chevron-down Created with Sketch Beta.

ARTICLE

A Tale of Two Functions: Business and Legal Considerations after a Data Breach

Eric Todd Presnell and Benjamin Perry

Summary

  • Following the Target decision, the tide has turned significantly regarding the production of data breach reports in litigation.
  • The U.S. District Court for the Eastern District of Virginia reached the opposite conclusion in In re Capital One Consumer Data Security Breach Litigation, foreshadowing a trend in favor of ordering production of such reports.
  • After the Capital One case, the trend in favor of producing such reports continued. In Guo Wengui v. Clark Hill, PLC, the court similarly found that the evidence did not support efforts to withstand production of the data breach investigatory report.
  • The decisions in Target, Capital One, Clark Hill, and Rutter’s provide important food for thought that companies should be considering before any data breach occurs, while plaintiffs’ counsel are taking note of important weaknesses in the attorney-client privilege and work-product protections.
A Tale of Two Functions: Business and Legal Considerations after a Data Breach
dra_schwartz via Getty Images

In-house counsel faced with a data breach encounter a difficult balancing act. On one hand, it is critical to determine the cause of the breach and generate a plan to bolster security systems to reduce the likelihood of similar occurrences in the future. On the other hand, these same reports, usually performed by third-party consulting companies, can generate damning evidence for affected parties in ensuing litigation. Whether such reports are subject to production in litigation often turns on a handful of minutiae, such as the primary purpose of the report’s creation and whether the company maintains a clear line between business and legal functions. As a matter of practicality and necessity, that line often becomes blurred quite quickly, and several recent case decisions demonstrate the pitfalls that can result in inadvertent production of these reports in litigation.

One of the earlier reported decisions involved Target’s successful objection to production of a data breach report on the basis of privilege in class-action litigation. See In re Target Corp. Customer Data Sec. Breach Litig., No. MDL142522PAMJJK, 2015 WL 6777384 (D. Minn. Oct. 23, 2015). Unlike many of the cases that followed, Target succeeded in protecting its data breach investigatory report from production in litigation.

Following the Target decision, the tide has turned significantly regarding the production of data breach reports in litigation. These cases all tend to have similar threads: whether, and to what extent, these reports are generated for the purpose of providing legal advice or in anticipation of litigation and, most importantly, whether the company can prove either of those prongs.

Consulting Report: Business Versus Legal Purposes

Following Target, the U.S. District Court for the Eastern District of Virginia reached the opposite conclusion in In re Capital One Consumer Data Security Breach Litigation, foreshadowing a trend in favor of ordering production of such reports. No. 1:19MD2915 (AJT/JFA), 2020 WL 2731238 (E.D. Va. May 26, 2020).

In that case, Capital One had a master services agreement (MSA) and retainer with an information security consulting firm to be able to quickly respond to cybersecurity incidents. Capital One periodically entered into individual statements of work (SOWs) with the consulting firm pursuant to the MSA for various projects.

After a data breach occurred in March 2019, Capital One retained outside counsel to provide legal advice in connection with the data breach incident. Capital One, its outside counsel, and the consulting firm then entered into a letter agreement pursuant to the MSA and SOW providing that the consulting firm would provide consulting services as directed by counsel and that any reports from the consulting firm would be provided directly to outside counsel rather than to Capital One. Notably, Capital One initially designated these expenses as “business critical” expenses and not “legal” expenses, although they would later be recategorized and deducted from the legal budget.

When Capital One publicly announced the data breach, litigation quickly ensued. After the litigation began, the consulting firm prepared a report analyzing the causes of the data breach. Meanwhile, Capital One also conducted a separate internal investigation into the data breach. The consulting firm initially provided its written report to Capital One's outside counsel, which in turn provided the report to Capital One’s legal department and board of directors. The consulting report was also apparently provided to four federal regulators, an accounting firm, and an internal “corporate governance office general email” inbox.

When a discovery dispute predictably arose over the production of that report, Capital One asserted blanket objections of work-product protection and attorney-client privilege while also stating that it would produce selective documents relating to these investigations. The court disagreed with Capital One’s objections. In ordering production of the consulting firm report, the court noted Capital One’s production of the report to regulators and an accounting firm, evidencing significant regulatory and business reasons for the investigation. The court also noted that Capital One failed to establish which individuals had access to the corporate governance office general email in-box and for what purpose, as well as whether any restrictions were placed on who had access to that in-box. Lastly, the court placed significance on the fact that Capital One had an existing SOW with the consulting firm and that the SOW was not amended to reflect the scope of the new work following the data breach, with the only difference being that the report was provided directly to outside counsel before being distributed to Capital One and other parties.

Deficiencies in Two-Track Approach to Data Breach Investigation

After the Capital One case, the trend in favor of producing such reports continued. In Guo Wengui v. Clark Hill, PLC, the court similarly found that the evidence did not support efforts to withstand production of the data breach investigatory report. 338 F.R.D. 7 (D.D.C. 2021).

On Clark Hill’s work-product claim, the court applied the “but for” test for analyzing claims of the work-product doctrine, that is, whether the document would have otherwise been created without the anticipation of imminent litigation. After reviewing the evidence, the court held that Clark Hill failed to meet its burden that the document, or a substantially similar document, would not have been produced in the ordinary course of business.

Clark Hill argued that it employed a “two-track” approach involving two separate investigations into the breach: (1) one investigation by an initial consulting firm to determine the cause of the breach for business purposes and (2) one investigation by a second consulting firm for purposes of obtaining legal advice from outside counsel. Unfortunately for Clark Hill, the court determined that Clark Hill’s claim of a two-track process found little support in the record. The court noted that the sworn statements from Clark Hill did not explicitly support this claim, instead providing only an equivocal statement that the second consulting firm was not needed for “business continuity” because of the retainer of the first consulting firm. The court also cited Clark Hill’s contradictory interrogatory response, which provided that “its understanding of the progression of the September 12, 2017 cyber-incident [was] based solely on the advice of outside counsel and [the second consulting firm] retained by outside counsel,” suggesting that the first consulting firm provided no analysis to Clark Hill or outside counsel to aid in Clark Hill’s response. Id. at 11 (emphasis added by district court). This conclusion was further supported by the lack of any comparable written report or findings produced by the first consulting firm. This all reflected, according to the court, that Clark Hill retained the second consulting firm to supplant the work being performed by the first firm rather than to supplement it with another function. Finally, the court noted that the recipients of the report from the second consulting firm were evidence of the reasons for its production. Clark Hill shared the report with outside and in-house counsel, “select members of Clark Hill’s leadership and IT team,” and the FBI. Id. at 12. The court further quoted the language of a sworn statement from Clark Hill’s general counsel, which provided that the report was used to assist Clark Hill in managing “any issues” rather than those solely related to anticipated litigation.

With regard to attorney-client privilege, the court made short work of this objection. Although the attorney-client privilege generally only protects communications between an attorney and the client for the purpose of obtaining legal advice, the privilege can also protect reports of third parties, such as cybersecurity consultants, made at the request of the attorney or client. But the court nonetheless held that the privilege did not apply in this instance. The court began by noting that the attorney-client privilege is narrowly construed and does not apply if the analysis or advice is that of the third-party consultant rather than counsel. The court also distinguished the Target case, where privilege was upheld, by noting that Target had a “two-track approach” that did not exist in Clark Hill, as well as the facts that Target’s report was not shared as widely as Clark Hill’s report and that the Target report did not center on “remediation of the breach.” Id. at 14.

Scope of SOW and Anticipation of Imminent Litigation

In re Rutter's Data Security Breach Litigation involved a convenience-store chain, Rutter’s, that retained outside counsel in response to suspicious activity potentially indicating a data breach in order to determine whether the breach triggered any notification obligations. No. 1:20-CV-382, 2021 WL 3733137 (M.D. Pa. July 22, 2021). The outside counsel for Rutter’s quickly retained a cybersecurity firm, Kroll, to investigate. In connection with that investigation, the cybersecurity consultant provided Rutter’s with a written report and related communications. During the course of subsequent litigation relating to the breach, the plaintiffs learned of this investigation and sought production of the Kroll report. Rutter’s objected to the production of these documents on the basis of both work-product and attorney-client privilege.

The court overruled both of these objections. First, the court analyzed the scope of the cybersecurity firm’s SOW, which stated an overarching purpose of determining whether unauthorized activity occurred and the scope of such activity. The court cited the language of the SOW and the testimony of the corporate representative of Rutter’s as evidence that Rutter’s was not anticipating imminent litigation at the time that it requested the investigation. In addition, the report was not provided to outside counsel first, but rather directly to Rutter’s. The court then quickly dispensed with the claim of attorney-client privilege by correctly noting that attorney-client privilege does not protect disclosure of the underlying facts.

Takeaways

The decisions in Target, Capital One, Clark Hill, and Rutter’s provide important food for thought that companies should be considering before any data breach occurs, while plaintiffs’ counsel are taking note of important weaknesses in the attorney-client privilege and work-product protections. Some of the common focal points include the following:

  • Statements of work. It is good practice for companies to have existing engagements with cybersecurity consulting firms to prepare for quick data breach responses. But to establish a basis for privilege or work-product protection, the company and the consulting firm should execute additional documentation, such as a SOW addendum, stating that counsel is retaining the firm and that its investigation is confidential, the results will only be provided to counsel, and the investigation is undertaken to assist counsel in providing legal advice to the company. Companies understandably want to be prepared for data breaches by engaging consulting companies in advance and having SOWs in place to efficiently respond to such incidents if and when they occur; however, to the extent that companies have an existing SOW in place, whether the company meaningfully amends the SOW to reflect the nature and purpose of the new work can have far-reaching consequences.
  • Use of “two-track” investigations. Companies that employ a two-tiered approach to investigating data breaches—one for business purposes and one for legal purposes—stand a better chance of sustaining an objection on the basis of work product. That approach must also be well-documented, as the Clark Hill case demonstrates. Mere lip service or statements of a two-tiered approach, unsupported by other evidence, are often not enough.
  • Contents of data breach reports. It is axiomatic that although impressions of counsel and communications for the purpose of obtaining legal advice are protected by attorney-client privilege, facts are not. To the extent that facts regarding the source and/or cause of a breach are contained in a written report, the underlying facts are not privileged. And even when the work-product doctrine would otherwise apply to protect underlying facts, that protection can be overcome by a showing of substantial need or an inability to obtain the same information from other sources.
  • Sharing of data breach reports. A company’s response to a data breach often involves a variety of business functions—business, legal, cybersecurity, and governance, among others. To the extent that data breach reports are shared with different departments or individuals, whether a company documents the recipients and the purpose of sharing that information can be a determining factor in whether the report is subject to later production in litigation. The aforementioned cases demonstrate that courts will consider the extent to which a report was distributed, as well as the reason for its distribution, as one factor in considering whether a report was generated for business or legal purposes.
  • Separation of business and legal functions. The analysis often starts and ends here: what was the purpose of the report’s creation? If there are indicators that the report was created for business purposes, such as funding the report from a business as opposed to a legal budget, or sharing the report with entities (such as an accounting firm), courts will lean toward ordering production.

Conclusion

As always with litigation, the devil is in the details. Even seemingly minor details can make the difference down the road between a court sustaining or overruling a claim of attorney-client privilege or work-product protection.

    Author