While there are no guarantees as to which communications will ultimately be protected by privilege, a company can increase its odds of creating a sphere of privilege-protected communications in the aftermath of a data breach by giving consideration to such issues in structuring its internal investigations.
Below we highlight lessons learned from the decision of the United States District Court for the District of Minnesota following the much publicized December 2013 data breach involving Target Corporation (Target).
Following its data breach, Target initiated a two-track investigation.
On one track, Target set up an ordinary course internal investigation aimed at determining how the breach occurred and how Target and the credit card brands could respond to it. A team from Version Business Network Services (Verizon) was retained to assist with this investigation.
On another track, Target’s external counsel retained a separate team at Verizon to investigate and educate external counsel about the breach so as to “enable counsel to provide legal advice to Target, including legal advice in anticipation of litigation and regulatory enquiries.” As part of this track, Target also struck a task force to assist external counsel.
Plaintiffs’ counsel sought records relating to both tracks of the investigation, arguing that everything should be producible because Target needed to undertake an investigation even if there had been no lawsuit.
THE COURT’S DECISION
Target was by and large successful. The court found that the documents relating to the second track investigation, including Verizon’s work product, were privileged. It found that these investigations were not focused on remediation of the breach, but on informing Target’s counsel about the breach so that Target’s lawyers could provide the company with legal advice and defend the company in pending litigation.
The only documents the court required to be produced were certain emails from Target’s CEO to the board of directors that provided an update on Target’s response from a business perspective.
Where a post-breach investigation involves employees, contractors or other third parties, Ontario courts are likely to consider privilege using similar factors as the court in Target. In particular, to assess whether solicitor-client privilege extends to communications between counsel and third parties, Ontario courts are likely to consider whether the third party’s role was to educate counsel and facilitate legal advice. With regards to litigation privilege, Ontario courts are likely to consider whether the communications at issue were prepared for the dominant purpose of existing or anticipated litigation, or as part of a normal course investigation.
With this in mind, a company can increase its odds of preserving a sphere of privileged communications by taking the following steps:
- Create a work stream designed specifically for the purpose of obtaining legal advice
- Have internal and external legal counsel involved in the direction and execution of that work stream
- Have third-party contractors retained by external counsel for the specific purpose of assisting in the litigation.
While taking such steps will not guarantee privilege protection, a thoughtful and deliberate work plan increases the odds.