Originally posted in National Law Review, October 28, 2015.<\/em><\/p>\n U.S. Magistrate Judge Jeffrey J.\u00a0Keyes\u00a0denied a class of\u00a0banks\u2019 motion that\u00a0Target\u00a0produce documents generated during its internal investigation\u00a0of the massive 2013 holiday season data breach.1<\/sup>\u00a0This decision highlights the need\u00a0for corporations to carefully structure their post-breach investigations in order to claim\u00a0attorney-client privilege over the investigation and any resulting documents.<\/p>\n The Court\u2019s ruling was the result of a long-standing discovery dispute between the parties\u00a0over documents created during two separate investigations conducted by Target. Target\u00a0maintained numerous entries on its privilege log relating to these documents, that Target\u00a0claimed were either attorney-client privileged or work product.2<\/sup>\u00a0The banks, which were granted class certification last month, argued that the documents\u00a0at issue could not be cloaked with privilege where Target would have had to investigate\u00a0and fix the data breach \u201cregardless of any litigation.\u201d The banks claimed that even\u00a0though the investigative probes were launched at the direction of Target\u2019s counsel,\u00a0discussions with its counsel should still be made available because they related to\u00a0Target\u2019s handling of regular business functions.\u00a0Target countered that it had essentially set up a two-tracked investigation to respond\u00a0to the breach. The first track consisted of a non-privileged investigation by Verizon on\u00a0behalf of numerous credit card companies. Its purpose was for Target to understand\u00a0and appropriately respond to the breach. The second track involved a probe by a\u00a0separate team from Verizon in conjunction with Target\u2019s internal task force.<\/p>\n Target argued that documents related to the second track were privileged. Target\u00a0claimed the second track investigation \u201cwas not involved in an ordinary-course-of business\u00a0investigation.\u201d3<\/sup>\u00a0Rather, Target asserted that the second Verizon probe was\u00a0conducted at the request of Target\u2019s internal counsel to educate Target\u2019s attorneys so\u00a0that they could provide informed legal advice with respect to the breach.4<\/sup><\/p>\n Following an in camera review of a majority of the disputed privilege log entries, Judge\u00a0Keyes struck down the banks\u2019 motion. Judge Keyes found:<\/p>\n Target demonstrated, through the declaration of [Chief Legal Officer] Timothy\u00a0Baer, that the work of the Data Breach Task Force was focused not on\u00a0remediation of the breach, as Plaintiffs contend, but on informing Target\u2019s inhouse\u00a0and outside counsel about the breach so that Target\u2019s attorneys could\u00a0provide the company with legal advice and prepare to defend the company in\u00a0litigation that was already pending and was reasonably expected to follow.5<\/sup><\/p>\n<\/blockquote>\n Judge Keyes further found that the work-product doctrine applied to two additional\u00a0entries, where the Banks did not prove a substantial need for the materials. \u201cPlaintiffs\u00a0have not demonstrated that without these work-product protected materials, they\u00a0have been deprived of any information about how the breach occurred or how Target\u00a0conducted its non-privileged or work-product protected investigation,\u201d Judge Keyes\u00a0ruled. \u201cTarget has produced documents and other tangible things, including forensic\u00a0images, from which Plaintiffs can learn how the data breach occurred and about\u00a0Target\u2019s response to the breach.\u201d6<\/sup><\/p>\n Judge Keyes\u2019s ruling included only a single exception to his sweeping denial of the\u00a0banks\u2019 request, ordering the production of several e-mail updates from Target\u2019s CEO to\u00a0its board of directors in the aftermath of the breach.<\/p>\n In responding to a data breach, organizations should structure their breach response\u00a0investigation artfully to ensure all aspects of the investigation (and the documents\u00a0created as a result) maintain the attorney-client privilege. As soon as a breach\u00a0occurs, organizations should engage legal counsel to develop a strategy to deal\u00a0with the various risks. Counsel should identify documents, as well as communicate\u00a0to employees, that each data breach investigation is meant to be legally privileged\u00a0because the investigation is in anticipation of litigation and directed by counsel.<\/p>\n\n
Practical Considerations<\/h4>\n