Takeaway: Counsel for companies that suffer a data breach often hire an outside cybersecurity firm to remediate the breach and assist counsel in preparing for and defending against litigation. These companies typically take the position that the cybersecurity firm’s report constitutes attorney work-product not subject to discovery because it was prepared for counsel in anticipation of litigation. As we explained in a prior article – Data Breach Class Actions – Eastern District of Virginia Finds Cybersecurity Firm Incident Report Not Protected by Work-Product Doctrine (June 26, 2020) – a Magistrate Judge in the Eastern District of Virginia in 2020 ordered Capital One to produce such a report, finding the report had not been created primarily for litigation. Recently, a Magistrate Judge in the Middle District of Pennsylvania ordered a convenience store and gas station chain to produce a cybersecurity report, finding the report not protected under either the work-product doctrine or the attorney-client privilege. In re Rutter’s Data Security Breach Litigation, No. 1:20-CV-382, 2021 WL 3733137 (M.D. Pa. July 22, 2021).
Rutter’s, a chain of convenience stores and gas stations with locations in Pennsylvania, West Virginia, and Maryland, learned in May 2019 that hackers had executed a malware attack against its card payment system, compromising its customer card data. Rutter’s quickly hired outside counsel to provide advice about its data breach notification obligations, and outside counsel then hired Kroll Cyber Security, LLC (“Kroll”) “‘to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.’” 2021 WL 3733137, at *1. Representatives of Kroll and Rutter’s met numerous times; Rutter’s paid Kroll directly for its services; and Kroll’s investigation concluded in July 2019 when it first provided Rutter’s (as opposed to outside counsel) with its written report. Both Rutter’s and its outside counsel viewed and treated the investigation and the report as privileged.
Class action plaintiffs sued Rutter’s, alleging various claims arising out of the breach, and they discovered the existence of Kroll’s investigation during a Rule 30(b)(6) deposition of Rutter’s Vice President of Technology. Ultimately, they moved to compel the production of the Kroll investigative report and related communications. Rutter’s objected to the production of the report and communications as protected from disclosure under the work-product doctrine and the attorney-client privilege.
U.S. Magistrate Chief Judge Karoline Mehalchick of the Middle District of Pennsylvania granted plaintiffs’ motion to compel, ruling that the Kroll report was not protected by the work-product doctrine or the attorney-client privilege. Analyzing the work-product issue first, Judge Mehalchick found that preparation for litigation did not constitute the “primary motivating purpose” of the report. Id. at *2. The Kroll contract, entered into by Rutter’s and Kroll, included a “statement of work” (SOW), stating that “[t]he overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.” Id. According to Judge Mehalchick, this language demonstrated that Rutter’s did not anticipate litigation. Kroll’s investigation instead represented a factual exercise – “to determine whether data was compromised, and the scope of such compromise if it occurred.” Id. (emphasis in original). Given that Rutter’s did not know that a data breach had occurred, it could not have “unilaterally believed” at the time that litigation would be filed. Id.
Importantly, Rutter’s Vice President of Technology testified that litigation had not been anticipated at the time Kroll prepared the report. Instead, he agreed that “Kroll would have prepared – done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed six months later[.]” Id. Citing case law on the work-product doctrine, the court concluded that preparation for impending litigation did not constitute the report’s “primary motivating factor.” Id.
Turning to the attorney-client privilege, Judge Mehalchick concluded that the privilege did not protect the report from disclosure either. Rutter’s failed to prove that the report and related communications involved “presenting opinions and setting forth . . . tactics,” as opposed to examining the factual details of the breach. Id. at *4. She concluded that Rutter’s did “not carry its burden of establishing that the Kroll Report and related communications between Kroll and Defendant had a primary purpose of providing or obtaining legal assistance for Defendant. … and that the report and communications were either factual in nature or, where advice and tactics were involved, did not include legal input.” Id.
Accordingly, Judge Mehalchick granted the motion to compel, ordering Rutter’s to produce the Kroll report and related communications.