Norton Rose Fulbright - Data Protection Report blog

On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third-party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after the widely publicized Capital One decision, where plaintiffs were also forced to turn over a forensic report.

Work-Product Doctrine

With respect to the defendant’s work-product arguments, the court found that the doctrine did not apply. First, in the opinion of the court, the Kroll Report was not prepared with an eye toward litigation. The court wrote that the statement of work described Kroll’s services as relating to determining “whether unauthorized activity within Rutter’s systems environment resulted in the compromise of sensitive data.” The contractual language did not show that the defendant believed litigation may occur. Indeed, the court pointed out that the language in the statement of work demonstrates that when Kroll was engaged, Rutter’s was not even sure a data breach had occurred. Because Rutter’s did not know whether a breach occurred at the time Kroll was engaged, it would have been impossible to anticipate litigation. Further, Rutter’s confirmed in depositions that it was not contemplating litigation when contracting with Kroll.

Second, the Kroll Report was provided directly to Rutter’s, not to Rutter’s retained counsel. Also, Rutter’s paid Kroll directly for its work. The court highlighted Kroll’s failure to first provide the report to outside counsel. According to the decision, this fact differentiated the Kroll Report from other reports that were protected in similar cases. And, again in its corporate deposition, Rutter’s reiterated that even at the time the Kroll Report was provided, it was not contemplating litigation. Taken together, these facts were fatal to asserting that the Kroll Report was covered by the work-product doctrine.

Attorney-Client Privilege

The court also found that the Kroll Report and related communications were not protected by the attorney-client privilege. This is because both the report and communications were primarily concerned with facts, not legal advice. Again the court looked to the Kroll statement of work, which describes the services as factual in nature. According to the court, the terms between Rutter’s and Kroll state that Kroll will work with the Rutter’s IT personnel without mentioning that Kroll’s work was for the “purpose of providing or obtaining legal assistance for Defendant.” Moreover, the court avers that communications concerned with advice and tactics did not involve input from legal.

Our Take:

Here, the forensic investigation was conducted before the Capital One decision, so the lessons of Capital One were not incorporated into how Kroll was retained. Nonetheless, the case highlights that companies seeking to protect forensic reports need to take every precaution possible. This includes being upfront and clear about which parts of the investigation are intended to inform legal advice, including what, if any, written deliverables are to be produced and for what purpose. Further, where defendants seek legal advice or anticipate litigation, they should take extra precautions to appropriately incorporate outside counsel into every aspect of the investigation.

Finally, the court emphasized that Rutter’s did not know at the time of Kroll’s engagement whether a breach of personal data had occurred. This reasoning could potentially be applied in many common security breach scenarios, as a determination of data access or exfiltration is frequently unknown until the conclusion of the forensic investigation.

Practical Recommendations:

  • Engage outside counsel early in the incident response process to advise during the earliest stages of the investigation, enabling counsel, among other aspects of the investigation, to advise on the selection of and proper engagement of forensic firms and other third parties.
  • Discuss with counsel early and revisit regularly what steps should be taken to support an intention that the investigation is being conducted in anticipation of litigation. Consider whether a litigation hold should be in place, what role outside counsel should have in directing and documenting forensic tasks, and what means are best suited to communicating with the forensic firm – particularly at the outset when many more facts are known than unknown.
  • Carefully consider what to put in writing, and discuss the development of work-product and need for interim findings, summaries, internal reports, or reports intended for third parties.

Before drafting a forensic report, discuss the purpose and parameters of the report with counsel, including the structure and purpose so that the report is clearly understood to be supporting legal advice in anticipation of litigation.