On July 22, 2021, a Magistrate Judge in the U.S. District Court for the Middle District of Pennsylvania (the “Court”) ordered Rutter’s, a convenience-store chain, to produce an investigative report prepared by a security consultant regarding a suspected data breach event, as well as all communications between the party and the company performing the investigation. In the ruling, Rutter’s Data Sec Breach Litig, No. 1:20-cv-000382-JEJ-KM, the Court held that the report and related communications were not protected from disclosure by the work product doctrine or the attorney-client privilege.

In striking the claim of work product protection advanced by Rutter’s counsel, the Court’s decision hinged on a few factors, including (1) the description of services in the statement of work executed between the retaining law firm and the security consultant, (2) testimony by Rutter’s 30(b)(6) designee that he was not anticipating litigation when he signed the agreement for the investigative services, and (3) a lack of evidence of the investigation report being provided to outside counsel for an assessment of legal risk prior to delivering it to Rutter’s. Without showing that the investigation was conducted because of a reasonable anticipation of litigation, Rutter’s could not establish that the work product doctrine protected the report from disclosure. The Court also held Rutter’s could not establish the investigative report, and communications between the consultant and Rutter’s, had the primary purpose of providing or obtaining legal assistance for Rutter’s, thereby denying the claim of attorney-client privilege.

The Court’s ruling underscores the need to involve outside legal counsel early, as well as clearly define the scope and purpose of any data breach investigation.