Can Any Data Breach Investigation Report Deserve Protection? Part I

January 31, 2024

Companies and even law firms suffer data breaches, and usually claim privilege and work product protection for the inevitable resulting investigation. Unfortunately, courts seem to have rejected such protection claims in all but a few cases. Most of the other data breach victims have tried to emulate two of the winners, but have failed.

In Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023), defendant suffered a ransomware attack, triggering a lawsuit by current and former employees claiming that their personal data had been breached. McMenamins retained the Stoel Rives law firm to represent it. That firm in turn hired Stroz Friedberg to “provide consulting and technical services” that the law firm claimed it needed to provide legal advice to its client McMenamins. Id. at *2. McMenamins asserted privilege and work product protection for the Stroz Friedberg report. The court flatly rejected McMenamins’ privilege claim, bluntly stating that “the report does not provide legal advice.” Id. at *12. The court also rejected the privilege claim for communications between McMenamins and Stroz Friedberg personnel — noting that “neither [Stroz Friedberg’s] engagement letter nor the scope of work identifies any work by Stroz Friedberg related to the provision of legal advice.” Id. at *13. The court explained that “[t]he evidence demonstrates Stroz Friedberg was providing a business service, by seeking and providing factual information to McMenamins and their counsel,” which did not become protected “merely because an attorney was copied.” Id. at *13-14.

The court also rejected McMenamins’ work product claim. Next week’s Privilege Point will address that other losing argument.