On October 23, 2015, the United States District Court for the District of Minnesota, in large part, upheld Target’s assertion of the attorney-client privilege and work-product protections for information associated with a privileged, internal investigation of Target’s 2013 data breach.

The plaintiffs contended that the challenged information was not protected by the attorney-client privilege or the work-product doctrine because “Target would have had to investigate and fix the data breach regardless of any litigation, to appease its customers and ensure continued sales, discover its vulnerabilities, and protect itself against future breaches.”

Target countered that there was a two-track investigation. The first track was an ordinary-course-of-business investigation, involving, among other things, a forensic investigator’s non-privileged report for the card brands. The second track, part of which included a different team from the same forensic investigator, was created at the request of Target’s in-house lawyers and its retained outside counsel. The purpose of the second-track investigation was to educate the attorneys about aspects of the breach so that they could provide Target with informed legal advice.

Although the same forensic investigator was used for both tracks, Target explained that it only claimed privilege and work-product protections for certain information related to the second-track investigation. Target provided evidence that the forensic teams did not communicate with each other about the substance of the second-track, attorney-directed investigation.

After an in-camera inspection, the court found that the majority of the information was shielded from disclosure. The most notable findings were:

  • Communications from CEO to Board of Directors. Neither the attorney-client privilege nor work-product doctrine applied to communications made by Target’s CEO to its Board of Directors.
    • Attorney-Client Privilege. The evidence did not show that the communications: (a) involved any confidential communications between attorney and client; (b) contained requests for, or discussion necessary to obtain legal advice; or (c) included the provision of legal advice.
    • Work Product. None of the materials appeared to be provided due to reasonably anticipated litigation within the meaning of Federal Rule of Civil Procedure 26(b)(3).
  • Emails related to Data Breach Task Force. The attorney-client privilege and the work-product doctrine protected emails regarding the work of Target’s attorney-directed Data Breach Task Force. The Data Breach Task Force informed Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and reasonably anticipated.
  • Emails from in-house counsel to client. Emails between a Target in-house attorney and his clients were created for the purpose of obtaining legal advice and made in anticipation of litigation. Therefore, they were protected by both the attorney-client privilege and work-product doctrine.
  • Emails regarding breach occurrence. Certain emails regarding how the breach occurred were protected by the work-product doctrine. Moreover, the plaintiffs failed to demonstrate that, without these work-product protected materials, they would be deprived of any information about how the breach occurred or how Target conducted its investigations. The court noted that Target produced information from which the plaintiffs could learn about how the data breach occurred and about Target’s breach response.
  • Emails regarding legal advice. Certain emails were protected by the attorney-client privilege because Target demonstrated the information in those communications was transmitted for the purpose of obtaining legal advice regarding the investigation.

The court did not cite the United States Court of Appeals for the D.C. Circuit’s 2014 and 2015 opinions about the application of the attorney-client privilege and work-product protection in corporate internal investigations. Although those decisions were outside the data breach context, this most likely was due to the double-track structure of the Target investigative teams, which helped to separate information that was protected and information that was not. In any event, the D.C. Circuit has previously held that blended reasons for a corporate internal investigation do not invalidate the privilege, as long providing legal advice was a “significant purpose” of the investigation.