Companies that think they may have suffered a data security incident should involve their legal advisers as early as possible in the response and investigation process to avoid suffering the same fate as Rutter’s convenience stores, which was ordered to turn over a data breach report to opposing lawyers.
The decision came with a July 22 ruling by U.S. Magistrate Judge Karoline Mehalchick, who said the report – authored by consultancy firm Kroll Cyber Security, LLC – could not be shielded from discovery, as Rutter’s attempts to fend off a lawsuit filed by customers who were financially affected by the 2018-19 breach. How that ruling impacts the ultimate outcome of the lawsuit remains to be seen, but legal experts point to lessons for companies on how to approach incident response, even before they have confirmed that an incident has occurred.
“If Rutter’s, their outside counsel and outside cybersecurity firm did not carefully establish a three-way relationship and carefully curate the investigation and communications under the auspices of the outside counsel, then they did not set themselves up for the strongest defense of the attorney-client privilege and work product doctrine,” said Aloke Chakravarty, partner at Snell & Wilmer and co-chair of the law firm’s Investigations, Government Enforcement and White Collar Protection practice group.
Nuances of privilege
Mehalchick said that privilege does not apply to the specific report in question because there was no evidence that Rutter’s or its law firm ordered the third-party investigation with any reasonable or obvious expectation of a future lawsuit.
Indeed, the judge noted that Kroll’s statement of work said that the purpose of the probe would be “to determine whether unauthorized activity within the Rutter’s systems environment resulted in the compromise of sensitive data, and to determine the scope of such a compromise if it occurred.” In other words, it was not yet clear if there had been a malicious breach for which the York, Pennsylvania-based retail and gas chain could potentially be found responsible and liable.
“This language demonstrates that Defendant did not have a unilateral belief that litigation would result at the time it requested the Kroll Report,” Mehalchick wrote in her ruling.
Tim Shields, a partner with law firm Kelley Kronenberg, agreed with the judge’s perception that the contractual scope of work did not explicitly cite litigation as a factor, but he expressed apprehension that the ruling “will discourage behavior we should encourage. For example, will a future in-house counsel warn against doing a cyber investigation/remediation for the fear the report will be used against the company in litigation?”
Chakravarty also said he was concerned about the ruling’s “very dangerous implications,” opining that the decision “threatens to undermine a fundamental tool which corporate clients rely upon to thoroughly investigate indications of compromise while preserving the attorney client privilege and attorney work product doctrines.”
It’s common sense that Rutter’s law firm brought in Kroll to “mitigate legal risk,” he added. With that said, however, “it is possible that sufficient evidence of that wasn’t offered,” especially since the judge relied heavily on the SOW, which neither spelled out those intentions nor dictated that counsel was overseeing the investigation.
Indeed, the judge’s ruling is simply the latest in a string of data breach cases in which the written language of the SOW won out over a broader interpretation of why the investigation was being conducted in the first place.
Call your lawyer... early
According to the experts, businesses and their legal teams will need to adjust to this trend and take steps to further protect their forensic analysis reports from discovery.
“The decision reminds cyber incident responders that structuring an incident response and maintaining the formalities of working in a legal investigation is critical,” said Chakravarty. For that reason, one of a breached company’s first calls should be to its lawyers to get them involved and establish privilege as soon as possible, he added.
Even if a potential data security incident is only suspected and not yet confirmed, there is likely little harm in operating under the premise that a lawsuit could happen. And if a breach has been proven, even if it’s a mild one, then it’s especially important to adopt this line of thinking.
“For the last two years, unless the breach was pegged to be very small — a small amount of PII (…less than 50,000 pieces of PII) in question or low dollar amounts in question (less than $100,000) — I always anticipate litigation,” said Paul Ferrillo, partner at Seyfarth Shaw LLP. “Data breaches are very public. Data breach notifications to… state AGs are public, and plaintiffs watch the notifications looking for low-hanging fruit.”
While Chakravarty believes Judge Mehalchick’s ruling was “too narrow to properly give weight to the important attorney-client protections at issue here,” he also acknowledged that the defendant team may have suffered some self-inflicted damage in how the data forensic investigation was contracted and executed.
For that reason, businesses should be crystal-clear about the nature and purpose of the work being conducted by any third-party investigatory firm. Ferrillo said that because the Rutter’s SOW did not appear to accomplish that, the breach report was interpreted by the judge as “business as usual,” or “any old investigation driven by the company rather than the lawyers.”
Moreover, a company’s legal team should be overseeing the breach investigation process.
“The SOW and processes should have been run exclusively through counsel,” stated Shields. “Another option for counsel was to work through a series of SOWs with the vendor to segment the investigation to minimize discoverable work product. Then counsel could provide summaries and mental impressions to the client which would likely be covered under attorney-client privilege.”
According to Chakravarty, legal counsel should normally take charge of such responsibilities as discussing legal risks, assessing the probability of litigation, handling any administrative or regulatory proceedings, providing advisory services, determining whether a third-party forensics partner should be brought in and covered by privilege, and drafting an explicitly written SOW.
Meanwhile, the contractual investigatory firm must also do its part by ensuring that “substantive communications should not occur without curation by counsel,” Chakravarty continued. Additionally, “non-lawyer incident responders should be trained and attuned to steps that are necessary to protect the privilege.”
“Going forward, companies who suspect a cyber incident should take conspicuous and consistent steps to establish and preserve the attorney-client privilege and work product doctrine throughout their investigation of the incident,” Chakravarty concluded. “Remaining vigilant to protect these tools, in contractual documents, communications, the direction and control of the investigation, reporting on the investigation and the legal advice to the client is absolutely critical” to avoid the situation Rutter’s now finds itself in.