CYBER: Another holding that a data breach forensics report is not privileged


By Judith A. Selby, Partner at Kennedys (New York) & Joshua Mooney, Partner at Kennedys (Philadelphia)

Since last summer, several courts have issued decisions holding that a forensics report prepared in the wake of a data breach is not privileged from discovery in subsequent data breach litigation. On July 22, 2021, a federal magistrate judge in the Middle District of Pennsylvania weighed in on the subject, holding that a forensics report was not privileged. In re Rutter’s Data Security Breach Litigation, No. 20-00382 (M.D. Pa. July 22, 2021). The facts of the case are straightforward.

In May 2019, Rutter’s received two Carbon Black Defense alerts identifying the execution of suspicious scripts and indications of potentially compromised credentials. That same day, Rutter’s retained outside breach counsel “to advise Rutter’s on any potential notification obligations.” Counsel thereafter retained Kroll Cyber Security “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.” Kroll “gathered and analyzed ‘pertinent facts,’ including forensic images and ‘virtual machine snapshots of a sample of potentially affected in-store site controllers.’” According to the decision, both Rutter’s and counsel “understood Kroll’s work to be privileged.” “Numerous” meetings took place between Kroll and Rutter’s, and Rutter’s paid Kroll directly. In the subsequent data breach litigation, plaintiffs sought both the forensics report produced by Kroll and “related communications” between Kroll and Rutter’s.

Work Product Doctrine. The magistrate judge began her analysis by noting that the work product doctrine applies to documents and tangible things prepared in anticipation of litigation or for trial by or for another party or by or for that other party's representative (including an attorney, consultant, surety, indemnitor, insurer, or agent). (Citing In re Cendant Corp. Securities Litigation, 343 F.3d 658, 662 (3d Cir. 2003).) A document is prepared in anticipation of litigation if “in light of the nature of the document and the factual situation of the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation.” Id. Aiding in “identifiable” or “impending” litigation must have been the “primary motivating purpose behind the creation of the document.” Id. Further, the party must have an objectively reasonable, “unilateral belief” that litigation will result. Id.

The magistrate concluded that it was “clear” from the retention contract between Kroll and Rutter’s that “the primary motivating purpose behind” the forensic report was not to prepare for the prospect of litigation. Examining the wording of Kroll’s statement of work (SOW), the magistrate focused on the following description:

The overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.

Id. According to the magistrate, the description “demonstrates that Defendant did not have a unilateral belief that litigation would result at the time it requested the Kroll Report,” and that the “purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred,” and not to prepare for litigation. Id. (emphasis in original).

In addition, at Rutter’s corporate deposition, its 30(b)(6) witness testified that “litigation was not contemplated at the time the Kroll Report was prepared.” Id. Instead, the deponent testified that “Kroll would have prepared – done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed six months later[.]” Id. As a result, the magistrate concluded that “it cannot be said that the ‘primary motivating factor’ behind the creation of the Kroll Report was to aid in identifiable or impending litigation.” Id. Adding further weight to the magistrate’s conclusion was that “Kroll provided its report to Defendant when it was completed and there is no evidence that it was provided first to [breach counsel].”

Attorney-Client Privilege. Noting that the attorney-client privilege applies to communications providing legal guidance and interpretations to specific facts and events, the magistrate observed that Rutter’s had not established that “the Kroll Report and related communications involved ‘presenting opinions and setting forth … tactics’ rather than discussing facts.” The court observed:

  • The SOW showed that Kroll was employed “to collect data from Defendant’s equipment, to monitor Defendant’s equipment, to determine whether Defendant’s equipment was compromised and to what extent”; and
  • Kroll’s role included working alongside Rutter’s IT personnel to identify and remediate potential vulnerabilities.

Thus, Rutter’s could not establish that “the Kroll Report and related communications between Kroll and Defendant had a primary purpose of providing or obtaining legal assistance for Defendant” in order to qualify under the attorney-client privilege.

What this case means. The reality is that it is becoming more and more difficult to convince a court in data breach litigation that a forensic report prepared in the wake of a cyberattack is privileged. And we note that the events of this matter predate the In re Capital One decision that received so much attention. Certainly, to strengthen any such argument, attention should be given to the wording of any SOW. The SOW should not be treated as just a form document. In addition, this is not the first decision we have seen where other discovery taken in the data breach litigation has undermined a subsequent privilege assertion over the forensic report.

The safest and perhaps best approach is to assume that, when a forensic report is created, a privilege claim over the report will be challenged in any subsequent litigation or enforcement action. Thus, breach counsel should work closely with the forensic investigator regarding the content of any such report, especially its scope, its wording, and its dissemination. Some items to consider when producing a report include: 

  • What is the report’s intended purpose – to decipher what happened and which data and systems, if any, have been compromised, or really to prepare for a defense against an anticipated claim?
  • Have you negotiated a new SOW, or does the SOW predate the cyberattack?
  • What does the SOW say – does its wording belie a privilege claim?
  • Who is the report’s audience? Who will see it?
  • If litigation is anticipated, should a separate report (or investigation) be prepared solely for counsel?
Posted by Judith A. Selby

Judy is a Partner at Kennedys in New York City. For more than 25 years, Judy Selby has served as a trusted advisor to insurers across a wide variety of industries. Focused primarily on insurance coverage matters, Judy represents clients in all phases of large scale, complex first and third party insurance issues. She has extensive experience handling insurance coverage trials in the U.S. and international arbitrations in London. Judy also helps clients navigate insurance due diligence in connection with mergers and acquisitions, as well as run off and adverse development cover transactions. In recent years, Judy has also expanded her practice to accommodate emerging technology risk, by focusing on matters involving cyber and data privacy. Operating at the intersection of cybersecurity and insurance coverage, she has counseled clients on cyber policy adoption, and also provided compliance advice regarding privacy and cybersecurity laws and regulations. 
