One might think that any company reasonably anticipates litigation after suffering a data breach, so the work product doctrine would almost inevitably protect its data breach investigation. But only a handful of companies have succeeded in claiming such protection.
In In re Rutter's Data Security Breach Litigation, Civ. A. No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (M.D. Pa. July 22, 2021), data breach victim Rutter's learned of a possible data breach on May 29, 2019. Later that same day, it hired BakerHostetler "to advise [it] on any potential notification obligations." Id. at *3 (internal citation omitted). The next day BakerHostetler hired consultant Kroll "to conduct forensic analyses on Rutter's card environment and determine the character and scope of the incident." Id. (internal citation omitted). But Rutter's still lost its work product claim. The court pointed to Kroll's scope of work — which was "to determine whether unauthorized activity . . . resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred." Id. at *6 (emphases added) (internal citation omitted). The court noted Kroll's corporate designee's testimony that "he was unaware of anyone else at Rutter's contemplating such lawsuits." Id. at *7. Finally, the court emphasized that "Kroll provided its report to Defendant when it was completed and there was no evidence that it was provided first to BakerHostetler." Id. at *8. The court similarly rejected Rutter's attorney-client privilege claim, noting that Kroll's scope of work made "no mention of attorney involvement" in the investigation, which resulted in a report that "did not include legal input." Id. at *12-13.
Perhaps there is nothing a company can do to assure work product or privilege protection for such data breach investigations. But this most recent losing effort should at least help companies avoid these fatal facts.