Last year’s decision in In re: Capital One Customer Data Security Breach Litigation, E.D. Va., No. 1:19-md-02915, and the decision earlier this year in Guo Wengui v. Clark Hill, PLC, et al., 2021 WL 106417 (D.D.C. 2021), drew widespread attention for their holdings, compelling the disclosure of a post-security incident report prepared by a forensic consultant. The decisions departed from other courts, which have protected reports from disclosure based on either the attorney-client privilege or the attorney work product doctrine. Last week, a decision from the U.S. District Court for the Middle District of Pennsylvania (authored by Chief Magistrate Judge Karoline Mehalchick) joined Capital One and Guo Wengui in rejecting a company’s argument that “an investigative report which was created after Defendant was notified of a potential data breach” was protected from disclosure by either the attorney-client privilege or the attorney work product doctrine. In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (M.D. Pa. July 22, 2021).
The court rejected the work product argument after concluding that Rutter’s did not anticipate litigation when Rutter’s engaged Kroll Cyber Security, LLC to conduct an investigation and prepare a report. The court based its conclusion on the fact that Kroll’s Statement of Work provided, “‘The overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.’” Id. at *6. Because Rutter’s did not even know if data had been compromised, the court noted, Rutter’s could not have “unilaterally believed that litigation would result.” Id. at *7 (emphasis in original).
While one could easily envision how a company could anticipate litigation even without being certain that data was compromised (litigation is often filed without evidence of compromise or exfiltration), the court cited deposition testimony supporting its reading of the SOW. Apparently, the Rule 30(b)(6) witness for Rutter’s (who also signed the Kroll agreement) “testified that he was not ‘contemplating’ forthcoming lawsuits as a result of the data breach at the time Kroll was performing its work and that he was unaware of anyone else at Rutter’s contemplating such lawsuits,” and that Kroll would have conducted “‘its incident response investigation regardless of whether or not lawsuits were filed six months later.’” Id. For the court, that proved that litigation could not have been the “‘primary motivating factor’” behind the Kroll report, the test the court applied for whether material qualified as work product. Id. at *5, 8. The court also noted that, unlike other circumstances in which reports have been protected (citing the Experian data breach litigation), the investigation report was not provided first to Rutter’s outside counsel and the report’s legal nature was not supported by declarations. Id. at *5.
The court was also unpersuaded that Kroll’s report contained any attorney-client privileged information. Finding that only legal advice or communications, not facts, are covered by the privilege, the court held that Kroll’s report merely discussed facts, not “‘opinions and … tactics.’” Id. at *11-12. Again, the SOW guided the court: the court quoted its description of services to show that Kroll was hired “to collect data from Defendant’s equipment, to monitor Defendant’s equipment, to determine whether Defendant’s equipment was compromised and to what extent, and to ‘work alongside Rutter’s IT personnel to identify and remediate any potential vulnerabilities.’” Id. at *12.
Although the court did not cite either the Capital One or Guo Wengui decisions, the court’s decision adds to the growing number of courts expressing skepticism about claims of attorney-client privilege or work product protection over incident response reports. And while the Magistrate Judge’s decision is subject to further review—and the facts in Rutter’s are unique in many respects—the decision reinforces our previous advice about the circumstances in and mechanisms by which to engage incident response providers to maximize the chances of protecting incident response reports. You can find our previous advice (see our June 2020 and February 2021 client alerts), and you can view our webinar describing the steps we recommend you take to maximize the case for attorney-client privilege and work product protection in this context.