In a decision issued late last Friday, the United States District Court for the District of Minnesota rejected an effort by class action Plaintiffs to access materials created in the course of Target’s investigation of its 2013 payment card breach that Target claimed were protected by the attorney-client privilege and work product doctrine.
Plaintiffs, a class of financial institutions, asserted that Target improperly asserted attorney-client privilege and work-product claims over documents relating to the “Data Breach Task Force,” which Target established in response to the data breach in 2013 that resulted in as many as 40,000,000 payment cards being stolen by hackers. Plaintiffs also challenged claims of privilege and work-product for communications with and documents prepared by Verizon, which was retained by Target to investigate the data breach. Plaintiffs argued that these communications and documents were not protected by the attorney-client privilege and the work-product doctrine because “Target would have had to investigate and fix the data breach regardless of any litigation, to appease its customers and ensure continued sales, discover its vulnerabilities, and protect itself against future breaches.”
With the exception of a limited number of documents that reflected updates provided by Target’s CEO to its Board of Directors, and which the court found were not provided in anticipation of litigation, the court rejected Plaintiffs’ claims. The court appears to have adopted Target’s argument that Target established the Data Breach Task Force at the request of Target’s in-house lawyers and its outside counsel so that the task force could educate Target’s attorneys about aspects of the breach and counsel could provide Target with informed legal advice.
To support that argument, Target’s Chief Legal Officer submitted a declaration stating that shortly after discovering the possibility that a data breach had occurred, Target retained outside counsel to obtain legal advice about the breach and its possible legal ramifications. Once Target publicly announced the breach and it became clear that Target would face numerous class action lawsuits, the Data Breach Task Force was charged “to coordinate activities on behalf of [Target’s in-house and outside] counsel to better position the Target Law Department and outside counsel to provide legal advice to Target personnel to defend the company.”
With respect to the Verizon documents, Target stated that it used a two-track approach to the retention of experts. Target’s outside counsel engaged Verizon Business Network Services to conduct a technical investigation in order to “enable counsel to provide legal advice to Target, including legal advice in anticipation of litigation and regulatory inquiries.” Meanwhile, another team from Verizon also conducted a separate non-privileged investigation into the data breach on behalf of several credit card brands so that the brands and Target could learn how the breach happened. This two-tracked approach meant that the work done by the Task Force and Verizon at the behest of Target’s counsel was protected by the privilege and by the work product doctrine.
Although the Target court does not explicitly state so, it appears to follow the “substantial purpose” version of the “primary purpose” test used by the court in In re Kellogg Brown & Root, Inc., 756 F. 3d 754 (D.C. Cir. 2014) to determine the applicability of the privilege. In that case the D.C. Circuit stated that “the primary purpose test, sensibly and properly applied, cannot and does not draw a rigid distinction between a legal purpose on one hand and a business purpose on the other.” As long as “obtaining or providing legal advice was one of the significant purposes of the internal investigation” the privilege applies even if other purposes exist. For more information about this test, see our article in Corporate Compliance Insights, Protecting the Attorney-Client Privilege in Investigations: Lessons from General Motors and Kellogg Brown & Root.
The decision in Target, read together with the KBR case, highlights the need for careful legal planning in advance of data breach incidents. In each case, the company was able to maintain the privilege over a significant part of its data breach investigation because it had considered the long term implications of a data breach investigation. Key to this was the use of outside counsel, a factor explicitly recognized in KBR as justifying maintenance of the privilege and recounted in Target as part of the explanation for the two-track system which was upheld by the court. Also important to confidentiality was the retention of outside experts by outside counsel, which appears to have been a major consideration of the court in Target. Finally in both cases, the company had given significant advance thought to how to structure the investigation to preserve privilege and moved quickly from the first report of breach to conduct their investigation under privilege.