Can Any Data Breach Investigation Report Deserve Protection? Part III

February 14, 2024

The last two Privilege Points have described yet another losing effort to protect a data breach investigation and related communications. In Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023), the court denied the company’s privilege and work product claims — specifically rejecting its efforts to squeeze into two of the only few winning data breach investigation scenarios. In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522, 2015 U.S. Dist. LEXIS 151974 (D. Minn. Oct. 23, 2015); In re Experian Data Breach Litig., No. SACV 15-01592AG (DFMx), 2017 U.S. Dist. LEXIS 162891 (C.D. Cal. May 18, 2017).

The court found that McMenamins’ situation “more closely resembles” a decision extensively addressed in previous Privilege Points: Guo Wengui v. Clark Hill, 338 F.R.D. 7 (D.D.C. 2021). McMenamins Inc., 2023 U.S. Dist. LEXIS 217502, at *9. In that case, the Clark Hill law firm suffered a data breach, and lost its privilege and work product claim for its resulting investigation. The skeptical McMenamins court quoted the Clark Hill court’s observation that counsel’s (rather than the client’s) retention of the consultant “appears to [have been] designed to help shield the material from disclosure.” 2023 U.S. Dist. LEXIS 217502, at *9 (alteration in original) (citation omitted).

So what is a data breach victim to do? It seems unrealistic for a company to pay for two entirely separate investigations, or to deprive its internal incident response team of its consultant’s report. Perhaps victims should focus on the investigation report’s content — asking for “just the facts” without any editorial comment or needless criticism — reminding the consultant that its report almost certainly will be read by adversaries. The victim’s employees should likewise be reminded that all of their communications with such consultants are also likely to be discoverable. Facts are never privileged anyway, so a purely factual consultant report and communications between the victim and the consultant presumably would not cause the victim any additional harm by containing injurious “sound bites” an adversary might use.