Privilege Dwindles for Data Breach Reports

Data privacy lawyers and cyber security incident response professionals are losing sleep over the growing number of federal courts ordering disclosure of post-data breach forensic reports. Following the decisions in Capital One and Clark Hill, another district court has recently ordered the defendant in a data breach litigation to turn over the forensic report it believed was protected under the attorney-client privilege and work product doctrines. These three decisions underscore that maintaining privilege over forensic reports may come down to the thinnest of margins—something organizations should keep in mind given the ever-increasing risk of litigation that can follow a cybersecurity incident.

In May 2019, convenience store and gas station chain Rutter’s received two alerts signaling a possible breach of its internal systems. The same day, Rutter’s hired outside counsel to advise on potential breach notification obligations. Outside counsel immediately hired a forensic investigator to perform an analysis to determine the character and scope of the incident. Once litigation ensued, Rutter’s withheld the forensic report from production on the basis of the attorney-client privilege and work product doctrines. Rutter’s argued that both it and outside counsel understood the report to be privileged because it was made in anticipation of litigation. The Court rejected this notion.

With respect to the work product doctrine, the Court stated that the doctrine only applies where identifiable or impending litigation is the “primary motivating purpose” of creating the document. The Court found that the forensic report, in this case, was not prepared for the prospect of litigation. The Court relied on the forensic investigator’s statement of work which stated that the purpose of the investigation was to “determine whether unauthorized activity . . . resulted in the compromise of sensitive data.” The Court decided that because Rutter’s did not know whether a breach had even occurred when the forensic investigator was engaged, it could not have unilaterally believed that litigation would result.

The Court was also unpersuaded by the attorney-client privilege argument. Because the forensic report only discussed facts and did not involve “opinions and tactics,” the Court held that the report and related communications were not protected by the attorney-client privilege. The Court emphasized that the attorney-client privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.

The Rutter’s decision comes on the heels of the Capital One and Clark Hill rulings, which both held that the defendants failed to show that the forensic reports were prepared solely in anticipation of litigation. In Capital One, the company hired outside counsel to manage the cybersecurity vendor’s investigation after the breach; however, the company already had a longstanding relationship and pre-existing agreement with the vendor. The Court found that the vendor’s services and the terms of its new agreement were essentially the same both before and after outside counsel’s involvement. The Court also relied on the fact that the forensic report was eventually shared with Capital One’s internal response team, demonstrating that the report was created for various business purposes.

In response to the data breach in the Clark Hill case, the company hired a vendor to investigate and remediate the systems after the attack. The company also hired outside counsel, who in turn hired a second cybersecurity vendor to assist with litigation stemming from the attack. During the litigation, the company refused to turn over the forensic report prepared by outside counsel’s vendor. The Court rejected this “two-track” approach, finding that the outside counsel’s vendor report had not been prepared exclusively for use in preparation for litigation. As in Capital One, the Court found, among other things, that the forensic report was shared not only with inside and outside counsel, but also with employees inside the company, IT, and the FBI.

As these cases demonstrate, the legal landscape around responding to security incidents has become filled with traps for the unwary. A coordinated response led by outside counsel is key to mitigating a data breach and ensuring the lines are not blurred between “ordinary course of business” factual reports and incident reports that are prepared for litigation purposes.

© 2021 Bracewell LLP

For more articles on cybersecurity, visit the NLR Communications, Media, Internet, and Privacy Law News section.

Countdown to TransUnion—How Will SCOTUS Come Out on Key Standing Issues for Data Privacy Litigations?

Data privacy litigators have their eye on the Supreme Court going into the end of the month as we wait for the Court’s opinion in Ramirez v. TransUnion. And when the decision is issued, CPW will be there in real time to fill you in. In the meantime, below is a refresher of the facts and issues raised in Ramirez, and why it is a must-watch decision for the end of the Supreme Court’s current term.

As readers of CPW already know, Article III limits federal court jurisdiction to actual “cases or controversies.” U.S. Const. Art. III, § 2. The Supreme Court has held that standing “is an essential and unchanging part of the case-or-controversy requirement of Article III.” This includes the following three elements, which constitute the “irreducible constitutional minimum of standing”:

First, the plaintiff must have suffered an “injury in fact”—an invasion of a legally protected interest which is (a) concrete and particularized … and (b) actual or imminent, not conjectural or hypothetical … Second, there must be a causal connection between the injury and the conduct complained of … Third, it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.

As relevant for Ramirez, in 2016, the Supreme Court decided Spokeo, Inc. v. Robins, 136 S. Ct. 1540. In Spokeo, the Court affirmed that a plaintiff cannot “allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.” (emphasis added). The Supreme Court’s analysis emphasized that “[a] ‘concrete’ injury must be ‘de facto’; that is, it must actually exist.” Id. (emphasis in original).

Which brings us to Ramirez. The plaintiff alleged that he had difficulty obtaining credit, was embarrassed in front of family members, and canceled a vacation after a car dealer received a credit report indicating that his name matched a name on a government “terrorist list” of persons with whom U.S. businesses may not transact. In response, Ramirez filed a class action alleging three violations of the Fair Credit Reporting Act (“FCRA”), two concerning the mode of providing consumers with a copy of their own credit file and one concerning the procedural requirements for furnishing an accurate credit report.

Ramirez sought to represent a class of thousands of individuals, the vast majority of whom (more than 75%) never had a credit report disseminated to any third party, let alone suffered a denial of credit or other injury anything like what he experienced. The trial court nonetheless let the class proceed on the theory that the absent class members all suffered an Article III injury and that the vast differences between the experiences of the named plaintiff and the class he purported to represent were immaterial. Ramirez ultimately obtained a multi-million dollar jury verdict against the credit reporting agency TransUnion for falsely flagging him and more than 8,100 other people as terrorists.

The Supreme Court granted cert for the question: “Whether either Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered.” (emphasis added). TransUnion argued in its opening brief that Ramirez’s class definition includes individuals who suffered no injury because they never had a credit report disseminated to a third party with incorrect or misleading information. TransUnion further asserted that simply alleging an FCRA violation and claiming statutory damages does not itself confer Article III standing.

At oral argument earlier this year, several members of the Court expressed skepticism about Ramirez’s standing argument if carried to its logical conclusion. [For Kristin Bryan’s real-time coverage of that oral argument, check it out here.] However, at this point it is an open question whether the Court will rule in a way that curtails the availability of Article III standing in data privacy litigations going forward. Suffice it to say, depending on how the Court rules, the case could have a major impact on litigations brought under various federal and state data privacy statutes (not only the FCRA but also the Telephone Consumer Protection Act and the Illinois Biometric Information Privacy Act, among others) and on data event litigations, where Article III standing is a frequently litigated issue.

© Copyright 2021 Squire Patton Boggs (US) LLP

For more articles on SCOTUS, visit the NLR Litigation / Trial Practice section.