Magistrate Judge Jeffrey J. Keyes in the United States District Court for the District of Minnesota has protected from disclosure large portions of information held by Target Corporation related to its internal investigation of its 2013 data breach. In re: Target Corporation Customer Data Security Breach Litigation. The key to the protection was Target’s two-track procedure, its creation of a “Data Breach Task Force,” and its involvement of outside counsel.
Info Held by Task Force Protected: After the data breach, Target retained outside counsel, and established the Data Breach Task Force at the request of its in-house lawyers and outside counsel so that the task force could educate Target’s attorneys about aspects of the breach and counsel could provide Target with informed legal advice. This task force was separate from Target’s ordinary course investigation. Target also retained Verizon to investigate the data breach, but again did so in two tracks. According to the opinion, on one track, Target conducted its own ordinary course investigation, and a team from Verizon conducted a non-privileged investigation so that Target and Verizon could learn how the breach happened and Target (and apparently the credit card brands) could respond to it appropriately. On the second track, Target established its own task force and engaged a separate team from Verizon to provide counsel with the necessary input. Target claimed attorney-client privilege and work-product protection on the second track.
After an in-camera review of selected documents, the court generally agreed with Target, finding that the work of the Task Force was focused not on remediation of the breach (as Plaintiffs contended), but on informing Target and its in-house and outside counsel about the breach so that counsel could provide the Company with legal advice and prepare to defend the company in litigation that was already pending as well as reasonably expected to follow.
Role of Outside Counsel: The Court’s decision did not explicitly depend on the presence of outside counsel, but its tenor clearly demonstrated that outside counsel’s involvement was helpful in clearly delineating the two tracks, and thus in creating the protection. Outside counsel hired one of the two Verizon teams, for instance. In addition, the Court specifically cited the fact that Target’s Chief Legal Officer explained that shortly after discovering the possibility that a breach had occurred, Target retained outside counsel. Many courts have explained that the dual business advisor/legal advisor function of inside counsel can make privilege determinations murkier.
E-mail Update to Board Not Protected: The Court did order the production of redacted information within e-mail communications from Target’s Chief Executive Officer to the Board of Directors. The Court concluded that the redacted communications merely updated the Board on what Target’s business-related interests were in response to the breach, and accordingly were not entitled to either attorney-client privilege or work product immunity protection.
The Court’s decision highlights the importance of a business preparing for the possibility of a data breach and having a plan that contemplates protection of the appropriate privileges. Our Data Privacy & Security Team can assist in creating such a plan.
For more on the applicability of these privileges, consider attending Attorney-Client Privilege: What It Is, What It Isn’t, and How and Why to Protect It, as part of Quarles & Brady’s annual legal ethics seminar on November 6, 2013.