The Minnesota magistrate judge presiding over discovery in the litigation seeking to hold Target Corp. liable for the retailer’s 2013 data breach issued an order denying the motion by a plaintiff class of about 9,000 banks to compel production of certain documents relating to Target’s internal investigation that were withheld on privilege grounds.
The banks argued that Target could not avoid disclosure of the details of its investigation conducted by a “Data Breach Task Force” (DBTF) under the attorney-client privilege or work product doctrine, because the investigation of the breach and the planning process for remediation constitute regular business functions. The banks claimed that Target’s use of outside counsel to direct the DBTF did not transform factual communications into requests for legal advice. Rather, the plaintiffs argued that those communications were “regular” business discussions Target would have conducted “regardless of any litigation, to appease its customers and ensure continued sales, discover its vulnerabilities, and protect itself against future breaches.”
Additionally, the banks argued that even if the work product doctrine did apply, production was appropriate because they made “a showing of ‘substantial need and an inability to secure the substantial equivalent of the items through alternate means without undue hardship.’” (citing Pittman v. Frazer, 129 F.3d 983, 988 (8th Cir. 1997)). The banks explained that they had attempted to obtain the allegedly privileged information through depositions, but Target’s counsel objected on privilege grounds.
In response, Target argued that the banks’ complaint acknowledged the extraordinary nature of the breach, and, therefore, the banks’ claims that the DBTF was conducting “regular” business functions or “ordinary work” were untrue.
Target further argued that in accordance with applicable Eighth Circuit law (citing Simon v. G.D. Searle & Co., 816 F.2d 397, 404 (8th Cir. 1987)) and In re Kellogg Brown & Root, Inc., 756 F.3d 754 (D.C. Cir. 2014), communications are privileged even if they serve a business purpose, so long as one of the “significant purposes of the internal investigation” was to obtain or provide legal advice, or so long as mixed business and legal communications “‘impliedly’ request legal advice regarding business decisions.” Applying these principles, Target argued that the communications were privileged because the DBTF “facilitated Counsel’s investigation and provision of legal advice.” With respect to the DBTF’s communications with a third-party consultant, Verizon Business Network Services, Target asserted those communication were protected because they were essential to counsel’s understanding of the complex technical issues involved – necessary details for providing legal advice. Finally, Target argued that the banks had not shown substantial need in light of the substantial discovery produced so far.
On October 23, 2015, Magistrate Judge Jeffrey Keyes issued an order largely denying the banks’ motion. Judge Keyes explained that Target effectively established that the purpose of the DBTF, including retaining Verizon, was to educate its lawyers so that they could provide legal advice.
As a result, documents relating to the DBTF were privileged. Judge Keyes did, however, find that email communications from Target’s chief executive officer providing updates to the board of directors in the aftermath of the data breach were improperly redacted on the basis of privilege, as they “merely update the Board of Directors on what Target’s business-related interests were in response to the breach” and did not relate to legal advice, nor did they constitute work product.
With respect to certain documents that constituted work product, Judge Keyes determined that the banks had not demonstrated substantial need or undue hardship.
The reasoning Judge Keyes employed and the detailed record presented by Target to establish the legal nature of the DBTF provide valuable insight for organizations conducting internal investigations. Specifically, structuring and documenting the legal nature of an investigation are critical in establishing and protecting attorney-client confidentiality, and the mental impressions reflected in work product.
The case is In re Target Corporation Customer Data Security Breach Litigation, No. 0:14-md-02522 (D. Minn.).