- Emergency Consultation Services
- FMG BlogLine
By: Nicholas Jajko
The crack in the foundation of Attorney Work Product and Client Communication Privilege protections for data breach forensic investigation reports was further eroded by a recent Federal district court ruling.
The Magistrate Judge in a Middle District of Pennsylvania data breach class action granted Plaintiffs’ letter motion to compel an investigation report prepared by Kroll Cyber Security, LLC (“Koll”) at the direction of Defendants’ outside breach counsel. The matter, In re Rutter’s Data Security Breach Litigation, was brought by customers of Rutter’s Farm Stores Inc., a York, Pennsylvania-based farm, dairy, and operator of the convenience store gas stations. The class alleges damages resulting from payment card stealing malware which infected Rutter’s in-store and pays at the pump point of sale systems in 2018 and 2019. Following the discovery of the suspicious code in May 2019, Rutter’s counsel engaged Kroll under a Statement of Work to “determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data.” The Court found this language suggested no unilateral and objective prospect of litigation existed such that the Attorney Work Product protection could not preclude production. Similarly, the Court construed the Attorney-Client privilege narrowly, finding the report was fact-based and not a communication with a primary purpose of providing or obtaining legal assistance.
This decision follows In re: Capital One Customer Data Security Breach Litigation, where the court granted a motion to compel the investigative report from FireEye, Inc., d/b/a Mandiant (“Mandiant”) based on the defendant’s pre-existing contractual relationship with the vendor. Although litigation was imminent at the time, the Court found no indication the report would not otherwise have been prepared in the normal course of the business relationship, prior to counsel being involved.
Practically, cyber incident response attorneys must rely on these decisions when managing client expectations and as a guide to direct forensic investigations into cyber breach and privacy incidents:
Absent regulatory inquiry, there are few mechanisms to compel investigation reports outside of litigation. Fortunately for cyber insureds, overcoming Article III standing for almost all data breach litigation remains a steep climb. As a result, judicial orders compelling the production of investigation reports remain rare.