Following in the footsteps of the Eastern District of Virginia’s Capital One decision last year and the District of D.C.’s Clark Hill decision earlier this year, the Eastern District of Pennsylvania has just ordered the production of a data breach forensic report and related communications.  In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021).  The Rutter’s decision is a reminder that although courts had generally found such documents protected by the attorney-client privilege and/or work product doctrine, the tide may be changing.

On May 29, 2019, Rutter’s received two security alerts which detailed “the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  The same day, Rutter’s engaged outside counsel to advise on its potential notification obligations.  Outside counsel then engaged a forensic investigator to perform an analysis to determine the character and scope of the incident.  The parties all assumed that the investigation, including its ultimate report and the communications made in furtherance thereof, would be protected by the attorney-client privilege and/or the work product doctrine.  The plaintiffs moved to compel, and the federal magistrate judge granted the motion.

With respect to the work product doctrine, the Court explained that the doctrine only applies where impending litigation is the “primary motivating purpose behind the creation of the document.”  The Court then held that it was clear from the contract that “the primary motivating purpose” behind the forensic investigation was not to prepare for the prospect of litigation—it was to determine whether data was compromised, and the scope of such compromise if it occurred.  The Court also relied on the testimony of Rutter’s corporate designee and the fact that outside counsel did not receive the report before Rutter’s.  Based on these facts, the Court held that the work product doctrine did not apply.

With respect to the attorney-client privilege, the Court explained that a “communication may only be privileged if its primary purpose is to gain or provide legal assistance.”  The Court further explained that for privilege to apply, the attorney must be “acting as a lawyer,” meaning that the lawyer “must guide future conduct by interpreting and applying legal principles to specific facts.”  The Court emphasized that privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.  Based on that law, the Court found that Rutter’s had not demonstrated that the forensic report and related communications involved “presenting opinions and setting forth . . . tactics rather than discussing facts.”  Specifically, the Court noted that only one portion of the forensic vendor’s services was not inherently factual—working with Rutter’s IT personnel to identify and remediate potential vulnerabilities, which the Court found was not providing legal advice.

The Rutter’s opinion casts further doubt on whether courts will extend protection over data breach forensic investigation reports and communications.  However, like the Capital One and Clark Hill cases, the Rutter’s opinion leaves open the possibility for protection if certain facts occur—some of which companies and outside counsel can control to a degree.  Accordingly, although confusion and chaos can be pervasive at the beginning stages of a data breach, companies and outside counsel should take steps to build a record that may help them secure privilege down the road.