This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
The Central District of California recently joined the small growing list of courts that have held forensic reports created by outside security companies following a data breach are protected from disclosure in civil litigation in certain circumstances. In the case In re Experian Data Breach Litigation, Judge Andrew J. Guilford held that a forensic report created by the security firm Mandiant at the direction of Experian’s outside counsel, Jones Day, qualified as trial preparation material (or “work product”) under Federal Rule of Civil Procedure (FRCP) 26(b)(3) and denied a motion to compel its production.
Experian is only the third case to result in a ruling addressing these important questions. While all three rulings protected forensic reports from disclosure, the analysis in each case was highly fact-dependent. Judge Guilford’s reasoning in Experian addresses several key issues not directly raised in those other cases and sheds light on several others.
The Experian Case
In September 2015, Experian discovered that an unauthorized third party had accessed one of its systems. Experian promptly retained an outside legal firm, Jones Day, to investigate and advise on the legal implications of the breach. Jones Day hired the security firm Mandiant to conduct a technical analysis of the incident.
Experian publicly announced the data breach in early October 2015. The multiple class actions that followed were consolidated for pre-trial discovery in the Central District of California. Mandiant completed its analysis at the end of October and provided its forensic report directly to Jones Day, which delivered it to Experian’s in-house counsel. The full report was not shared with Experian’s internal Incident Response Team or the employees working on remediating the breach. Experian’s in-house counsel, however, shared a redacted version of the report with the in-house counsel of co-defendant T-Mobile. T-Mobile had entered into a joint defense agreement (JDA) with Experian before Jones Day retained Mandiant.
Experian withheld Mandiant’s report in the discovery process, asserting that it was protected by both attorney-client privilege and the work-product doctrine. Plaintiffs moved to compel production of the report, arguing neither doctrine applied because Experian had independent business obligations to conduct the investigation and that it had waived both protections in any case. Judge Guilford found that the work-product doctrine protected the report from disclosure in these circumstances and therefore declined to address whether attorney-client privilege also applied.
Experian’s story is far from unusual. Companies suffered a record number of data breaches in 2016, and litigation frequently follows news of a breach for any large corporation like Experian. In spite of the growing number of data breach class actions, however, courts are still grappling with how to adapt fundamental legal concepts to the data breach context. Attorney-client privilege and work-product protection often are among the more contested issues in these cases because of the critical role that security experts such as Mandiant play both in assessing an incident and in proactively protecting a company from a breach. Judge Guilford’s order and the facts of the Experian case provide insight into steps an organization can take to help protect forensic reports from disclosure in litigation.
Prepared in Anticipation of Litigation Standard
FRCP 26(b)(3) provides the work-product standard for documents and requires that a party or its representative produce the document unless it was prepared in anticipation of litigation. The Ninth Circuit applies a “but-for” test to determine whether a document meets the in anticipation of litigation requirement. Under that test, the document does not need to be prepared exclusively for litigation to qualify for the protection, and courts do not consider whether litigation was the primary or secondary motive for its production.
The technical analysis provided by post-breach forensic reports such as Mandiant’s is useful not only for assessing potential legal risk, but also for significant operational reasons, including restoring IT functions and maintaining customer and client relationships. Whether a specific report qualifies as work product depends in large part on the extent to which an organization can argue that it was prepared specifically and primarily for use by their attorney’s and not for regular business purposes. Judge Guilford highlighted three key facts to conclude that supported Experian’s argument that the Mandiant report was intended to prepare for litigation under the Ninth Circuit’s test:
- Jones Day hired Mandiant to assist it in providing legal advice regarding the breach;
- Experian did not share the full report with its internal Incident Response Team (which presumably was involved in the internal investigation) or employees conducting remediation; and
- Mandiant’s previous work for Experian on a data breach in 2013 was sufficiently separate from this incident, even though it involved a similar analysis of Experian’s systems.
Taken together, these steps demonstrated that Mandiant’s work was primarily intended to assist Experian’s outside counsel to prepare for the inevitable litigation that would follow from the breach.
Substantial Need/Undue Burden Exception
An opposing party can obtain a document that satisfies the work-product test, or a redacted version of it, if the party demonstrates both substantial need for the information the document contains and that the party could not obtain the substantial equivalent through other means. Outside security experts frequently have extensive access to a company’s entire operational systems at a critical point in time when conducting forensic analyses of a potential breach. Much of the information collected in that process is critical for understanding how the breach occurred and what information was affected.
In many cases, it would be difficult for plaintiffs’ own expert to replicate the analysis after the fact. In Experian, Mandiant provided evidence that it relied solely on server images provided by Experian’s technical team and did not work directly on Experian’s operational networks to conduct its analysis. The court thus found that plaintiffs could replicate the analysis by requesting those same server images in discovery and that the expense of doing so was insufficient to overcome the work-product protection.
Waiver of both attorney-client and work-product protection is frequently an issue in data breach cases because the forensic report has potential value to many units within an organization and is of key strategic interest to the Board of Directors. In addition, as happened in Experian, there often are other parties with an interest in the report’s contents.
In contrast to the relatively strict confidentiality requirement under attorney-client privilege, work-product protection permits disclosure of a protected document to others with a common interest so long as that disclosure is consistent with maintaining secrecy against opposing parties. Here, the court determined that Experian had not waived the protection by providing Mandiant’s report, or portions of it, to several others, including co-defendant T-Mobile. The court cited Experian’s careful internal control of the report and the JDA Experian entered into with T-Mobile prior to retaining Mandiant as well as the careful redaction of the version shared with T-Mobile.
Comparing Target and Genesco
Only two other courts have analyzed the application of attorney-client privilege or work-product protection in the context of data breach litigation. In the first, Genesco v. Visa, the Middle District of Tennessee held that documents related to IBM’s work following a data breach at Genesco was protected from disclosure under attorney-client privilege. In a thinly reasoned order, the court cited Genesco’s general counsel’s statements in an affidavit that he retained IBM to provide consulting and technical services specifically for the purpose of providing legal advice.
While Genesco‘s ruling is significant as the first in this area, the court’s limited analysis makes it difficult to extend to other situations. The second decision, In re: Target Corporation Customer Data Security Breach Litigation, however, is more detailed and can usefully be compared with Experian to develop early guidelines in this area.
In a class action by close to 9000 banks against Target Corp. following a major credit card data breach, the District of Minnesota held that a forensic report and related documents created under the direction of in-house and outside counsel were protected from disclosure under some combination of work-product and/or attorney-client privilege. Target had retained forensic teams from Verizon to conduct a two-track investigation of the breach and sought to protect only the documents and communications created by the team assigned to assist counsel.
The court agreed that Target effectively established that the contested documents, including a forensic report by Verizon, were created specifically for the purpose of educating its attorneys so that they could provide informed legal advice. In addition to the dual-track structure, the court cited evidence that the two teams did not communicate with one another and that outside counsel was involved in retaining Verizon. The court also emphasized that it had reviewed the contested documents in camera to confirm that they were focused on providing advice to counsel, rather than on remediation of the breach or other business-related functions.
Points to Consider When Asserting Privilege and Work-Product Protection
As these three decisions illustrate, courts engage in a heavily fact-dependent analysis to decide whether attorney-client privilege and work-product protection will apply in a given case. Nonetheless, the Experian ruling, taken together with Target in particular as well as Genesco, provides some general guidelines and points to specific steps an organization can take to strengthen the argument for protection against disclosure of forensic reports and related documents in litigation:
- Ask outside counsel to retain the outside forensic firm and direct their investigation;
- Channel communication of the forensic report and all related communications through outside counsel;
- Establish a separate process for internal investigation and remediation of the incident and maintain a strict separation between that process and the counsel-directed investigation;
- Focus expert reports and related communications on assessment of the legal implications of the incident;
- Carefully and specifically identify the materials the counsel-directed investigation relies on and, to the extent possible, limit reliance to materials that could be provided to an independent expert to produce a similar report;
- Have outside counsel work directly with in-house counsel to manage communication of the outside forensic investigation and distribution of the report within the organization; and
- Where possible, limit distribution to selected portions of the report and consider redacting even those portions.