Incident Response – Privilege and Work Product Issues After In re Premera

Despite considerable incident response work after numerous alleged data breaches, very few opinions have addressed the application of attorney-client privilege and the work-product doctrine to the materials created by such work. 

Recently, in In re Premera Blue Cross Customer Data Sec. Breach Litig., the United States District Court for the District of Oregon provided detailed analysis of the issues. The November 13, 2017 opinion concerned a class action brought against Premera after Premera’s March 17, 2015 disclosure that its computer network had been breached. The Plaintiffs alleged that the breach compromised the confidential information of approximately 11 million current and former members, affiliated members, and employees of Premera. The Plaintiffs requested an order to compel Premera to produce certain documents, described by category, that Premera had withheld on assertions of attorney-client privilege or the work-product doctrine.

The four categories of materials sought by Plaintiffs’ counsel were: (1) documents that Premera asserted incorporated the advice of counsel, but which were not prepared by or sent to counsel; (2) documents that Premera asserted were prepared at the request of counsel, but were not prepared by or sent to counsel and appear to be business documents not prepared because of litigation; (3) documents that relate to third-party vendor work on the data breach investigation and remediation; and (4) documents that Premera sent to third-parties Premera asserts are subject to the joint defense or common interest exception to the waiver of privilege by disclosure. Although all four categories and the court’s discussion of each are relevant and should be reviewed, this article focuses on the third category – the documents relating to the work done by Mandiant, a third party cybersecurity firm.

The court began by referring to the general law of attorney-client privilege and work-product doctrine applicable to all privilege disputes. Importantly, the court continued the reasoning of the United States District Court, C.D. California earlier this year, in applying the “because of” test to potential work-product materials prepared for dual purposes – litigation and any other – in the context of materials prepared following a data breach.

The third category of documents is of particular interest because it addresses, among others, documents relating to Mandiant’s work for Premera. Mandiant was hired by Premera in October 2014 to review Premera’s data management system. On January 29, 2015, Mandiant discovered the existence of malware in Premera’s system. On February 20, 2015, Premera hired outside counsel in anticipation of litigation as a result of the breach. The next day, on February 21, 2015, Premera and Mandiant entered into an amended statement of work that shifted supervision of Mandiant’s work to outside counsel. However, the amended statement of work did not otherwise change the scope of Mandiant’s work from what was described in the Master Services Agreement between Mandiant and Premera entered into on October 10, 2014.

The court found that the amended statement of work did not support that Mandiant’s focus shifted to an investigator working on behalf of outside counsel, and that the materials were not protected. In reaching its conclusion, the court differentiated two of the few relevant, prior cases. The first was In re Target Corp. Customer Data Sec. Breach Litig., 2015 WL 6777384 (D. Minn., Oct. 23, 2015). In that case, Target had dual-tracked the investigation and engaged separate teams: one to investigate the data breach generally, and the other to investigate through a company retained by counsel for the purpose of assisting the attorneys in providing legal advice and preparing for litigation. The Premera court described the distinction between the circumstances before it and those in Target:

With Premera, however, there was only one investigation, performed by Mandiant, which began at Premera’s request. When the supervisory responsibility later shifted to outside counsel, the scope of the work performed did not change. Thus, the change of supervision, by itself, is not sufficient to render all of the later communications and underlying documents privileged or immune from discovery as work product.

Similarly, the court distinguished In re Experian Data Breach Litigation, 2017 WL 4325583 (C.D. Cal., May 18, 2017). In Experian, outside counsel was hired by the company and outside counsel then hired Mandiant. However, here, Premera had already hired Mandiant, which was performing an ongoing investigation under Premera’s supervision before outside counsel became involved. The Premera court made it clear that Premera had the burden of showing that Mandiant changed the nature of its investigation, and failed to meet that burden. 

This failure to sufficiently amend the statement of work was ultimately fatal to both assertions of attorney-client privilege as well as work-product protection. The Premera court did allow that Premera could properly withhold materials that were not “dual purpose,” were prepared “for the purpose of communicating with an attorney” for legal advice, or did contain “the mental impressions of counsel prepared in anticipation of litigation.” 

This new decision and those before it collectively suggest some steps that an entity may want to consider to try to protect the work concerning its incident response. Each matter is different and the facts and applicable law of any given situation may affect whether attorney-client privilege and work product protection apply. While any entity should evaluate its own situation and consider discussing these issues with counsel, the following are among the possible topics about which to assess timing and relative merits: (1) identify and engage incident response counsel as soon as possible, working with one’s insurer depending on the type of insurance coverage that may be involved, (2) have incident response counsel retain and direct the work of other third-party service providers, (3) have engagement letters appropriately indicate what work is being requested and for what purpose, including its role in assisting counsel in providing legal advice and in anticipation of litigation, (4) consider two parallel investigations as in Target, and (5) develop a strategy about with whom, internally and externally, incident response work is discussed and shared.