Attorney Work Product and Client Communication Privilege protections for data breach forensic investigation reports impacted by a recent ruling


By: Nicholas Jajko

Attorney Work Product and Client Communication Privilege protections for data breach forensic investigation reports, already cracked at the foundation, were further eroded by a recent federal district court ruling.

The Magistrate Judge in a Middle District of Pennsylvania data breach class action granted Plaintiffs’ letter motion to compel an investigation report prepared by Kroll Cyber Security, LLC (“Kroll”) at the direction of Defendants’ outside breach counsel. The matter, In re Rutter’s Data Security Breach Litigation, was brought by customers of Rutter’s Farm Stores Inc., a York, Pennsylvania-based farm, dairy, and operator of convenience store gas stations. The class alleges damages resulting from payment-card-stealing malware that infected Rutter’s in-store and pay-at-the-pump point-of-sale systems in 2018 and 2019. Following the discovery of the suspicious code in May 2019, Rutter’s counsel engaged Kroll under a Statement of Work to “determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data.” The Court found that this language suggested no unilateral and objective prospect of litigation existed, so the Attorney Work Product protection could not preclude production. Similarly, the Court construed the Attorney-Client privilege narrowly, finding the report was fact-based and not a communication with a primary purpose of providing or obtaining legal assistance.

This decision follows In re: Capital One Customer Data Security Breach Litigation, where the court granted a motion to compel the investigative report from FireEye, Inc., d/b/a Mandiant (“Mandiant”) based on the defendant’s pre-existing contractual relationship with the vendor. Although litigation was imminent at the time, the Court found no indication the report would not otherwise have been prepared in the normal course of the business relationship, prior to counsel being involved. 

Practically, cyber incident response attorneys must rely on these decisions when managing client expectations and as a guide to direct forensic investigations into cyber breach and privacy incidents:

  • While the imminence of litigation is beyond breach counsel’s control, engagement agreements should always be “tri-partite”;
  • Counsel should also resist vendors’ preference to operate under one Master Services Agreement with subsequent SOWs referring back to the original MSA, citing Capital One as justification; and
  • Further, clients should be counseled that Work Product Protection and Attorney-Client Privilege are not rock-solid, but that such steps are taken to best preserve all potential arguments in favor of preclusion.

Absent regulatory inquiry, there are few mechanisms to compel investigation reports outside of litigation. Fortunately for cyber insureds, overcoming Article III standing for almost all data breach litigation remains a steep climb. As a result, judicial orders compelling the production of investigation reports remain rare.

For additional questions, please contact Nicholas Jajko at