Data breach litigation inherently involves a significant amount of information, so it is no surprise to see discovery issues in breach cases. The typical data breach lawsuit may include discovery requests for pre-breach information (response plans, audits), response information (notification letters and phone scripts) and post-breach information (remediation and vendor information). Suffice it to say, there is ripe opportunity for discovery disputes with this amount of information needing to be exchanged between the parties.

The Blue Cross breach, or Premera breach, occurred in 2015 and involved the unauthorized disclosure of confidential information of approximately 11 million current and former members, affiliated members, and employees of Premera. The compromised data included members’ personal, medical and financial information. The breach on Premera’s computer network was publicly disclosed on March 17, 2015. A class action lawsuit was filed in the District Court for Oregon based on claims that the breach began in May of 2014 and went without detection for nearly a year. In In Re: Premera Blue Cross Customer Data Security Breach Litigation, 2019 WL 464963 (D. Ct. Or. Feb. 6, 2019), the District Court for Oregon addressed motions to compel discovery of documents and other information filed by the class action plaintiffs and Premera.

First, the District Court addressed the class action plaintiffs’ motion seeking the production of documents withheld by Premera based on the attorney-client privilege and the attorney work-product doctrine. The District Court provided the following analysis which can provide insight to data collectors:

  • Email Communications: Based on the large body of law concerning attorney-client privilege, the District Court held only emails from Premera’s attorneys containing legal advice were protected.  Emails “containing merely a factual discussion” would not be protected.
  • Draft Documents: The District Court found documents prepared by attorneys, at the request of attorneys or sent to attorneys would most likely be protected from discovery. The District Court specifically noted that drafts of breach notification letters or press releases about the breach may not be protected if the documents are merely sent to the attorney to be included in the attorney’s file and do not solicit legal advice.
  • Documents Related to Press Releases, Notices and Remediation: Once again, in reviewing the various documents discussing the breach, the District Court relies on the fundamental rule that protected communication must provide or solicit legal advice.  All communication simply discussing articles in the press may be discoverable unless the discussion “involves seeking advice about how that particular article might affect Premera or litigation, or how from a legal perspective Premera should comment on the article…”

Likewise, the District Court held drafts of scripts to be used to discuss the breach with members or FAQ documents would be protected as long as legal advice is being provided or sought.  Additionally, scripts were found to be protected to the extent they are prepared “in anticipation of litigation.”  That is, the District Court noted that Premera would not have taken the time to prepare scripts unless they anticipated litigation or regulatory inquiries.  Therefore, while the drafts of scripts were prepared by counsel, the “actual final scripts” were not protected.

Plaintiffs argued documents related to remediation are considered a business function and, therefore, would not be protected.  The District Court found all documents provided by vendors that contain or solicit legal advice are protected.  However, in a discussion concerning “attachments provided to counsel that were prepared by third-party vendors,” the District Court noted that “third parties performing general remediation efforts, even if hired by counsel, are performing a business function.”  Therefore, a vendor’s report by itself may not be protected if it is found to not provide “factual information to counsel so that counsel can provide sound and informed legal advice or have been sent to the attorney requesting the attorney’s legal advice and input.”

  • Business and Technical Documents: Obviously, a substantial amount of technical data would be expected with a breach of this size. The District Court found information related to Premera’s audits, investigations and their security may be discoverable because “[a]s a business, Premera needs periodically to audit its information technology and security and training.” And, audits would have been done regardless of the breach. Therefore, information concerning these activities may be discoverable to the extent they have a business purpose more than a legal purpose. The District Court further noted that this information may be discoverable even if legal counsel relies on the information while formulating their advice since “[t]hese audits…are normal business functions performed on a regular basis, to enable Premera to assess the state of its technology and security.” The District Court also found the information related to the investigation of the cause of this breach or into the corporation’s “physical security” was discoverable since Premera needed to conduct the investigation as a business anyway. A document drafted by counsel using this data would be protected.

Importantly, the District Court found information related to “Premera’s response to the breach” would not be discoverable since it “was likely affected by the anticipation of litigation and regulatory inquiries.”  The District Court summarizes its ruling that documents related to the response to the breach may not be discoverable as: “Other than the initial business steps of remediation, notifying customers, and making public statements, which Premera would have had to do regardless, the later actions by Premera were likely guided by advice of counsel and concerns about potential liability.”

  • Documents Disclosed to Third Parties: The District Court held that documents turned over to third-party vendors, including Mandiant, may not be discoverable. These documents remain privileged as long as “an attorney is being asked to give legal advice about something a third-party vendor is working on does not extinguish the attorney-client protection.”

Premera’s motion was far less complicated and merely sought an Order requiring the Plaintiffs to produce their computers or other devices in order to investigate the “actual causal link between the Defendant data breach and their alleged harm.” Specifically, Premera wanted to confirm each class action plaintiff could establish they suffered harm from Premera’s breach. Premera claims plaintiffs cannot establish this causal link if their devices have “malware or evidence of other intrusions” unrelated to this breach. Premera provided the following example of the information it needs to collect:

“…Plaintiff Mr. Christopherson’s testimony that his bank account information was obtained by ‘scammers’ and that Premera is entitled to Mr. Christopherson’s Device ‘in order to determine precisely what the scammers took from Mr. Christopherson and whether such evidence disrupts the causal link that Plaintiffs allege exists between the Defendant breach and the alleged harm to Mr. Christopherson.’”

However, the District Court rejected this argument since “Plaintiffs are not alleging any identity theft-related injuries or seeking such damages.”  Therefore, the causal link is irrelevant to the damages sought by Plaintiffs.

Data breach litigation has always posed unique issues to the extent that data collectors must prepare for an incident but there were always questions as to whether those preparation documents could be used against them by plaintiffs in a data breach case. For example, many data collectors struggle with whether breach response plans will be discoverable and used against them after a breach. While the Premera Court does not directly address documents generated before the incident, the case makes clear that documents providing or soliciting legal advice have the best chance of being protected from discovery. Consequently, if there were not enough reasons already to retain counsel for cyber security, data collectors must consider that operating without counsel may generate documents that will not be privileged.