromise if it occurred. The Court also relied on the testimony of Rutter’s corporate designee and the fact that outside counsel did not receive the report before Rutter’s. Based on these facts, the Court held that the work product doctrine did not apply.

With respect to the attorney-client privilege, the Court explained that a “communication may only be privileged if its primary purpose is to gain or provide legal assistance.” The Court further explained that for privilege to apply, the attorney must be “acting as a lawyer,” meaning that the lawyer “must guide future conduct by interpreting and applying legal principles to specific facts.” The Court emphasized that privilege does not protect communications of fact, nor communications merely because a legal issue can be identified. Based on that law, the Court found that Rutter’s had not demonstrated that the forensic report and related communications involved “presenting opinions and setting forth . . . tactics rather than discussing facts.” Specifically, the Court noted that only one portion of the forensic vendor’s services was not inherently factual—working with Rutter’s IT personnel to identify and remediate potential vulnerabilities, which the Court found was not providing legal advice.

The Rutter’s opinion casts further doubt on whether courts will extend protection over data breach forensic investigation reports and communications. However, like the Capital One and Clark Hill cases, the Rutter’s opinion leaves open the possibility for protection if certain facts occur—some of which companies and outside counsel can control to a degree. Accordingly, although confusion and chaos can be pervasive at the beginning stages of a data breach, companies and outside counsel should take steps to build a record that may help them secure privilege down the road.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
