District Court (Pa.) Says Cybersecurity Consultant’s Report Post-Data Breach Is Not Protected by Privilege

In In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220, at *2 (M.D. Pa. July 22, 2021), Judge Mahalchick ordered production of an investigative report from a cybersecurity consultant prepared in response to a data breach.

Now before the Court is a discovery dispute regarding the production of an investigative report which was created after Defendant was notified of a potential data breach. (Plaintiffs’ Letter, June 15, 2021; Defendant’s Letter, June 15, 2021). Plaintiffs request an order compelling the production of “an investigative report created in response to the data breach by a third-party cybersecurity consultant—Kroll Cyber Security, LLC (“Kroll”)—and any related communications between Kroll and Defendant…” (Plaintiffs’ Letter, June 15, 2021) (“Plfs’ 6/15 Letter”). Defendant asserts that this material is protected by both the work product doctrine and the attorney-client privilege. (Defendant’s Letter, June 15, 2021) (“Def’s 6/15 Letter”).

The District Court found no work product protection because the work was not done “in anticipation of litigation”.

It is clear from the contract between Kroll and Defendant that the primary motivating purpose behind the Kroll Report was not to prepare for the prospect of litigation. Included in the contract is a “statement of work” (SOW) which includes a description of services. (Def’s 6/15 Letter, at 14). The following is included in the “Description of Services” section of the SOW: “The overall purpose of this investigation will be to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.” (Def’s 6/15 Letter, at 14). This language demonstrates that Defendant did not have a unilateral belief that litigation would result at the time it requested the Kroll Report. See Martin, 983 F.2d at 1260. The purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred. (Def’s 6/15 Letter, at 14). Without knowing whether or not a data breach had occurred, [*7] Defendant cannot be said to have unilaterally believed that litigation would result. (Def’s 6/15 Letter, at 14); see Martin, 983 F.2d at 1260.  Furthermore, in its corporate deposition, Defendant stated that litigation was not contemplated at the time the Kroll Report was prepared. (Plfs’ 6/15 Letter, at 17). Rutter’s’ corporate designee, Bernard Frazer, is the individual who signed the agreement with Kroll to perform the investigation at issue and write the Kroll Report. (Def’s 6/15 Letter, at 9-16; Plfs’ 6/15 Letter, at 1). Frazer testified that he was not “contemplating” forthcoming lawsuits as a result of the data breach at the time Kroll was performing its work and that he was unaware of anyone else at Rutter’s contemplating such lawsuits. (Plfs’ 6/15 Letter, at 17). According to Defendant, “Kroll would have prepared — done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed six months later[.]” (Plfs’ 6/15 Letter, at 17-18). As such, it cannot be said that the “primary motivating factor” behind the creation of the Kroll Report was to aid in identifiable or impending litigation. See Rockwell Intern., 897 F.2d at 1266 (holding that for the work product doctrine to apply, litigation [*8] must have been the “primary motivating purpose behind the creation of the document”); Leonen, 135 F.R.D. at 97 (D.N.J. 1990) (holding that there must have ben an identifiable specific claim or impending litigation when the materials were prepared). . . . For the foregoing reasons, production of the Kroll Report and related communication between Kroll and Defendant are not precluded by the work-product doctrine.

The District Court also found that no attorney-client privilege attached.

Here, Defendant does not establish that the Kroll Report and related communications involved “presenting opinions and setting forth … tactics” rather than discussing facts. See Fidelity & Guar. Co., 809 F.Supp. at 364. The SOW shows that Kroll was employed to collect data from Defendant’s equipment, to monitor Defendant’s equipment, to determine whether Defendant’s equipment was compromised and to what extent, and to “work alongside Rutter’s IT personnel to identify and remediate any potential vulnerabilities.” (Def’s 6/15 Letter, at 14). Only one portion of this description of services is not inherently factual: Kroll’s role in working with Rutter’s IT personnel to identify and remediate potential vulnerabilities. (Def’s 6/15 Letter, at 14). However, this service cannot be deemed to be gaining or providing legal assistance, as neither Kroll nor Rutter’s IT personnel are professionals in the field of law and this service involves those two entities working alongside each other with no mention of attorney involvement. (Def’s 6/15 Letter, at 14); see Kramer, 1992 U.S. Dist. LEXIS 7418, 1992 WL 122856, at *1.  For the foregoing reasons, Defendant does not carry its burden of establishing that the Kroll Report and related communications between Kroll and Defendant had a primary purpose of providing or obtaining legal assistance for Defendant. See Teleglobe, 493 F.3d at 359. The record shows that the report and communications were either factual in nature or, where advice and tactics were involved, did not include legal input. (Def’s 6/15 Letter, at 14); see Teleglobe, 493 F.3d at 359. The attorney-client privilege does not apply to the Kroll Report and related communications between Kroll and Defendant.