October 23, 2015, Magistrate Judge Jeffrey J. Keyes of the United States District Court for the District of Minnesota determined that the attorney-client privilege and the work-product doctrine shielded from disclosure certain communications with and documents created by a forensic computer consultant. In 2013, Target suffered a data breach.  Once it discovered the breach, Target conducted a two-track investigation.  On the first track, the company conducted a non-privileged, ordinary course of business investigation.  Target retained a team from Verizon Business Network Services Inc. (“PFI Verizon”) to conduct that investigation.  On the second track, Target’s in-house and outside counsel (together, “counsel”) retained a separate team from Verizon (“Privileged Verizon”) to investigate the breach and help counsel provide legal advice to Target.  Additionally, on the second track, Target formed a Data Breach Task Force (“Task Force”) to coordinate activities performed at counsel’s direction and educate Target’s lawyers about the breach.  Target lawyers and non-lawyers were on the Task Force.

The Court’s order resolved a motion to compel filed by plaintiffs that compose a financial institution class (“Plaintiffs”) in the underlying class action lawsuit against Target.  Plaintiffs filed the motion because Target refused to produce communications and documents associated with Target’s Task Force and the purported privileged investigation that Privileged Verizon conducted.  Target refused to produce those materials because, in its opinion, the materials fell within the protection of the attorney-client privilege, the work-product doctrine, or both.  Plaintiffs’ countered that the communications and documents associated with the Task Force and Privileged Verizon’s forensic investigation were created in the ordinary course of business, and such materials cannot be shielded by the attorney-client privilege or the work-product doctrine.

The Court granted in part and denied in part Plaintiffs’ motion to compel.  The Court ordered Target to produce e-mails sent by the chief executive officer to the board of directors that “merely update[d] the . . . [board] on what Target’s business-related interests were in response to the breach.”  According to the Court, the attorney-client privilege did not protect those communications because they did not (1) “involve any confidential communications between attorney and client,” (2) “contain requests for or discussion necessary to obtain legal advice,” or (3) “include the provision of legal advice.”  Additionally, the work-product doctrine did not attach to those e-mails because “[n]one of Target’s declarations demonstrate[d] that th[e] [b]oard of [d]irectors update was provided because of any anticipation of litigation within the meaning of Fed. R. Civ. P. 26(b)(3).”  Aside from ordering Target to produce those e-mails, the Court denied the remainder of Plaintiffs’ motion.

The Court denied Plaintiffs’ motion with regard to certain Task Force e-mails.  The Court concluded that the attorney-client privilege and the work-product doctrine shielded one set of e-mails because Target had demonstrated that remediating the breach was not the Task Force’s focus.  Instead, Target persuaded the Court that the Task Force’s focus was educating Target’s in-house and outside counsel about the breach such that Target’s lawyers would be better equipped to give the company legal advice about pending litigation and anticipated litigation.  Additionally, the Court determined that the work-product doctrine shielded another set of documents because Plaintiffs failed to demonstrate that without the materials, they would “have been deprived of any information about how the breach occurred or how Target conducted its non-privileged or work-product protected investigation.”  According to the Court, Target had produced various materials, such as forensic computer images, which would allow Plaintiffs to determine how the breach happened and what Target’s response was.  The Court’s order, therefore, contributed to the nascent—but growing—body of case law that addresses whether the attorney-client privilege and the work-product doctrine can shield from disclosure communications with and documents created by forensic computer consultants hired by counsel in response to a data breach.

A copy of the Court’s order is available by clicking here.