Data Protection Report - Norton Rose Fulbright

On October 23, 2015, the Federal District Court in Minnesota upheld Target’s assertion that documents produced pursuant to an internal investigation of its 2013 security incident fell within the protections of the attorney-client privilege and work-product doctrine.

The plaintiffs, a class of financial institutions, argued Target had improperly asserted privilege and work-product claims for items relating to a group called the Data Breach Task Force, which Target established in response to the data breach. The plaintiffs also contended that Target improperly asserted privilege and work-product claims for communications with and documents prepared by a forensic investigator, whom Target had retained to investigate the data breach.

Plaintiffs argued that both the communications and documents were not protected by the attorney-client privilege and the work-product doctrine “because Target would have had to investigate and fix the data breach regardless of any litigation, to appease its customers and ensure continued sales, discover its vulnerabilities, and protect itself against future breaches.”

In response, Target argued that it had established the Data Breach Task Force at the request of Target’s in-house lawyers and its retained outside counsel so that the task force could educate Target’s attorneys about aspects of the breach and counsel could provide Target with informed legal advice, and “to coordinate activities on behalf of [Target’s in-house and outside] counsel to better position the Target Law Department and outside counsel to provide legal advice to Target personnel to defend the company.”

Target further asserted that, with respect to the forensic investigation, it engaged in a “two-track investigation,” and that it had only claimed privilege and work-product protection for documents generated by the forensic investigators that Target’s outside counsel engaged to “enable counsel to provide legal advice to Target, including legal advice in anticipation of litigation and regulatory inquiries.” Target did not claim that the work conducted as a part of the separate investigation into the data breach on behalf of several credit card brands was protected under the attorney-client privilege or work-product doctrine. Target made this distinction even though it used the same forensic investigation firm to conduct each investigation.

Court’s ruling on the scope of protections afforded to breach investigations

Following an in-camera review of the documents at issue, the Federal court agreed with the retailer’s position that the attorney-client privilege and work-product doctrine barred the production of the majority of the records claimed as privileged.

The court found that Target had demonstrated “that the work of the data breach task force was focused not on remediation of the breach, as plaintiffs contend, but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.” The court further found that communications between in-house counsel and the client were privileged because they constituted communications between attorney and client that “were made for the purpose of obtaining legal advice and made in anticipation of litigation.”

The only items that were deemed outside of the protection of the attorney-client privilege and work-product doctrine were communications made to Target’s Board of Directors in the aftermath of the data breach.  The court explained that these communications were made for the purpose of “updat[ing] the Board of Directors on what Target’s business-related interests were in response to the breach,” and were not communications between an attorney and client nor were they “requests for or discussion necessary to obtain legal advice, nor include the provision of legal advice.”

Our Take

The Federal court decision underscores the importance of retaining legal counsel early on to direct an organization’s response to and forensic investigation of a data security incident.  Under this opinion, documents prepared to assist in the provision of legal advice or prepared in anticipation or contemplation of litigation will normally be privileged, even if prepared by an outside consultant or expert.  Where, however, documents or communications are prepared or made in the ordinary course of business, the privilege may not attach.

This delineation shows that hiring outside counsel to assist in a data security investigation may strengthen arguments supporting privilege. Outside counsel, like in-house counsel, is able to preserve the attorney-client privilege and work-product doctrine by retaining forensic or security experts. Although both in-house and outside counsel may take advantage of privilege protections, the use of outside counsel may enhance the probability that, following a data security incident, any documents prepared or response taken are not deemed within the ordinary course of business.
