Preserving Privilege in Data Breach Investigations

Forensic examination of data systems is critical when responding to a data breach. However, with lawsuits under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) emerging as an additional threat, companies doing business in California are well-advised to undertake these investigations in a way that shields them from discovery. A decision from a CCPA case, In re Blackbaud, Inc., stands as a timely reminder.

Blackbaud, Inc. is a cloud computing, account management and billing services company that was the victim of a ransomware attack in early 2020. The company paid the ransom in exchange for return of customer personal data and a promise that the hackers would destroy any and all copies of the data. Despite that promise, whether and to what extent personal data was divulged or retained remains unknown.

The incident, unsurprisingly, spawned several lawsuits, including a CCPA class action filed in the Central District of California. The named plaintiff alleged that Blackbaud had not taken reasonably available steps to prevent the breach. These suits are currently proceeding in multi-district litigation in the District of South Carolina. The district court ordered Blackbaud to produce a forensic report its consultants had prepared while investigating the breach. The court ruled that plaintiffs should be able to consult the forensic report in preparation for their consolidated complaint. 

Unfortunately for Blackbaud, there is no argument about the report’s relevance. An investigatory report detailing how the breach occurred, what data was compromised, what security measures failed, and presumably what future steps should be implemented would be highly pertinent.

More problematic was that the report was prepared independent of potential litigation and disclosed to regulators. This precluded any argument that the report was attorney-client privileged material. Blackbaud tried to delay production of the report until after the pleading stage, arguing that plaintiffs’ needed to establish their standing prior to engaging in discovery, but the court was unpersuaded. Plaintiffs were able to prepare their consolidated complaint using Blackbaud’s own internal investigations as a roadmap.

Blackbaud cannot be faulted for its haste to investigate. However, with statutes such as the CCPA and the CPRA now part of the landscape, businesses responding to data breaches need always keep one eye toward future litigation. This requires treating a data breach as a legal problem much sooner than the first filing of a lawsuit.

Doing so entails more than nominal involvement of counsel in internal investigations. Recent decisions in data privacy litigation have compelled disclosures of breach investigations — despite being lawyer-proximate — where the investigation’s primary purpose was to provide business advice. This can be complicated in the context of a data breach. A business may need advice on its information systems as much as it does on its legal situation. Still, there are things that businesses can do to bolster the argument that their investigations should be privileged and undiscoverable. These include:   

• Involving litigation counsel early. If the business undertakes its investigations absent counsel, there can be no argument later that those investigations are subject to the attorney-client privilege;
• Having litigation counsel retain forensic experts. Litigation counsel’s retention, instruction and payment of outside experts maximizes the chances that the experts’ work product is privileged by allowing litigation counsel to direct the investigation with a view toward potential litigation;
• Limiting distribution of written reports. Limiting the number of personnel “looped-in” on the report — and eliminating those outside the organization — makes it easier to both maintain and assert privilege;
• Being strategic about disclosures to regulators and/or law enforcement. In certain industries, depending on what type of data is compromised, disclosures to regulatory and government agencies may be required. Similarly, there may be compelling reasons to involve law enforcement as part of an investigatory response. Companies may wish to do so despite the disincentives of looming CCPA and CPRA litigation. Businesses need to be cognizant of the risks associated with disclosure and make strategic choices about if, what, how much and when information is disclosed. 

Data attacks are escalating in scope and number, and so are data breach lawsuits. Including the above suggestions as part of a response plan can protect data breach investigations from future disclosure, and put businesses in the best position to respond to the breach itself and the litigation that follows.