In a significant ruling addressing the scope of the attorney-client privilege and work product doctrine in a data breach case, a Federal judge in Oregon ordered Premera Blue Cross, the Washington-based healthcare services provider, to produce a broad swath of post-breach remediation documents that were initially withheld based on privilege and work product assertions. The 12-page ruling was released in late October by U.S. District Judge Michael H. Simon and means that members of a putative class action will now see draft press releases, customer notices, and even investigatory documents created by an outside forensics firm hired by the company.

Background

The case – In re Premera Blue Cross Customer Data Securities Breach Litigation, No. 3:15-md-2633-SI, 2017 U.S. Dist. LEXIS 178762 (D. Or. Oct. 27, 2017) – involved a cyber-attack in 2014 on Premera’s network that, a putative class has alleged, resulted in the compromise of financial and medical records of 11 million customers. Plaintiffs claim that the breached information included names, dates of birth, social security numbers, health insurance identification numbers, mailing addresses, telephone numbers, email addresses, medical claims information and financial information. The class complaint charges that the breach started in May 2014 and went undetected for nearly a year.

Premera initially withheld from production to the class plaintiffs a variety of documents created in response to the data breach. Among them were draft and final versions of public relations releases, customer correspondence, and forensic reports Premera’s employees and contractors created as part of their breach response. Premera argued the documents belonged in the three categories, each requiring attorney-client or work-product protection under a different theory:

  • Drafts of documents incorporating advice of counsel, i.e. documents Premera’s counsel had written or edited.
  • Documents Premera’s counsel had requested other, non-legal personnel create.
  • Reports issued by a forensic investigator under the supervision of Premera’s outside counsel.

The Court Concludes Breach Response Documents Serve a Business Purpose

The court stated that whether documents are protected by the attorney-client privilege or workproduct doctrine depends on the documents’ purpose. Documents prepared for obtaining legal advice or in anticipation of litigation are protected from disclosure. Documents prepared for a purpose other than, or in addition to, obtaining legal advice generally are not. As to the first two categories of breach response documents – those incorporating advice of counsel and those created at counsel’s request – the court concluded they had been created for a business, rather than legal, purpose. Premera had been required to prepare the documents in response to the data breach, which the court described as a business function. In the court’s view, the company simply had not created the documents to obtain legal advice or in anticipation of litigation.

The court, however, noted that “[t]here may be some documents ... that contain protected attorneyclient communications, such as drafts that include edits or redlines by an attorney communicating legal advice … [and] need not be disclosed.” Further, the court said, “if there are documents for which the primary purpose was to prepare for litigation, to advise counsel of underlying facts to help with counsel’s legal representation, or otherwise to communicate with counsel for the purpose of receiving legal advice or representation, those documents would be protected under the attorney-client privilege.”

The Court Concludes the Forensic Investigator’s Reports Serve a Business Purpose

The court also found the forensic investigator’s reports to be business related. Premera initially hired the forensic investigator to review its “data management system.” After the investigator found malware in Premera’s system, Premera hired outside counsel and executed an amended statement of work with the investigator, specifying that the investigator would report to – and take direction from – outside counsel. The court rejected Premera’s argument that once outside counsel began supervising the investigator, the investigator’s work product was privileged and protected as such. The court reasoned that the amended statement of work merely transferred supervision of the investigator to outside counsel. Significantly, it did not change or redefine the investigator’s scope of work. Thus, according to the court, under the amended statement of work, the investigator continued with the same business-related scope of work Premera initially hired it to perform. In its analysis, the court distinguished two of the leading data breach privilege cases, In re Experian Data Breach Litigation, No. SACV 15-01592 AG (DFMx), 2017 U.S. Dist. LEXIS 162891 (C.D. Cal. May 18, 2017) and In re Target Corp. Customer Data Securities Breach Litigation, MDL No. 14-2522 (PAM/JJK), 2015 U.S. Dist. LEXIS 151974 (D. Minn. Oct. 23, 2015). Experian did not control because in that case, outside counsel – not the company – had hired the forensic investigator. Target did not apply because Target produced its data breach investigation materials in discovery and Target’s outside counsel had hired a forensic investigator to conduct a separate investigation for the purpose of providing legal advice. We have written about the attorney-client privilege in data breach cases on our Data Security Law Blog. Please click here to read our most recent post on this topic.

Conclusion

The Premera ruling is a cautionary tale with regard to the application of the attorney-client privilege and work-product doctrine in data breach cases. While the decision does not break new ground, it underscores the complexities and fact-specific nature of asserting the privilege in data breach litigation, especially when materials serve purposes other than those related to legal advice and when forensic investigators are not retained and directed by external counsel.