A recent decision in the Target litigation over a data security breach that occurred during the 2013 holiday season has reaffirmed the validity of the well-established practice of conducting two- track investigations after a data security breach.
Two-track investigations permit a company to conduct a swift, non-privileged investigation of how a data breach occurred, while pursuing, with a different team, a separate privileged investigation to assist in-house and outside counsel to provide legal advice to the company. In the Target litigation, the court denied a motion to compel certain attorney-client and work-product privileged materials generated in the course of Target’s internal investigation because of Target’s two-track approach to investigating the breach.
Target faced the same problem confronted by many data security breach defendants: the struggle to protect from discovery privileged information developed in the course of internal investigations. To address this issue, many defendants engage in two-track investigations. However, defendants often believe it is impossible to maintain a two-track investigation in the midst of a massive, highly publicized data security breach. The Target decision demonstrates the viability of the two-track approach, and confirms the benefits and importance of considering a two-track investigation. With sufficient resources and planning, a defendant can invoke the protections of this investigative method, even when faced with a large data breach, litigation and press attention.
In re: Target Corporation Customer Data Security Breach, MDL No. 14-2522, Order (Dist. Ct. Minn. October 25, 2015)
70 million people and over 500 financial institutions fell victim to the Target data security breach that occurred between November 27 and December 15 of 2013. Computer hackers gained access to Target’s computer systems and extracted credit and debit card numbers and the personal information, including the names, addresses, emails and phone numbers of Target’s customers. The breach gave rise to consumer, financial institution, and shareholder class actions against Target. The class actions alleged violations of consumer protection laws, data breach notice requirements, negligence, breach of implied contract and unjust enrichment, among other claims. These claims were based on Target’s alleged failure to protect customer financial data.
Target launched an internal investigation, retaining outside counsel and Verizon, as a consulting expert, to conduct a two-track investigation of the data security breach. Working on behalf of a number of credit card companies, the Verizon team investigated how the security breach occurred. Verizon conducted the investigation as Target ordinarily would in its daily course of business. Materials generated in this investigation were not, and were never intended to be, privileged. Rather, Target undertook this investigation to understand how the breach happened and how to respond appropriately as a business, regardless of pending litigation.
Working with a different team from Verizon, completely insulated from the first investigation, Target launched a second investigation into the data security breach with a focus on the pending litigation. At the request of inside and outside counsel, Target formed an internal task force -- the Data Breach Security Task Force -- to address the breach. Target’s Chief Legal Officer, Timothy Baer, Esq. explained that Target established the Task Force “to coordinate activities on behalf of [Target’s inside and outside] counsel to better position the Target Law Department and outside counsel to provide legal advice to Target personnel to defend the company.” The second Verizon team provided counsel with the necessary information regarding the breach in order to provide legal advice to Target.
Target’s internal investigations were understandably of interest to the plaintiffs in lawsuits against Target. In the consolidated class actions brought by the financial institutions, plaintiffs sought discovery of certain documents related to the second investigation. Target withheld the materials from production, claiming attorney-client privilege and work-product protection. The financial institutions filed a motion to compel, which Target opposed. It argued that its two-track method of internal investigation clearly delineated the discoverable information (track 1 investigation) from the privileged information (track 2 investigation) not subject to discovery. Target specified that the first investigation, conducted in order to understand how the breach occurred, consisted of ordinary course of business information. By contrast, Target explained that the second investigation was conducted for the purpose of providing legal advice and that Verizon, as its consulting expert, provided the necessary information regarding the breach to permit counsel to provide informed advice. Target concluded by asking the court to find that the materials arising out of the second investigation were protected under the work product doctrine and attorney-client privilege.
Following an in camera review of the documents, the court denied all but one request within the Financial Institutions’ motion. The court agreed with Target’s argument regarding the two-track investigation. The court noted that the work of the Task Force and the second investigation did not focus on remediation of the breach; rather, Target conducted the investigation so that its attorneys could provide informed legal advice and prepare to defend against pending and anticipated litigation. Because the withheld materials were created for the purpose of providing legal advice, the court found the documents protected by the attorney-client privilege and work product doctrine.
What does this mean for companies faced with a data security breach?
In-house counsel should consider a two-track investigation as an effective means to address a data breach while insulating information that should be protected from disclosure under attorney-client privilege and work product doctrine. As detailed in the Target ruling, that investigation would consist of 1) a forensic investigation to determine how the breach occurred; and 2) a separate forensic investigation conducted by a team retained to provide consulting services and technical expertise in order to assist counsel in rendering legal advice to the company.
Because a two-track investigation involves a substantial amount of time, planning, and resources, it may not be the appropriate response to every data security breach. In-house counsel will need to engage in a quick and practical evaluation of the issues raised by a data security breach to see if the company would benefit from a two-track approach.
While there is no guarantee that other courts will follow the Target decision, the clarity of the court’s reasoning should be persuasive to other judges presented with questions regarding the scope of privilege in the context of addressing a data breach. Each track clearly delineates the information that is part of a company’s ordinary business, and develops separately the privileged information and advice required to render legal advice to the client. This analytical framework should help other courts to dispose of discovery disputes and to protect information that falls within a company’s attorney-client privilege and attorney work product.
The Target decision provides reassurance that two-track investigations can work effectively to protect privileged information in both large and small data security breaches, even when faced with the pressures of litigation and intense public scrutiny.