In the most recent object lesson in a data breach privilege case, a federal appeals court has ordered a Michigan-based mortgage lender to turn over privileged forensic investigatory documents after the investigator’s conclusions were revealed in discovery.

Background. In the case, Leibovic v. United Shore Financial Services, LLC, et al., No. 17-2290, the plaintiff applied for a mortgage through United Shore Financial Services, LLC, a nationwide mortgage lender. In turn, United Shore processed and stored loan documentation with BlitzDocs, a computer software program provided by co-defendant Xerox Mortgage Services, or XMS.

In a putative class action, plaintiff claims that his personal information was stolen when a foreign “criminal enterprise gained unauthorized access to United Shore’s files” and used his information to create phony credit cards and checks. United Shore has defended the case by pushing back and blaming its vendor, XMS.

In an interrogatory response, United Shore said that it retained a forensic firm – through counsel – to investigate the breach, and that the firm had concluded XMS’s action caused the intrusions. The interrogatory response stated that its forensic investigator determined that “certain files stored in XMS’s … system had been accessed without authorization … in plain violation of established security protocols.” United Shore disclosed more than 150 non-privileged documents concerning the investigation, but it withheld additional documents based on the attorney-client privilege.

District Court Ruling. XMS moved to compel United Shore to produce the privileged documents, arguing that it implicitly waived the attorney-client privilege by referencing its investigator’s conclusions in its discovery response.

The district court agreed. It concluded that United Shore not only disclosed that its investigator “conducted an investigation ... [but] also provided ... conclusions from that investigation.”

United Shore’s response “went beyond providing factual information regarding the existence of the investigation … [and] included details regarding Navigant’s conclusions,” wrote the court. “This exceeded the scope of the interrogatory and – as XMS contends – United Shore fails to explain ‘why the conclusions of a supposedly privileged investigation commissioned by counsel would not themselves be privileged.’”

Sixth Circuit. In a writ of mandamus, United Shore argued that there was no implicit waiver of the privilege because the interrogatory sought only factual information. United Shore also argued that the lower court ruling would “chill or inhibit communications between counsel and agents retained to investigate and resolve data breaches.”

In a two-page order, the three-judge panel of the U.S. Court of Appeals for the Sixth Circuit rebuked United Shore’s attempt “to prove a defense by disclosing or describing the attorney-client communications. Once waived, the privilege is waived with respect to all communications involving the same subject matter.”

“‘Litigants cannot hide behind the privilege if they are relying on privileged communications to make their case’ or, more simply, cannot use the privilege as a ‘shield and a sword.’”

The Sixth Circuit’s ruling – another reminder of the risks in data breach investigations – comes a month after a federal judge in Oregon ordered Premera Blue Cross, the Washington-based health care services provider, to produce a broad swath of post-breach remediation documents that were initially withheld based on privilege and work product concerns. For more on the Premera case, see our article here.