A recent decision from a federal court in Pennsylvania highlights the importance of a carefully crafted statement of work (“SOW”) when commissioning an investigative report in response to a data security breach. A convenience store chain learned this lesson the hard way when it was ordered to produce to plaintiffs’ counsel a report it commissioned from a cybersecurity consultant to determine the scope of a data breach. The store — which is the defendant in a class action stemming from a 2019 malware attack that compromised customer information — argued that the report was protected from discovery under the attorney-client privilege and/or work product doctrine because the consultant was hired by counsel. The defendant had engaged that counsel for advice on any notification obligations flowing from the attack.

In granting the plaintiffs’ motion to compel, the court examined the SOW attendant to the report to determine whether it was commissioned in anticipation of litigation, i.e., whether the prospect of litigation was a motivating factor in requesting the report. The court found nothing in the SOW signaling a belief that litigation was on the horizon, and a corporate designee for the chain testified to the same effect during a deposition.

Further, the court found that the report was factual — rather than tactical — in nature, taking it out from under the umbrella of attorney-client privilege. “The SOW shows that [the consultant] was employed to collect data from defendant’s equipment, to monitor defendant’s equipment, to determine whether defendant’s equipment was compromised and to what extent, and to ‘work alongside [the defendant’s] IT personnel to identify and remediate any potential vulnerabilities,’” the court’s opinion notes.

The bottom line for the court was this: The SOW made clear that the report was commissioned to determine whether a breach had occurred, and if so, the extent of the breach. And unless and until a breach had been established, the defendant had no reason to think it would be sued. Therefore, the report was unprotected and discoverable. While the extent to which this decision is followed by other courts remains to be seen, it gives companies one more thing to think about in the wake of a data breach.

The case is In re Rutter’s Data Sec. Breach Litigation, Civ. A. No. 1:20-CV-382 (M.D. Pa. July 22, 2021). A copy of the court’s opinion can be found here.