By Jennifer Oliver and Oliver Kiefer
A growing number of federal courts have held that the attorney-client privilege and work-product doctrine do not apply to forensic reports and related communications created in data breach litigation.
Many privacy professionals are already familiar with some cases holding that privilege did not apply to those reports. On July 22, yet another federal court ordered production of materials prepared in the wake of a data incident. In In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021), plaintiffs filed suit regarding a payment card breach involving the defendant’s point-of-sale (POS) devices.
According to plaintiffs, Rutter’s received two alerts detailing the execution of suspicious scripts and indications of the use of potentially compromised credentials. Rutter’s then hired outside counsel to advise Rutter’s on any potential notification obligations. In turn, outside counsel hired a third-party security firm to conduct forensic analyses on Rutter’s card environment and determine the scope of the incident.
Upon learning of the third-party investigation during a deposition, plaintiffs sought production of the third-party security firm’s written report and related communications. Rutter’s objected, citing the work product doctrine and attorney-client privilege.
Rule 26(b)(3) of the Federal Rules of Civil Procedure specifies that “for the work product doctrine to apply, the document must be prepared ‘in anticipation of litigation.’” Additionally, the Third Circuit Court of Appeals has specified that aiding in “identifiable” or “impending” litigation must have been the “primary motivating purpose behind the creation of the document.” This involves a two-step inquiry: whether (1) the party which ordered or prepared the document had a “unilateral belief” that litigation would result, and (2) the anticipation of litigation was objectively reasonable.
Applying this test in Rutter’s, the Court held that “[t]he purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred,” and therefore Rutter’s cannot be said to have unilaterally believed that litigation would ensue.
Supporting this finding, Rutter’s corporate designee testified that: (1) he was not considering the possibility of forthcoming lawsuits at the time the security firm was performing its work, and (2) the security firm “would have . . . done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed.”
The court also held that attorney-client privilege would not apply. In the Third Circuit, attorney-client privilege attaches to: (1) a communication (2) made between privileged persons (3) in confidence (4) for the purpose of obtaining or providing legal assistance for the client. A communication is privileged only if its “primary purpose” is to gain or provide legal assistance, and the privilege does not protect the communication of facts.
Here, the court rejected Rutter’s assertion of attorney-client privilege because the defendant did not meet its burden of establishing that the report and related communications had a primary purpose of providing or obtaining legal assistance. Rather, the evidence showed that the security firm was engaged to collect data, monitor IT equipment, and determine whether the IT equipment had been compromised.
This decision adds to a growing body of cases rejecting the claim that forensic reports created in the wake of data breaches should routinely be shielded from discovery on work-product or attorney-client privilege grounds. Privacy practitioners will undoubtedly continue to pay special attention to this important development.