3 LESSONS ON PRESERVING LEGAL PRIVILEGES FOLLOWING A “BREACH”
Murphy’s law guaranteed that the moment I deployed, U.S. Courts started rapidly issuing cyber law opinions. Nothing like using third world Wi-Fi to download written orders from .gov websites…
That said, a July 22, 2021, opinion from the Middle District of Pennsylvania really highlighted the need for businesses to start treating cyber like other high-risk area of liability. Indeed, 3 invaluable lessons emerge from the In Re Rutter’s Data Security Breach Litigation:
Therein, the court examined a discovery dispute regarding the production of the defendant, Rutter’s MSSP investigative report that examined a 2019 data breach. A press release from Rutter's said that the root of the breach was malware collecting data from payment cards swiped through point-of-sale (POS) devices installed inside convenience stores and at fuel pumps.
After filing a $5M+ suit for damages, Plaintiffs successfully compelled the cybersecurity consultant, Kroll Cyber Security, LLC (“Kroll”) and all related communications between Kroll and Rutter despite claims of two legal privileges: 1) Attorney-Client; and 2) Work-product doctrine.
Following the receipt of alerts from Carbon Black (EDPR software) on May 29, 2019, regarding suspicious script, Rutters hired the law firm of Baker Hostetler (“Baker”) to advise on notification obligations. Baker then hired Kroll to perform forensic analyses and investigate the origin of the breach. Likely based on the In Re Capital One data breach case, Baker, Rutter, and Kroll all believed that the reports and communications would be confidential since unlike Capital One, Rutter had its attorney retain Kroll and initially direct its work. However, the 4 material flaws in Baker and Rutter’s strategy were that Kroll and the Rutter often met privately, Rutter (not its attorney) paid Kroll directly, Kroll provided its report directly to Rutter (not Baker), and the contract with Kroll did not include necessary language.
Specifically, the work-product privilege failed because contract executed between Kroll and Rutter made clear that the investigatory report was to determine whether a breach occurred, its scope, and the sensitive information affected. The statement of work did not include any language indicating that the report was intended to prepare for potential litigation. This reasoning demonstrates a lack of understanding by the court about how close a link there is between breaches and future litigation, but still proves itself as a cautionary tale.
The court wanted to see evidence that Rutters had a “unilateral belief that litigation would result at the time it requested the Kroll Report” because “without knowing whether or not a data breach had occurred, Defendant cannot be said to have unilaterally believed that litigation would result.” It also did not help that in a corporate deposition of Rutter (the scariest discovery tool for any organization) the Rutter representative testified that the company was not “contemplating” future lawsuits. Whoops…. corporate depositions strike again!
The attorney-client privilege argument also failed. A communication may only be privileged if its primary purpose is to gain or provide legal assistance. The lawyer in the communication must be “acting as a lawyer” and not in another capacity. The Kroll contract stated that the purpose was to “collect data from Defendant’s equipment, to monitor Defendant’s equipment, to determine whether Defendant’s equipment was compromised and to what extent, and to ‘work alongside Rutter’s IT personnel to identify and remediate any potential vulnerabilities.’” And, more importantly, none of the individuals exchanging the communications were attorneys or discussing inherently legal issues.
To learn from another’s mistake, the lessons here are threefold:
1) Create a cyber incident response plan WITH AN ATTORNEY so that all those responding to the situation know who, and in which order, to call to ensure all legal remedies and privileges are preserved. If you are a liquid business with any capital or insurance, you will most likely be sued following a breach.
2) If you are breached, send out lots of internal corporate emails explaining something like the following: “With these indicators of compromise, I am concerned about facing future legal claims asserted by anyone affected by a potential data security problem. We need to contact our attorney at [NAME/PHONE NUMBER] so that he/she can retain a qualified forensic team to examine the matter, recommend future efforts, and prepare relevant data in the event of litigation or an investigation by a regulatory agency. Please also call the insurer.” Do NOT use the words “breach” or language suggesting fault of any individual employee. Do, however, ensure that the attorney hires, pays, communicates with, and draws up the contract with the forensic team. Any potential concerns about fault must be communicated over the telephone and not in written correspondence.
3) And while not a failsafe, ensure counsel is involved in meetings with the forensic team.