Another holding that a data breach forensics report is not privileged

Since last summer, several courts have issued decisions holding that a forensics report prepared in the wake of a data breach is not privileged from discovery in subsequent data breach litigation. Late last week, on July 22, 2021, a federal magistrate judge in the Middle District of Pennsylvania weighed in on the subject, holding that a forensics report was not privileged. In re Rutter’s Data Security Breach Litigation, No. 20-00382 (M.D. Pa. July 22, 2021). The facts of the case are straightforward.

In May 2019, Rutter’s received two Carbon Black Defense alerts identifying the execution of suspicious scripts and indications of potentially compromised credentials. That same day, Rutter’s retained outside breach counsel “to advise Rutter’s on any potential notification obligations.” Counsel thereafter retained Kroll Cyber Security “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.” Kroll “gathered and analyzed ‘pertinent facts,’ including forensic images and ‘virtual machine snapshots of a sample of potentially affected in-store site controllers.’” According to the decision, both Rutter’s and counsel “understood Kroll’s work to be privileged.” “Numerous” meetings took place between Kroll and Rutter’s, and Rutter’s paid Kroll directly. In the subsequent data breach litigation, plaintiffs sought both the forensics report produced by Kroll and “related communications” between Kroll and Rutter’s.

Work Product Doctrine. The magistrate judge began her analysis by noting that the work product doctrine applies to documents and tangible things prepared in anticipation of litigation or for trial by or for another party or by or for that other party's representative (including an attorney, consultant, surety, indemnitor, insurer, or agent). (Citing In re Cendant Corp. Securities Litigation, 343 F.3d 658, 662 (3d Cir. 2003).) A document is prepared in anticipation of litigation if “in light of the nature of the document and the factual situation of the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation.” Id. Aiding in “identifiable” or “impending” litigation must have been the “primary motivating purpose behind the creation of the document.” Id. Further, the party must have an objectively reasonable, “unilateral belief” that litigation will result. Id.

The magistrate concluded that it was “clear” from the retention contract between Kroll and Rutter’s that “the primary motivating purpose behind” the forensic report was not to prepare for the prospect of litigation. Examining the wording of Kroll’s statement of work (SOW), the magistrate focused on the following description:

The overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.

Id. According to the magistrate, the description “demonstrates that Defendant did not have a unilateral belief that litigation would result at the time it requested the Kroll Report,” and that the “purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred,” and not to prepare for litigation. Id. (emphasis in original).

In addition, at Rutter’s corporate deposition, its 30(b)(6) witness testified that “litigation was not contemplated at the time the Kroll Report was prepared.” Id. Instead, the deponent testified that “Kroll would have prepared – done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed six months later[.]” Id. As a result, the magistrate concluded that “it cannot be said that the ‘primary motivating factor’ behind the creation of the Kroll Report was to aid in identifiable or impending litigation.” Id. Adding further weight to the magistrate’s conclusion was that “Kroll provided its report to Defendant when it was completed and there is no evidence that it was provided first to [breach counsel].”

Attorney-Client Privilege. Noting that the attorney-client privilege applies to communications providing legal guidance and interpretations to specific facts and events, the magistrate observed that Rutter’s had not established that “the Kroll Report and related communications involved ‘presenting opinions and setting forth … tactics’ rather than discussing facts.” The court observed:

  • The SOW showed that Kroll was employed “to collect data from Defendant’s equipment, to monitor Defendant’s equipment, to determine whether Defendant’s equipment was compromised and to what extent”; and
  • Kroll’s role included working alongside Rutter’s IT personnel to identify and remediate potential vulnerabilities.

Thus, Rutter’s could not establish that “the Kroll Report and related communications between Kroll and Defendant had a primary purpose of providing or obtaining legal assistance for Defendant” in order to qualify under the attorney-client privilege.

What this case means. The reality is that it is becoming more and more difficult to convince a court in data breach litigation that a forensic report prepared in the wake of a cyberattack is privileged. And we note that the events of this matter predate the In re Capital One decision that received so much attention. Certainly, to strengthen any such argument, attention should be given to the wording of any SOW. The SOW should be treated not just as a form document. In addition, this is not the first decision we have seen where other discovery taken in the data breach litigation has undermined a subsequent privilege assertion over the forensic report.

The safest and perhaps best approach is to assume that, when a forensic report is created, a privilege claim over the report will be challenged in any subsequent litigation or enforcement action. Thus, breach counsel should work closely with the forensic investigator regarding the content of any such report, especially its scope, its wording, and its dissemination. Some items to consider when producing a report include: 

  • What is the report’s intended purpose – to decipher what happened and which data and systems, if any, have been compromised, or really to prepare for a defense against an anticipated claim?
  • Have you negotiated a new SOW, or does the SOW predate the cyberattack?
  • What does the SOW say – does its wording belie a privilege claim?
  • Who is the report’s audience? Who will see it?
  • If litigation is anticipated, should a separate report (or investigation) be prepared solely for counsel?