Data Breach Forensic Investigation Report Is Not Privileged Information, Court Rules


A Magistrate Judge in the U.S. District Court for the Middle District of Pennsylvania has ordered Rutter’s, a convenience-store chain, to produce an investigative report prepared by a security consultant regarding a suspected data breach event, as well as all communications between the party and the company performing the investigation.

In the July 2021 rulingRutter’s Data Sec Breach Litig, No. 1:20-cv-000382-JEJ-KM, the Court held that the report and related communications were not protected from disclosure by the work product doctrine or the attorney-client privilege.

In striking the claim of work product protection advanced by Rutter’s counsel, the Court’s decision hinged on a few factors, including:

  1. The description of services in the statement of work executed between the retaining law firm and the security consultant;
  2. testimony by Rutter’s 30(b)(6) designee that he was not anticipating litigation when he signed the agreement for the investigative services; and
  3. a lack of evidence of the investigation report being provided to outside counsel for an assessment of legal risk prior to delivering it to Rutter’s.

Without showing that the investigation was conducted because of a reasonable anticipation of litigation, Rutter’s could not establish that the work product doctrine protected the report from disclosure. The Court also held Rutter’s could not establish the investigative report, and communications between the consultant and Rutter’s, had the primary purpose of providing or obtaining legal assistance for Rutter’s, thereby denying the claim of attorney-client privilege.

The Court’s ruling underscores the need to involve outside legal counsel early, as well as clearly define the scope and purpose of any data breach investigation.

Note: This is at least the second court ruling that found forensic reports are not privileged, Indeed, A U.S. Magistrate Judge in 2020 ordered Capital One Financial Corp. to disclose a forensic report to the plaintiffs in a lawsuit stemming from Capital One’s 2019 data breach. In doing so, the Judge rejected Capital One’s argument that the report is protected from disclosure to the plaintiffs by the work product doctrine.

Blog courtesy of Hunton Andrews Kurth, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service. Read the company’s privacy blog here.