A federal judge has rejected class action plaintiffs' efforts to access materials created in the course of Target's investigation of its infamous 2013 data breach, deeming many documents protected by the attorney-client privilege or work product doctrine.  The decision, issued by the United States District Court for the District of Minnesota, signals the importance of engaging legal counsel at the outset of any data breach and utilizing counsel at all stages of the investigative work.

The court's order resolved a motion to compel filed by a plaintiff class of financial institutions.  The motion argued that entries on Target's privilege log relating to the forensic investigations conducted by Target following discovery of the data breach were documents created in the ordinary course of business, and therefore, the materials cannot be shielded by the attorney-client privilege or the work-product doctrine.

In response, Target asserted that its investigation involved educating its lawyers about the breach for the purpose of obtaining legal advice.  In fact, Target intentionally maintained a "two-track" investigation.  The first track focused on an ordinary-course-of-business forensic investigation for the purpose of creating a non-privileged report for the card brands implicated by the massive credit card hack. The second track engaged a separate team from Verizon Business Network Services, Inc. – the forensic investigator engaged by Target – and that team informed Target's in-house and outside counsel about the breach, enabling counsel to provide legal advice to Target in anticipation of litigation and regulatory inquiries. Additionally, as a part of the second track, Target formed a Data Breach Task Force, including lawyers and non-lawyers, to coordinate response activities performed at counsel’s direction.  Target argued that it only claimed privilege for information related to the second track.

The court looked favorably upon a declaration provided by Target's Chief Legal Officer explaining that Target retained outside counsel to obtain legal advice about the breach and the possible ramifications, and relied upon declarations explaining the two-track system.

The court found that the majority of the information at issue was shielded from disclosure by the attorney-client privilege, but ultimately granted in part and denied in part Plaintiffs’ motion to compel. 

The court ordered Target to produce e-mails sent by the chief executive officer to the board of directors that “merely update[d] the . . . [board] on what Target’s business-related interests were in response to the breach.”  The attorney-client privilege did not protect those communications because they did not (1) “involve any confidential communications between attorney and client,” (2) “contain requests for or discussion necessary to obtain legal advice,” or (3) “include the provision of legal advice.”  Additionally, the work-product doctrine did not attach to those e-mails because “[n]one of Target’s declarations demonstrate[d] that th[e] [b]oard of [d]irectors update was provided because of any anticipation of litigation within the meaning of Fed. R. Civ. P. 26(b)(3).” 

The court's order shields Target's emails, including those related to the Data Breach Task Force.  The court also found that emails regarding the breach occurrence were protected by the work-product doctrine.  Certain emails between a Target in-house attorney and his clients made for the purpose of obtaining legal advice and in anticipation of litigation were also protected by the attorney-client privilege and work-product doctrine.

As evidenced by recent high-profile data breaches and subsequent class action lawsuits brought against the organization by consumers, financial institutions, and insurance providers, the timing of an organization's engagement of outside counsel can have a profound impact on controlling disclosure of post-breach confusion and investigation communications.  Organizations experiencing a data breach face a large number of state requirements for responding to a breach, including informing consumers and state agencies.  Organizations may also have to report information related to the breach to vendors due to contractual agreements or other third parties.  As affirmed by the court's order, engaging outside counsel increases the chances that your organization's response will not be disclosed in litigation, government investigations, or other inquiries.

Counsel may best be used to increase the chances of protecting documents and communications related to a possible or actual data breach if your organization:

  • Engages counsel immediately upon discovery of a possible data breach;
  • Permits outside counsel to engage a forensic investigator (or permits counsel to be listed on the engagement agreement);
  • Permits outside counsel to engage any other outside experts (or permits counsel to be listed on the engagement agreement);
  • Permits counsel to advise your organization on the type of investigation needed;
  • Permits the forensic investigator to work at the direction of counsel;
  • Labels as privileged any investigatory materials prepared for the purpose of educating counsel so counsel can impart legal advice;
  • Uses appropriate Upjohn warnings to assure that interview subjects know that the interviews are being conducted to help the company obtain legal advice and that they are privileged and confidential;
  • Employs two tracks of investigation – one track for the purpose of developing a non-privileged report and the second track for the purpose of educating counsel in anticipation of litigation;
  • Permits counsel to send communications regarding the data breach or its investigation to the Board of Directors;
  • Documents the need to obtain legal advice in all communications regarding the data breach and copies counsel;
  • Engages counsel to direct the assessment of cyber readiness, and documents the legal purpose of the assessment, such as to obtain an understanding of areas of potential liability.

Order: In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522, October 23, 2015.