Target Discovery Ruling Sheds Light on Preserving Privilege of Post-Breach Internal Investigations

Originally posted in National Law Review, October 28, 2015.

U.S. Magistrate Judge Jeffrey J. Keyes denied a motion by a class of banks seeking to have Target produce documents generated during its internal investigation of the massive 2013 holiday season data breach.1 This decision highlights the need for corporations to carefully structure their post-breach investigations in order to claim attorney-client privilege over the investigation and any resulting documents.

The Court’s ruling was the result of a long-standing discovery dispute between the parties over documents created during two separate investigations conducted by Target. Target maintained numerous entries on its privilege log relating to these documents, which Target claimed were either attorney-client privileged or work product.2 The banks, which were granted class certification last month, argued that the documents at issue could not be cloaked with privilege where Target would have had to investigate and fix the data breach “regardless of any litigation.” The banks claimed that even though the investigative probes were launched at the direction of Target’s counsel, discussions with its counsel should still be made available because they related to Target’s handling of regular business functions. Target countered that it had essentially set up a two-track investigation to respond to the breach. The first track consisted of a non-privileged investigation by Verizon on behalf of numerous credit card companies. Its purpose was for Target to understand and appropriately respond to the breach. The second track involved a probe by a separate team from Verizon in conjunction with Target’s internal task force.

Target argued that documents related to the second track were privileged. Target claimed the second track investigation “was not involved in an ordinary-course-of business investigation.”3 Rather, Target asserted that the second Verizon probe was conducted at the request of Target’s internal counsel to educate Target’s attorneys so that they could provide informed legal advice with respect to the breach.4

Following an in camera review of a majority of the disputed privilege log entries, Judge Keyes denied the banks’ motion. Judge Keyes found:

Target demonstrated, through the declaration of [Chief Legal Officer] Timothy Baer, that the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target’s inhouse and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow.5

Judge Keyes further found that the work-product doctrine applied to two additional entries, where the banks did not prove a substantial need for the materials. “Plaintiffs have not demonstrated that without these work-product protected materials, they have been deprived of any information about how the breach occurred or how Target conducted its non-privileged or work-product protected investigation,” Judge Keyes ruled. “Target has produced documents and other tangible things, including forensic images, from which Plaintiffs can learn how the data breach occurred and about Target’s response to the breach.”6

Judge Keyes’s ruling included only a single exception to his sweeping denial of the banks’ request, ordering the production of several e-mail updates from Target’s CEO to its board of directors in the aftermath of the breach.

Practical Considerations

In responding to a data breach, organizations should structure their breach response investigation artfully to ensure all aspects of the investigation (and the documents created as a result) maintain the attorney-client privilege. As soon as a breach occurs, organizations should engage legal counsel to develop a strategy to deal with the various risks. Counsel should identify in documents, as well as communicate to employees, that each data breach investigation is meant to be legally privileged because the investigation is in anticipation of litigation and directed by counsel.