Data breach investigation reports may not be privileged, Wash. federal court rules

By Erin Ayers, Front Page News

A U.S. District Court judge in Washington state ordered a ransomware attack victim to turn over an investigation report to plaintiffs in a related data breach class action, finding that in this case, the information does not qualify for protection under attorney-client privilege or the work product doctrine.

McMenamins, a hospitality chain including breweries, pubs, hotels, and theaters, experienced a ransomware event in December 2021 that resulted in the breach of personally identifiable information of current and former employees. McMenamins hired Stoel Rives LLP to respond to the event. Stoel Rives then retained cybersecurity service vendor Stroz Friedberg “provide consulting and technical services.”

In January 2022, the affected employees filed a class action against the McMenamins in the U.S. District Court in Seattle, alleging negligence and breaches of contract, implied contract, fiduciary duty, confidence, unjust enrichment/quasi-contract, and violations of the Washington Consumer Protection Act.

Plaintiffs later sought access to the investigation report prepared by Stroz Friedberg as well as other documents related to the case. McMenamins provided “heavily redacted” copies of some of the requested documents, according to the Court’s order, but plaintiffs filed a motion to compel the release of all documentation.

It’s a question that has been considered by breach counsel, courts, and cyber insurance industry often in recent years.

“Numerous courts have considered similar disputes over cybersecurity consultant reports in the context of data breach litigation,” wrote Judge Kymberly K. Evanson in the opinion, adding that the Court evaluated several factors, including “whether the report would have been prepared in a substantially similar form absent the anticipation of litigation.”

Evanson noted, “To be attorney-client privileged, the communications with employees, counsel, and Stroz Friedberg must be related to legal advice … The evidence demonstrates Stroz Friedberg was providing a business service, by seeking and providing factual information to McMenamins and their counsel. And factual information contained in an email is not protected merely because an attorney was copied.”

The case, proceeding in the U.S. District Court, Western District of Washington at Seattle, is Andrew Leonard et al. v. McMenamins Inc., Case No. C22-0094-KKE.