Earlier this year, following oral argument and 16 amicus submissions, the Supreme Court dismissed as improvidently granted (“DIG”)[1] a writ of certiorari on the issue of whether communications involving both legal and non-legal advice are protected by the attorney-client privilege.[2]
This red-hot issue was granted review following the decision styled In Re Grand Jury, in which the 9th Circuit upheld a district court’s orders that certain dual-purpose communications were not privileged because the “primary purpose” of the documents was to obtain tax advice, not legal advice.[3] The appellants in the case, a law firm and client company, argued in the alternative; namely, that even if “the primary purpose” test applied, the court should adopt “a primary purpose” test instead, relying on the D.C. Circuit’s decision in the matter of In re Kellogg Brown & Root, Inc.[4] The D.C. Circuit articulated the test as follows, “[w]as obtaining or providing legal advice a primary purpose of the communication, meaning one of the significant purposes of the communication?”[5]
On January 23, 2023, the same day as the Supreme Court’s DIG, another case finally resolved from the Middle District of Pennsylvania involving the same issue on facts which are occurring all too often. The issue involved a 2021 decision by a Pennsylvania Magistrate Judge which called into question the often relied upon attorney-client privilege and work product doctrine. The decision concerned a discovery dispute stemming from a 2018 data breach at Rutter’s, a chain of gas stations and convenience stores.[6] The plaintiffs in this lawsuit sought the production of an investigative report created in response to the data breach by cybersecurity consultant, Kroll Cyber Security, LLC (“Kroll”), as well as communications between Kroll and Rutter’s. Rutter’s resisted, claiming that the material was protected by both the work product doctrine and attorney-client privilege.[7]
With Privilege Comes Precision
The facts surrounding the dispute are straightforward. Rutter’s received two Carbon Black Defense alerts detailing the execution of suspicious scripts and indications of the use of potentially compromised credentials. That same day, Rutter’s hired outside counsel to advise it on potential notification obligations. Outside counsel hired Kroll immediately to conduct a forensic analysis to determine the scope and character of the incident. Rutter’s and its counsel believed that Kroll’s work would be privileged in all respects. Not until Rutter’s company deposition did plaintiffs learn of Kroll’s investigation. The Statement of Work (“SOW”) in the Kroll contract contained a description of services “to determine whether unauthorized activity… resulted in the compromise of sensitive data, and to determine the scope of such compromise if it occurred.”[8] Nothing about the services suggested that Rutter’s believed litigation would result because it did not know whether, in fact, a data breach had yet occurred. At its deposition, Rutter’s stated that litigation was not contemplated at the time the Kroll report was ordered. Importantly, Rutter’s testified that it would have had Kroll conduct its incident response investigation and prepare a report regardless of whether lawsuits were later filed.
Whereas the attorney-client privilege protects attorney-client relations, the work product doctrine is designed to protect the confidentiality of documents prepared by or for attorneys in anticipation of litigation. It “promotes the adversary system by enabling attorneys to prepare cases without fear that their work product will be used against their clients.”[9] Indeed, our federal rules require that the document be prepared “in anticipation of litigation” to be afforded the work product protection.[10] Readily identifiable litigation or impending litigation must be the primary motivating purpose underlying the document. Given the SOW and Rutter’s deposition testimony, the Court reasoned that “anticipation of litigation” was not the “primary motivating purpose” and rejected Rutter’s objections.[11]
For the attorney-client privilege to attach, communications about the Kroll report needed to have been in furtherance of gaining or providing legal assistance.[12] Here, the Kroll SOW did not go far enough. Kroll was to “work alongside Rutter’s IT personnel to identify and remediate any potential vulnerabilities.”[13] Nothing about this description suggested attorney involvement to gain or provide legal assistance.
Best Practices to Document Privilege
Motions to compel investigative reports have become a familiar refrain in data breach cases, and our courts have expressed increasing skepticism over claims of attorney-client privilege or work product to shield those reports. Counsel must be prepared to explain exactly how the investigative report is being used; is it to understand how the breach occurred, is it to prepare for litigation, or is it being used for some broader purpose? The decision in Rutter’s and leading cases before it,[14] provide important guidance on best practices for outside counsel and their clients. First, counsel must properly identify and document the attorney-client relationship and purpose of the work to be completed, especially where there is already an ongoing attorney-client engagement. Assuming that work includes an investigative report, outside counsel should spearhead the investigation, order the report and identify the threat of litigation when hiring the vendor. The report, in turn, should be delivered directly to outside counsel and not to the client. All related communications with the vendor should go through outside counsel. If the client is desirous of a report to aid in its ongoing business operations, then the vendor should prepare a separate report for just that purpose, completely unrelated to the litigation.
How the Kovel Doctrine Can Extend Privilege
Data breach cases are easy targets because of the defendant’s need for immediate third-party consultants, pre-litigation. So, too, are cases involving third-party consultants acting as agents, where the client communication requires an understanding or interpretation of complex business advice, as in tax or accounting. Known as the Kovel doctrine, the Second Circuit extended the attorney-client privilege to third-party professionals acting as an agent of an attorney providing legal advice.[15] The agent’s communication must be made in confidence for the purpose of obtaining that advice, and the agent must be translating or interpreting client communications to assist the lawyer.[16] For Kovel protections to apply, the attorney should engage the consultant for the specific purpose of rendering legal advice to the client and should direct the consultant’s actions. Mixed communications, where the lawyer’s advice is merely incidental to the consultant’s business advice, will almost certainly be subject to scrutiny and may not be protected.
Conclusion
Counsel and their clients must not fall into the trap of presuming that their mixed communications will be protected by the attorney-client relationship. According to one scholar, the Supreme Court’s dismissal of the writ of certiorari in Grand Jury, “does not mean that the court has lost interest in the issue raised, only that the facts of the case were not the right vehicle for exploring it.”[17] The 9th Circuit court of appeals acknowledged, but did not need to address, the appellant’s argument from the D.C. Circuit’s reasoning in Kellogg that “the primary purpose test” would be satisfied if the law firm’s advice was one of the “significant purposes” of its communication. For now, counsel must assume that until the Supreme Court digs into this issue again, “the primary-purpose test” will apply when the communication does not have a single purpose.
——————————————————————–
This DarrowEverett Insight should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This Insight is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. We are working diligently to remain well informed and up to date on information and advisements as they become available. As such, please reach out to us if you need help addressing any of the issues discussed in this Insight, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.
Unless expressly provided, this Insight does not constitute written tax advice as described in 31 C.F.R. §10, et seq. and is not intended or written by us to be used and/or relied on as written tax advice for any purpose including, without limitation, the marketing of any transaction addressed herein. Any U.S. federal tax advice rendered by DarrowEverett LLP shall be conspicuously labeled as such, shall include a discussion of all relevant facts and circumstances, as well as of any representations, statements, findings, or agreements (including projections, financial forecasts, or appraisals) upon which we rely, applicable to transactions discussed therein in compliance with 31 C.F.R. §10.37, shall relate the applicable law and authorities to the facts, and shall set forth any applicable limits on the use of such advice.
[1] The Supreme Court may grant a petition of the writ of certiorari, but retains the discretionary authority to DIG the case, meaning to later decide not to review the case after all.
[2] In re Grand Jury, 143 S. Ct. 543 (2023).
[3] 23 F.4th 1088, 1092 (9th Cir. 2021).
[4] Id. at 1094 citing In re Kellogg Brown & Root, Inc., 756 F.3d 754 (D.C. Cir. 2014).
[5] In re Kellogg Brown & Root, Inc., 756 F.3d at 760.
[6] In re: Rutter’s Data Security Breach Litigation, No. 1:20-CV-382, 2021 WL 3733137 (M.D. Pa. July 22, 2021).
[7] Id. at *1.
[8] Id. at *2.
[9] Id. citing Westinghouse Elec. Corp. v. Republic of Philippines, 951 F.2d 1414, 1428 (3d Cir. 1991).
[10] Fed. R. Civ. P. 26(b)(3).
[11] In re Rutter’s Data Sec. Breach Litig., 2021 WL 3733137 at *2; see United States v. Rockwell Int’l, 897 F. 2d 1255, 1266 (3d Cir. 1990).
[12] Id. at *4 citing Kramer v. Raymond Corp., 1992 WL 122856, at *1 (E.D. Pa. 1992).
[13] Id. at *4.
[14] See In re Experian Data Breach Litig., No. SACV1501592AGDFMX, 2017 WL 4325583, at *2 (C.D. Cal. May 18, 2017); In re Capital One Consumer Data Sec. Breach Litig., MDL No. 1:19md2915 (AJT/JFA) (May 26, 2020).
[15] United States v. Kovel, 296 F.2d 918 (2d Cir. 1961).
[16] U.S. v. Schwimmer, 892 F.2d 237, 243 (2d Cir. 1989); U.S. v. Ackert, 169 F.3d 136, 140 (2d Cir. 1999).
[17] Stephen Gillers, A “DIG” on attorney-client privilege: Why the court decided not to decide In re Grand Jury, SCOTUSblog (Jan. 25, 2023, 9:30 AM), https://www.scotusblog.com/2023/01/a-dig-on-attorney-client-privilege-why-the-court-decided-not-to-decide-in-re-grand-jury/ (offering one possible explanation that “a majority of the court wants to save the issue for a case whose public facts permit a serious evaluation of a question whose answer can expand secrecy and greatly affect the administration of justice.”).
