CYBER: Another holding that a data breach forensics report is not privileged


By Judith A. Selby, Partner at Kennedys (New York) & Joshua Mooney, Partner at Kennedys (Philadelphia)

Since last summer, several courts have issued decisions holding that a forensics report prepared in the wake of a data breach is not privileged from discovery in subsequent data breach litigation. On July 22, 2021, the Pennsylvania federal district court magistrate judge (middle district) weighed in on the subject, holding that a forensics report was not privileged. In re Rutter’s Data Security Breach Litigation, No. 20-00382 (M.D. Pa. July 22, 2021). The facts of the case are straightforward.

In May 2019, Rutter’s received two Carbon Black Defense alerts identifying the execution of suspicious scripts and indications of potentially compromised credentials. That same day, Rutter’s retained outside breach counsel “to advise Rutter’s on any potential notification obligations.” Counsel thereafter retained Kroll Cyber Security “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.” Kroll “gathered and analyzed ‘pertinent facts,’ including forensic images and ‘virtual machine snapshots of a sample of potentially affected in-store site controllers.’”. According to the decision, both Rutter’s and counsel “understood Kroll’s work to be privileged.” “Numerous” meetings took place between Kroll and Rutter’s, and Rutter’s paid Kroll directly. In the subsequent data breach litigation, plaintiffs sought both the forensics report produced by Kroll and “related communications” between Kroll and Rutter’s.

Work Product Doctrine. The magistrate judge began her analysis by noting that the work product doctrine applies to documents and tangible things prepared in anticipation of litigation or for trial by or for another party or by or for that other party's representative (including an attorney, consultant, surety, indemnitor, insurer, or agent). (Citing In re Cendent Corp. Securities Litigation, 343 F.3d 658, 662 (3d Cir. 2003).) A document is prepared in anticipation of litigation if “in light of the nature of the document and the factual situation of the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation.” Id. Aiding in “identifiable” or “impending” litigation must have been the “primary motivating purpose behind the creation of the document.” Id. Further, the party must have an objectively reasonable, “unilateral belief” that litigation will result. Id.

The magistrate concluded that it was “clear” from the retention contract between Kroll and Rutter’s that “the primary motivating purpose behind” the forensic report was not to prepare for the prospect of litigation. Examining the wording of Kroll’s statement of work (SOW), the magistrate focused on the following description:

The overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.

Id. According to the magistrate, the description “demonstrates that Defendant did not have a unilateral belief that litigation would result at the time it requested the Kroll Report,” and that the “purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred,” and not to prepare for litigation. Id. (emphasis in original).

In addition, to Rutter’s corporate deposition, its 30(b)(6) witness testified that “litigation was not contemplated at the time the Kroll Report was prepared.” Id. Instead, the deponent testified that “Kroll would have prepared – done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed six months later[.]” Id. As a result, the magistrate concluded that “it cannot be said that the ‘primary motivating factor’ behind the creation of the Kroll Report was to aid in identifiable or impending litigation.” Id. Adding further weight to the magistrate’s conclusion was that “Kroll provided its report to Defendant when it was completed and there is no evidence that it was provided first to [breach counsel].”

Attorney-Client Privilege. Noting that the attorney-client privilege applies to communications providing legal guidance and interpretations to specific facts and events, the magistrate observed that Rutter’s had not established that “the Kroll Report and related communications involved ‘presenting opinions and setting forth … tactics’ rather than discussing facts.” The court observed:

  • The SOW showed that Kroll was employed “to collect data from Defendant’s equipment, to monitor Defendant’s equipment, to determine whether Defendant’s equipment was compromised and to what extent; and
  • Kroll’s role included to work alongside Rutter’s IT personnel to identify and remediate potential vulnerabilities.

Thus, Rutter’s could not establish that “the Kroll Report and related communications between Kroll and Defendant had a primary purpose of providing or obtaining legal assistance for Defendant” in order to qualify under the attorney-client privilege.

What this case means. The reality is that it is becoming more and more difficult to convince a court in data breach litigation that a forensic report prepared in the wake of a cyberattack is privileged. And we note that the event of this matter predates the In re Capital One decision that received so much attention. Certainly, to strengthen any such argument, attention should be given to the wording of any SOW. The SOW should be treated not just as a form document. In addition, this is not the first decision we have seen where other discovery taken in the data breach litigation has undermined a subsequent privilege assertion over the forensic report. 

The safest and perhaps best approach is to assume that, when a forensic report is created, a privilege claim over the report will be challenged in any subsequent litigation or enforcement action. Thus, breach counsel should work closely with the forensic investigator regarding the content of any such report, especially its scope, its wording, and its dissemination. Some items to consider when producing a report include: 

  • What is the report’s intended purpose – to decipher what happened and which data and systems, if any, have been compromised, or really to prepare for a defense against an anticipated claim?
  • Have you negotiated a new SOW, or does the SOW predate the cyberattack?
  • What does the SOW say – does its wording belie a privilege claim?
  • Who is the report’s audience? Who will see it?
  • If litigation is anticipated, should a separate report (or investigation) be prepared solely for counsel?
Share this Post:
Posted by Judith A. Selby

Judy is a Partner at Kennedys in New York City. For more than 25 years, Judy Selby has served as a trusted advisor to insurers across a wide variety of industries. Focused primarily on insurance coverage matters, Judy represents clients in all phases of large scale, complex first and third party insurance issues. She has extensive experience handling insurance coverage trials in the U.S. and international arbitrations in London. Judy also helps clients navigate insurance due diligence in connection with mergers and acquisitions, as well as run off and adverse development cover transactions. In recent years, Judy has also expanded her practice to accommodate emerging technology risk, by focusing on matters involving cyber and data privacy. Operating at the intersection of cybersecurity and insurance coverage, she has counseled clients on cyber policy adoption, and also provided compliance advice regarding privacy and cybersecurity laws and regulations. 

Posted by Joshua Mooney


ad ad

Related articles

Ryan Specialty Appoints to Its Board of Directors Anthony J. Kuczinski, Former President & CEO of Munich Re US

Ryan Specialty Holdings, Inc. (NYSE: RYAN), a leading international specialty insurance firm, announced that Anthony J. Kuczinski has been appointed to its Board of Directors and will serve as a member...

Ryan Specialty Appoints Thomas Nash President of CorRisk Solutions

Ryan Specialty announced effective December 1, 2023 the appointment of Thomas Nash as President of CorRisk Solutions (CorRisk), the wholesale distribution professional liability managing general underwriter,...

In memoriam: Florin Andrreescu

Source: XPrimm Florin ANDREESCU, a seasoned professional in the insurance industry, has left an indelible mark on the sector through his dedicated career spanning several decades. His journey, marked...

Trade Credit Insurance payouts up 23% to protect UK businesses against bad debts

Insurance payouts to help businesses survive bad debts rose by 23% in the first half of the year, to their highest first half yearly figure since 2018 according to figures out today from the Association...

Insurance prices continue to stabilise as the US cyber market records second quarterly decrease since the second half of 2018

London, 1 November, 2023 – Global commercial insurance prices increased 3% in the third quarter of 2023, the same as the prior quarter, according to the Global Insurance Market Index released...

Aon announces new Asia Pacific COO

Aon has named Citibank Asia Pacific executive Jeff Plein as its new Asia Pacific COO.  The appointment follows Bill Hooper’s move to the position of Global COO of Commercial Risk...