A federal judge has ruled that because an investigative report commissioned by Pennsylvania-based convenience store chain Rutter’s in response to a data security breach was not prepared for litigation purposes, it is discoverable.

In a July 22 ruling granting the class action plaintiffs’ motion to compel the document, U.S. Magistrate Chief Judge Karoline Mehalchick of the Middle District of Pennsylvania held that the report done by consultant Kroll Cyber Security for Rutter’s was not covered by attorney-client and work product privilege.