Opinion
Civil Action 23-3055(CPO)(EAP)
07-31-2024
IN RE: SAMSUNG CUSTOMER DATA SECURITY BREACH LITIGATION This Document relates to: ALL ACTION
OPINION AND ORDER
Hon. Freda L. Wolfson (ret), Special Master
The Court appointed me as a Special Master in this Multidistrict Litigation ("MDL") for discovery purposes. In this consolidated putative class-action MDL, Plaintiffs, who are individual consumers from various states, allege that Defendant Samsung Electronics American, Inc. ("Samsung" or "Defendant") failed to properly secure and safeguard Plaintiffs' sensitive and confidential personally identifiable information registered on Samsung's electronic system. While a motion to dismiss is pending, the Court nevertheless permitted targeted discovery. During this early phase of discovery, Plaintiffs are seeking production of documents from Samsung that were prepared by a third-party cybersecurity firm, Stroz Friedberg LLC ("Stroz"). Asserting attorney-client privilege and work product doctrine over those documents from disclosure, Defendant moves to shield the documents. For the reasons set forth below, Defendant's motion is GRANTED in part and DENIED in part. Defendant is directed to produce the following documents: 1) Stroz PowerPoint; 2) Stroz Analysis; and 3) FBI Update. The Stroz Draft Memorandum is subject to attorney client privilege.
The allegations referenced in this Opinion are recounted from the redacted Amended Complaint filed on April 19, 2024. (See Am. Compl., ECF 150.) A sealed and unredacted version was filed on April 11, 2024. (See ECF 146.) I will only recount relevant facts necessary to resolve this motion.
The production of the FBI Update must contain the redactions that were directed by the FBI for the purposes of protecting the integrity of the agency's ongoing criminal investigation.
BACKGROUND AND PROCEDURAT HISTORY
I. Procedural History
This MDL is at its infancy. While a dispositive motion is pending before the Court the Court permitted early discovery to begin, including the completion of fact sheets, such that the exchange of some documents may streamline the parties' disputes and aid in early settlement discussions. In the midst of this targeted discovery, Plaintiffs sought certain documents, as set forth in more detail infra, from Samsung that were created by its cybersecurity consulting firm, Storz, who was retained by Samsung's attorneys at Hunton Andrews Kurth LLP ("Hunton"). In response, Defendant has moved to shield the disclosure of these materials based on its assertion of the attorney client privilege and work product doctrine; Plaintiff has opposed the motion.
I held oral argument on the motion on March 12,2024. During the hearing, because of several unanswered factual questions I posed to Defendant, I requested Defendant to submit additional certifications. Since receiving those certifications, I permitted the parties to submit supplemental briefing to discuss the impact of the certifications on Defendant's motion. All submissions have been received and reviewed, and the motion is ready for disposition.
As part of the parties' motion practice, Defendant submitted its moving brief along with two declarations from Adam H. Solomon and Lisa J. Sotto, partners at Hunton. In response, Plaintiffs submitted an opposition brief, and Defendant filed a reply. After the motion hearing, pursuant to my instructions, Defendant submitted two additional certifications, both from Samsung's Head of Engineering for Digital Commerce, Manikandan Sundaram. To address those newly asserted facts, I gave leave for Plaintiffs to file a supplemental brief, and a 4-page response by Defendant.
II. Retention of Stroz
In late July 2022, an unauthorized third-party accessed Samsung's electronic system and exfiltrated and misappropriated a substantial quantity of certain personally identifiable information ("PII"). (See Am. Compl., ¶ 4.) According to Samsung, after the data breach incident, in anticipation of litigation and regulatory inquiries, it retained Hunton to provide advice regarding Samsung's legal obligations arising from the cyberattack. (See Decl. of Adam H. Solomon ("Solomon Decl."), ¶ 4.) In turn, Hunton retained Stroz, an expert in the field of cybersecurity incident response and digital forensics. Samsung maintains that Stroz provided forensics information to Hunton such that the firm could provide legal advice to Samsung.
Hunton directed Stroz to conduct a forensic investigation into the data breach incident. Stroz had not previously performed any services for Hunton or Samsung related to the subject data breach. (Id. ¶ 3.) According to Hunton, a forensic investigator was necessary to provide its attorneys technical background and knowledge for rendering informed legal advice to Samsung. (See Decl. of Lisa J. Sotto ("Sotto Decl."), ¶ 4.) Stroz did not perform any services to contain or remediate the breach. (Id. ¶ 3.)
Hunton and Stroz entered into a Letter of Engagement, which states that Hunton has requested Stroz to "provide consulting and technical services [Redacted]" (Letter of Engagement Dated August 8, 2022 ("Engagement Letter"), p.1.) The Engagement Letter goes on to state:
The purpose of the Engagement is to enable Counsel to render legal advice to Client regarding a potential security issue and/or, where applicable, in anticipation of litigation, a regulatory inquiry, or an internal investigation. [Redacted](Id. p. 2.)
In terms of the scope of work, the Engagement Letter sets forth the following: 1) assist with collecting forensic images and logs from [Redacted] 2) forensic analysis of [Redacted]; 3) various log review; 4) threat intelligence support and OpenCTI ingestion; and 5) automated triage analysis of suspected malware samples. (Id. p. 14.)
In addition to a forensic investigation, Hunton later retained Stroz to perform external investigations and monitoring. (Sotto Decl., ¶ 15.) These investigations involved 1) performing a deep and dark web scan [Redacted] 2) conducting threat intelligence monitoring [Redacted]. (Id.) Admittedly, this work was not part of the forensic investigation into Samsung's systems as contemplated by the Engagement Letter. (Id. ¶ 16.)
III. Documents at Issue
To conduct its investigation, Stroz was provided with [Redacted]. [Redacted] to develop its findings and conclusions on the potential causes and scope of the breach. [Redacted] Rather, Stroz's initial investigation was confined to determine which files were exfiltrated and how they were likely accessed; [Redacted]
[Redacted].
Throughout the course of its investigation, Stroz provided updates to not only Hunton but also to select Samsung personnel on its investigative findings. These updates were presented in the form of 13 PowerPoint presentations ("Stroz PowerPoint") shown on a screen during video conferences between August 13, 2022 and October 7, 2022. (See Decl. of Manikandan Sundaram ("Sundaram Decl."), ¶ 2.) According to Samsung, 13 of its personnel were included in one of more of these virtual conferences. (Id. ¶¶ 3-4.) These employees consisted of, inter alia, in-house counsel, senior security and data executives, a consumer marketing director and manager, and senior e-commerce representatives. (Id. ¶ 3.) These PowerPoint slides were not sent to Hunton or Samsung; copies were presented to me for in camera review.
In addition to the PowerPoint, Stroz prepared a draft one-page Cloud and Host Analysis, outlining Stroz's conclusions regarding the background and potential scope of the data breach incident ("Stroz Analysis"). This document was sent to Hunton, as well as to select Samsung personnel on August 30, 2022. (Sotto Decl., ¶ 11.) The Stroz Analysis was sent to 15 different personnel, including in-house counsel and senior security and privacy executives. (See Sundaram Decl., ¶¶ 5-6.)
In January 2023, after the completion of Stroz's investigation and review, and in connection with Hunton providing legal advice to Samsung, Hunton requested Stroz to assist Hunton with the preparation of a memorandum detailing Stroz's investigation findings and analysis. (Solomon Decl., ¶ 6.) In that regard, Stroz prepared, but did not finish, a draft memorandum summarizing its investigation analysis and conclusions ("Stroz Draft Memorandum"). Stroz showed Hunton portions of the Stroz Draft memorandum during a video call. (Id. ¶ 7.) Samsung did not participate in this call. (Id.) This document was also provided to me for my in camera review.
Based on the Stroz Draft Memorandum, Hunton drafted a legal memorandum and provided it to two members of Samsung's in-house litigation team in February 2023. Plaintiffs are not seeking to compel production of this memorandum.
Finally, as part of its engagement, Hunton assisted Samsung in interactions with the government, including the Federal Bureau of Investigation ("FBI") and regulators. (Sotto Decl., ¶ 12.) The FBI sought from Samsung an explanation of certain issues related to the data breach, [Redacted]. (Id.) In response, Hunton requested
Stroz to draft a document to share with the FBI (the "FBI Update"). After Stroz prepared the FBI Update, it was provided to Hunton for Hunton's review before submitting it to the Agency. (Id. ¶ 13.)
IV. Parties' Arguments
Plaintiffs seek the production of the Stroz PowerPoint, Stroz Analysis, FBI Update (collectively, "Stroz Materials") and Stroz Draft Memorandum. Plaintiffs submit that these documents contain facts about the nature and scope of Samsung's data breach incident, not legal advice or conclusions. Plaintiffs stress that the Stroz investigative facts were shared with Samsung, and indeed, the Stroz investigation is the only one commissioned for this incident. In that regard, Plaintiffs argue that the attorney client privilege does not apply, because the materials do not reflect communications between Samsung and its lawyers, but rather non-privileged communications related to Stroz. Similarly, Plaintiffs claim that the work product doctrine has no applicability, because the investigation conducted by Stroz was a necessary business function, and having Hunton oversee the factual investigation does not somehow transform ordinary business documents into work product deserving of protection. In other words, Plaintiffs maintain that Hunton's involvement in Stroz's investigation should not shield the requested documents because Stroz was not engaged solely to assist Hunton in providing legal advice.
At the outset, although Samsung asserts the attorney-client privilege and work product doctrine, it does not argue why each protection is separately applicable. Rather, it combines both theories when making its arguments that the requested documents are protected. In that respect, Defendant argues that several factors weigh in favor of a finding that the overall investigation and the documents generated from it are protected. These include: 1) Samsung had no ongoing or prior contractual relationship with Stroz; 2) Samsung retained Hunton to provide confidential legal advice in connection with Samsung's response to the data breach; 3) in anticipation of litigation, Hunton retained Stroz to assist Hunton with providing confidential legal advice to assist with Samsung's regulatory compliance and interaction with law enforcement agencies; 4) neither Hunton nor Samsung engaged Stroz for a business purpose, such as real time monitoring of a live database for active threat or remediation recommendations; 5) Hunton directed Stroz's development of written work product during its investigation; and finally, 6) the Stroz Materials and the Stroz Draft Memorandum reflect analyses and conclusions about the potential causes and scope of the data breach-not purely factual recitations.
DISCUSSION
I. Standard of Review
A. Attorney Client Privilege
One of the oldest recognized privileges, the attorney client privilege was developed long ago to encourage "full and frank communication[s] between attorneys and their clients." Upjohn Co. v. United States, 449 U.S. 383, 389 (1981). The privilege protects "confidential client-to-attorney or attorney-to-client communications made for the purpose of obtaining or providing professional legal advice." Hydrojet Servs. v. Sentry Ins. Co., No. 20-4727, 2022 U.S. Dist. LEXIS 107325, at *10 (E.D. Pa. June 16, 2022) (citations and quotations omitted). However, while the privilege protects attorney-client communications, the facts underlying the communications are not subject to any protection. See Upjohn, 449 U.S. at 395 ("[Protection of the privilege extends only to communications and not to facts.").
The party invoking attorney client privilege bears the burden of proving the privilege applies and must show: "(1) that it submitted confidential information to a lawyer, and (2) that it did so with the reasonable belief that the lawyer was acting as the party's attorney," Montgomery Acad. v. Kohn, 50 F.Supp.2d 344, 350 (D.N.J. 1999), and (3) that the purpose of the communications was to secure legal, as opposed to business, advice. Kelly v. Ford Motor Co., 110 F.3d 954,965 (3d. Cir 1997) (citation omitted); Legends Mgmt. Co. v. Affiliated Ins. Co., No. 16-1608, 2017 U.S. Dist. LEXIS 154773, at *6 (D.N.J. Sep. 22, 2017). Importantly, confidentiality is the central focus of this privilege. See Republic of Philippines v. Westinghouse Elec. Corp., 132 F.R.D. 384, 388 (D.N.J. 1990) (citing Permian Corp. v. United States, 665 F.2d 1214, 1222 (D.C. Cir. 1981) ("[A] litigant who wishes to assert confidentiality must maintain genuine confidentiality.")).
Communications related to business matters do not qualify for the protection of the privilege. To that end, the general rule is "'while legal advice given to a client by an attorney is protected by the privilege, business advice generally is not/" La Mun. Police Emps. Ret. Sys. v. Sealed Air Corp., 253 F.R.D. 300, 305 (D.N.J. 2008) (quoting In re Nat'l Smelting of New Jersey, Inc. Bondholders' Litig., No. 84-3199, 1989 U.S. Dist. LEXIS 16962, at *18 (D.N.J. June 29, 1989)). Indeed, the attorney client privilege does not attach simply because a statement is made to an attorney or a party's counsel is copied on emails. In re Riddell Concussion Reduction Litig., No. 13-7585, 2016 U.S. Dist. LEXIS 168457, at *7 (D.N.J. Dec. 5, 2016) (citations omitted). In other words, routine, non-privileged business-related communications between corporate officers or employees do not attain privileged status because in-house or outside counsel is copied on a correspondence or memoranda. Id. (citing Andritz Sprout-Bauer, Inc. v. Beazer East, Inc., 174 F.R.D. 609, 633 (M.D. Pa. 1997)). The fact"[t]hat a person is a lawyer does not, ipso facto, make all communications with that person privileged." United States v. Chen, 99 F.3d 1495, 1501 (9th Cir. 1996).
When a client voluntarily discloses privileged communications to a third party, the privilege is generally waived. Westinghouse Elec. Corp. v. Republic of Phil, 951 F.2d 1414, 1424 (3d Cir. 1991). However, "[t]he attorney-client privilege insulates from disclosure a discrete category of communications between attorney, client, and in some instances, third parties that assist the attorney to formulate and render legal advice." HPD Labs., Inc. v. Clorox Co., 202 F.R.D. 410, 414 (D.N.J. 2001) (citing United States v. Kovel, 296 F.2d 918, 922 (2d Cir. 1961) and Westinghouse, 951 F.2d at 1424). In this context, the privilege extends to disclosures that are necessary to obtain informed legal advice, which might not have been made absent the privilege. Id. (citations and quotations omitted). "The privilege, therefore, often extends to necessary intermediaries and agents through whom the communications are made such that there is no reason to distinguish between 'a person on the corporation's payroll and a consultant hired by the corporation if each acts for the corporation and possesses the information needed by attorneys in rendering legal advice." Lifescan, Inc. v. Smith, No. 17-5552, 2022 U.S. Dist. LEXIS 246177, at *29 (D.N.J. May 5,2022) (quoting In re Ridell Concussion Reduction Litig., 2016 U.S. Dist. LEXIS 168457, at *14 (Dec. 5, 2016)). Such an extension of the privilege fosters communication between attorneys and their clients "to protect not only the giving of professional advice to those who can act on it but also the giving of information to the lawyer to enable him to give sound and informed advice." In re Processed Egg Prods. Antitrust Litig., 278 F.R.D. 112, 117 (E.D. Pa. 2011); see E.I. Du Pont de Nemours & Co. v. MacDermid, Inc., No. 06-3383, 2009 U.S. Dist. LEXIS 85436, at *8 (D.N.J. Sept. 17, 2009) ("The attorney-client privilege also protects communications made to an attorney's agent where the communication is necessary for the client to obtain informed legal advice from the attorney." (citing Westinghouse, 951 F.2d at 1424)).
Importantly, statements to and from third parties must "be made in confidence for the purpose of obtaining legal advice from the lawyer." Kovel, 296 F.2d at 922; United States v. Adlman, 68 F.3d 1495, 1499 (2d Cir. 1995) (recognizing that "the privilege .. . can extend to shield communications to others when the purpose of the communication is to assist the attorney in rendering advice to the client"). In Kovel, a seminal case from the Second Circuit, the court found that an attorney did not waive the attorney client privilege by sharing the client's financial information with an accountant. Kovel, 296 F.2d at 921-22. The court equated the accountant with an interpreter who assists an attorney in understanding information his client has given him. Id. at 922-23.
Importantly, however, the Kovel doctrine must be applied narrowly 'Test the privilege be construed to engulf 'all manner of services' that should not be summarily excluded from the adversary process." Linde Thomson Langworthy Kohn & Van Dyke, P.C. v. Resolution Tr. Corp., 5 F.3d 1508, 1514-15, (D.C. Cir. 1993) (quoting Fed. Trade Com. v. TRW, Inc., 628 F.2d 207, 212 (D.C. Cir. 1980); see also In re Lindsey, 158 F.3d 1263, 1272 (D.C. Cir. 1998) ("The attorney-client privilege must be strictly confined within the narrowest possible limits consistent with the logic of its principle.") (cleaned up); In re G-I Holdings, Inc., 218 F.R.D. 428, 435 (D.N.J. 2004) (holding that Kovel does not protect all third party communication "necessary to assist the lawyer in rendering legal service to the client," and rejecting "findings of an attorney-client privilege based [solely] on the necessity or value of the provided assistance" but rather adopting a requirement that the third-party be acting as a "translator or interpreter of client communications").
The Kovel court itself made clear that, for instance, "if the advice sought [by the client] is the accountant's rather than the lawyer's, no privilege exists" over the accountant's report. Kovel, 296 F.2d at 922; see also TRW, 628 F.2d at 212 (same)." [W]hen the third party is a professional . . . capable of rendering advice independent of the lawyer's advice to the client, the claimant must show that the third party served some specialized purpose facilitating the attorney-client communications and was essentially indispensable in that regard." Cellco P'ship v. Certain Underwriters at Lloyd's London, No. 05-3158, 2006 U.S. Dist. LEXIS 28877, at *2 (D.N.J. May 11, 2006) (citation and quotation omitted). Privilege does not apply merely based on counsel's communications with a third party-such as actuaries, accountants, or federal agencies-to obtain information, seek advice, or attain professional services. See United States v. Ackert, 169 F.3d 136,139 (2d Cir. 1999) (stating that gaining information to "better advise" a client is insufficient for attorney-client privilege to attach and that "a communication between an attorney and a third party does not become shielded by the attorney-client privilege solely because the communication proves important to the attorneys' ability to represent the client"). Indeed, a precursor to determining whether third parties assisted counsel with legal advice, is understanding the role of counsel, see Hydrojet Servs., 2022 U.S. Dist. LEXIS 107325 at *14, and whether the third-party advisor's services were "necessary to 'translate' or 'interpret' information for the attorney to allow the attorney to provide legal advice." UPMC v. CBIZ, Inc., No. 16-204, 2018 U.S. Dist. LEXIS 52810, at *21 (W.D. Pa. Mar. 29, 2018) (citing Kovel, 296 F.2d at 922).
"Where a lawyer provides non-legal business advice, the communication is not privileged." Wachtel v. Health Net, Inc., 482 F.3d 225, 231 (3d Cir. 2007). Courts have recognized that "business and legal advice may often be inextricably interwoven" Hercules, Inc. v. Exxon Corp., 434 F.Supp. 136, 147 (D. Del. 1977). For this reason, courts look to the documents' primary purpose to determine whether attorney client privilege applies. Id. at 147. If the advice is predominantly concerned with corporate business, technical issues, or public relations, it is not protected. United States v. Coburn, No. 19-00120, 2022 U.S. Dist. LEXIS 21429, at *8 (D.N.J. Feb. 1, 2022); see e.g., Dejewski v. Nat'l Beverage Corp., No. 19-14532, 2021 U.S. Dist. LEXIS 6083, at *4 (D.N.J. Jan. 12, 2021).
Finally, the application of the privilege is decided on a case-by-case basis, and the party asserting the privilege bears the burden to show it applies. Matter of Bevill, Bresler & Schulman Asset Mgmt. Corp., 805 F.2d 120, 124 (3d Cir. 1986). Because the attorney-client privilege obstructs the truth-finding process, it is construed narrowly. Westinghouse, 951 F.2d at 1423-24 (quoting Fisher v. United States, 425 U.S. 391, 403 (1976)).
B. Work Product Doctrine
The work product doctrine safeguards documents from discovery where such documents are "materials prepared or collected by an attorney 'in the course of preparation for possible litigation." In re Grand Jury Investigation, 599 F.2d 1224, 1228 (3d Cir. 1979) (quoting Hickman v. Taylor, 329 U.S. 495, 505 (1947)); see also Fed. R. Civ. P. 26(b)(3)(A) ("Ordinarily, a party may not discover documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative. . . ."). The doctrine also extends to "[a]n attorney's mental impressions, conclusions, opinions or legal theories." In re Diet Drugs Prods. Liab. Litig., MDL No. 1203, 2001 U.S. Dist. LEXIS 5494, at *11-12 (E.D. Pa. Apr. 19, 2001) (citing In re Ford Motor Co. v. Kelly, 110 F.3d 954, 967 (3d Cir. 1997), abrogated on other grounds by Mohawk Indus., Inc. v. Carpenter, 558 U.S. 100 (2009)). The party asserting work product protection bears the burden of showing that the doctrine applies. See Conoco, Inc. v. U.S. Dep't of Justice, 687 F.2d 724, 730 (3d Cir.1982).
Courts apply a two-step inquiry to determine whether a document is considered work product. In re Gabapentin Litig., 214 F.R.D. 178, 183-84 (D.N.J. 2003). The first step is to ascertain whether the document in question was created "in anticipation of litigation/' and second, whether the document was created "primarily for the purpose of litigation." Id.; In re Am. Med. Collection Agency, Inc., No. 19-2904, 2023 U.S. Dist. LEXIS 223286, at *32 (D.N.J. Oct. 16, 2023) (citing In re Gabapentin Litig., 214 F.R.D. at 183). As to the first prong, courts focus on the motive behind the document's creation. In re Am. Med., 2023 U.S. Dist LEXIS 223286, at *33. A party must establish more than just the "remote prospect" of litigation. In re Gabapentin Litig., 214 F.R.D. at 183. In that regard, the proponent must establish the "existence of an identifiable specific claim or impending litigation at the time the materials were prepared." SmithKline Beecham Corp. v. Apotex Corp., 232 F.R.D. 467, 473 (E.D. Pa. 2005). "The mere involvement of, consultation with, or investigation by an attorney does not, in itself, evidence the 'anticipation of litigation.'" In re Gabapentin Litig., 214 F.R.D. at 183.
This decision, authored by Hon. Michael A. Hammer, U.S.M.J., was recently affirmed by Hon. Madeline Cox Arleo, U.S.D.J.
As to the second prong, courts look to whether the material was produced because of the prospect of litigation and for no other purpose. See In re Grand Jury, 604 F.2d at 803. In that sense," [t]he proper inquiry is whether 'in light of the nature of the document and the factual situation in the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation.'" In re Gabapentin Litig., 214 F.R.D. at 184 (quoting In re Grand Jury, 604 F.2d at 803. "Documents created for other purposes that prove useful in subsequent litigation are not attorney work product; similarly, documents that are routinely prepared in the ordinary course of business are outside the scope of work product protection." Id.
II. Survey of Data Breach Cases
Litigation, like the cases filed in this MDL, has become common place when a company's electronic system is hacked. During the course of these litigations, the parties invariably have disputes over privilege issues involving investigatory reports, such as the Stroz Materials in this case. Before I discuss whether the documents sought to be protected here, in part or in whole, are entitled to protection, I first survey the various relevant data breach cases, most of which the parties have relied upon to support their positions. Each of these cases, while not binding, analyzes whether the attorney client privilege and/or the work product doctrine apply to documents prepared by a third-party cybersecurity firm in differing factual circumstances. Through these courts' reasoning, I will delineate the factors that I find helpful in determining the outcome of the dispute here.
I note that while the parties have cited to other breach-related cases, I only recount those helpful in my analysis.
In In re Experian Data Breach Litig., No. 15-01592, 2017 U.S. Dist. LEXIS 162891 (CD. Cal. May 18, 2017), the court denied the plaintiffs' motion to compel a third-party investigator's report and documents related to the investigation of a data breach event In that case, when Experian learned that one of its systems was breached, it retained the law firm Jones Day for legal advice regarding the attack. Id. at *20. In turn, Jones Day retained Mandiant to conduct an analysis of the attack. According to Experian, the only purpose of that report was to assist Jones Day in providing legal advice to Experian regarding the attack, realizing that Experian's own experts lacked sufficient resources. Id. By way of their motion to compel, the plaintiffs primarily argued that because Experian had independent business duties to investigate any data breaches and it hired Mandiant to do such work, the expert report was not work product. Id. at *22. The court rejected that argument, reasoning that
Mandiant was hired by Jones Day to assist Jones Day in providing legal advice in anticipation of litigation. This is supported by declarations as well as the fact that Mandiant's full report wasn't given to Experian's Incident Response Team. If the report was more relevant to Experian's internal investigation or remediation efforts, as opposed to being relevant to defense of this litigation, then the full report would have been given to that team. The evidence here establish that Jones Day instructed Mandiant to do the investigation and, but for the anticipated litigation, the report wouldn't have been prepared in substantially the same form or with the same content.Id. at *22-23.
Next, the court determined that the plaintiffs did not have a substantial need, because "the evidence submitted by Experian shows that Mandiant [did not] have access to any of Experian's live systems, networks, or servers when it was investigating to prepare this particular report. Mandiant apparently only observed server images to create its report. And Plaintiffs can, through discovery, get those same exact server images and hire their own expert to perform the work Mandiant did." Id. at *24 (internal citation omitted).
In Wengui v. Clark Hill, PLC, No. 19-3195, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021), the plaintiff's personal information collected by his former law firm, defendant Clark Hill PLC, was hacked by a third party, and as a result, he filed suit against the firm. During discovery, the plaintiff filed a motion to compel reports of forensic investigations into the cyberattack. Id. at *1-2. The firm resisted, claiming that the documents sought by plaintiff were produced by external security-consulting firm Duff & Phelps, retained by outside litigation counsel, and therefore, were covered by both the attorney client privilege and work product. Id. at *2. The court found that the firm "has not met its burden to show that the Report, or a substantially similar document, 'would [not] have been created in the ordinary course of business irrespective of litigation.'" Id. at *5 (quoting Banneker Ventures, LLC v. Graham, 253 F.Supp.3d 64, 72 (D.D.C. 2017)) (alteration in original). After an in camera review, the court reasoned that" [i]t is . .. more likely than not, if not highly likely[,] that [Clark Hill] would have conducted [an] investigation into the attack's cause, nature, and effect irrespective of the prospect of litigation." Id. at *6-7 (quotations and citations omitted) (second, third, and fourth alterations in original).
Nonetheless, the firm argued that it had employed a two-track investigation; the first of which was conducted by another cybersecurity vendor and documents from that investigation were turned over to plaintiff. Id. at *7. The report and other documents from the second investigation, initiated by outside litigation counsel, should be protected since the investigation was purely for the prospect of litigation. Id. at *6-7. The court rejected that argument and explained:
The problem for the defense here is that its two-track story finds little support in the record. The firm offers no sworn statement averring that eSentire conducted a separate "investigation" with the purpose of "learn[ing] how the breach happened" or facilitating an "appropriate[]" response. The closest it comes is an equivocal statement by Eric Rouseau, its Director of Information Security, that "[b]ecause of eSentire's work, Clark Hill did not need the Duff & Phelps report for business continuity." That is not the same as stating that eSentire conducted its own inquiry to (in the words of Defendant's brief) help Clark Hill "ascertain the nature and remediate the effects of the attack."Id. at *8-9 (internal citations omitted) (alterations in original). The court went on to explain that "there is no evidence that eSentire ever produced any findings, let alone a comprehensive report like the one produced by Duff & Phelps, about 'the problem that allowed the breach to occur' or any recommendations to 'ensure such a breach [cannot] happen again.'" Id. at *6. Indeed, the court found that the subject report was shared not just with outside and in-house counsel, but also with select members of the firm's leadership and IT team, as well as the FBI. Id. at *12. Based on these facts, the court concluded that "the Report was shared this widely because it was the one place where [defendant] recorded the facts of what had transpired." Id. (quotations omitted). Indeed, the court was not convinced by the vendor's engagement letter with outside litigation counsel; rather, the court was persuaded that the vendor had a more far-reaching role than merely assisting outside counsel in preparation for litigation. Id. at *13. Importantly, the court found that "it is Clark Hill's burden to demonstrate that a substantially similar document to the Duff & Phelps Report would not have been produced in the absence of litigation, and it has fallen well short of doing so." Id. at *14.
With respect to attorney client privilege, the court found that it did not apply because the firm's "true objective was gleaning [vendor's] expertise in cybersecurity, not in 'obtaining legal advice from [its] lawyer.'" Id. (alteration in original). Importantly, the court expounded:" [a]t a minimum, Defendant has not demonstrated that the opposite is true. [Vendor] undertook a full investigation-the only one apparently commissioned by [the firm] - with the goal of determining how the attack happened and what information was exfiltrated .... And it was shared with both [the firm's] IT staff and the FBI, presumably with an eye toward facilitating both entities' further efforts at investigation and remediation." Id. at *16.
In In re Target Corp. Customer Data Sec. Breach Litig., the plaintiffs sought documents prepared by Verizon, the third-party cybersecurity vendor hired by Target as a result of a cyberattack No. 14-2522, 2015 U.S. Dist. LEXIS 151974, at *3-4 (D. Minn. Oct. 23, 2015). Target initiated a two-track investigation. Id. at *7. "On one track, it conducted its own ordinary-course investigation, and a team from Verizon conducted a non-privileged investigation on behalf of credit card companies." Id. The first track was initiated such that Target and Verizon could learn how the breach occurred and how Target could appropriately respond. Id. "On the other track, Target established its own task force and engaged a separate team from Verizon to provide counsel with the necessary input." Id. Target claimed that any information gathered by the latter task force is protected by the attorney client privilege and the work-product doctrine. Id.
The court denied the plaintiffs' motion to compel, reasoning that "the work of the [second track investigation] was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target's in-house and outside counsel about the breach so that Target's attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow." Id. at *11. The court found that"[p]laintiffs have not demonstrated that without these work-product protected materials they have been deprived of any information about how the breach occurred or how Target conducted its non-privileged or work-product protected investigation. Target has produced documents and other tangible things, including forensic images, from which Plaintiffs can learn how the data breach occurred and about Target's response to the breach." Id. at *12.
In In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F.Supp.3d 1230, 1240 (D. Or. 2017), as with other data breach cases, the plaintiffs sought documents related to third-party vendor (Mandiant) work on a data breach investigation and remediation, including the vendor's work for defendant. According to the defendant these documents contained information requested by counsel, including information relating to technical aspects of the breach and its mitigation, company policies, public relations and media matters, and remediation activities. Id. at 1242. The third-party vendors were retained by the defendant's outside counsel. Id. The defendant argued that the documents were properly withheld as privileged. Id.
Based on the totality of the circumstances, the court rejected defendant' privilege argument, explaining that defendant "has not shown that the documents were created because of litigation rather than for business reasons, or that the documents would not have been created in substantially similar form but for the prospect of litigation." Id. at 1244 (quotations and citations omitted). Indeed, the court cautioned that "delegating business functions to counsel to oversee does not provide work-product protection to the materials created for those business functions." Id. at 1245. The court found significant that "Mandiant was hired in 2014 to perform a scope of work for [defendant], not outside counsel. That scope of work did not change after outside counsel was retained. The only thing that changed was that Mandiant was now directed to report directly to outside counsel and to label all of Mandiant's communications as 'privileged/ 'work-product/ or 'at the request of counsel/" Id.
In Maldondo v. Solara Med. Supplies, LLC, No. 20-12198, 2021 U.S. Dist. LEXIS 258382 (D. Mass. June 2, 2021), the plaintiffs moved to compel non-party Charles River Associates ("CRA") to comply with a subpoena issued by the United State District Court for the Southern District of California. The underlying case concerned a data breach. Immediately after the breach was discovered by defendant-company, the company began preparing for the inevitable lawsuits that were to follow by engaging a law firm, Mullen Coughlin LLC, to provide legal counsel in relation to the incident. Id. at *2. According to the company, Mullen Coughlin hired CRA to perform a privileged forensic investigation into the incident to assist the attorneys in providing legal advice to the company. Id. Importantly, CRA never provided the company and Mullen Coughlin with a report, rather, it communicated findings verbally throughout the investigation, which guided Mullen Coughlin in providing legal advice to the company as to its rights and obligations. Id. at *3.
However, the company also had a separate track investigation from the same vendor. This investigation's primary purpose was to prepare a report for the Federal Trade Commission ("FTC") with information to assist FTC for regulatory purposes. Id. at *4. The company did not dispute that the plaintiffs should receive the reports produced under this second investigation, and all the data the investigator relied on in writing those reports. Id. at *5.
The court credited the company's assertion that Mullen Coughlin was hired in order to prepare for the inevitable lawsuits that followed the data breach, and that Mullen Coughlin required the services of experts at CRA to perform a forensic investigation into the cyberattack to assist it in providing legal advice to the company. Id. at *12-13. The court commented that "one cannot imagine an attorney providing advice to a company faced with the complex litigation and regulatory issues resulting from a data breach, particularly where individuals' personal medical data is involved, without having a technical expert assist the attorney in investigating the facts." Id. at *13. As for the business purpose, the court found persuasive that the company instituted a second investigation that informed the company of regulatory matters stemming from the FTC's request. Id. at *12.
Cited earlier, a recent District of New Jersey case is helpful. See In re Am. Med. Collection Agency, Inc., 2023 U.S. Dist. LEXIS 223286. In this case, a suit arose from an alleged data breach of non-party American Medical Collection Agency ("AMCA"), a medical billing collection company that defendants, which are clinical diagnostic laboratories and related entities, retained as their collections vendor. After the alleged breach, AMCA's outside counsel, Hinshaw & Culbertson LLP ("Hinshaw"), engaged Charles River to perform a forensic review of AMCA's internal systems. Id. at *25. "During its investigation, Charles River generated at least three reports concerning its findings, including: (1) a two-page 'AMCA Summary Analysis'; (2) the five-page Forensic Analysis; and (3) the full CRA Report." Id. "The Forensic Analysis, which was characterized as a summary of the longer CRA Report," was previously produced to the plaintiffs and defendants. Id. The CRA Report is "a second, more substantive forensic analysis report" that provides further detail regarding Charles River's investigation of the breach and the circumstances surrounding it. Id. at *26. Both the plaintiffs and defendants sought production of the CRA Report and all underlying factual materials that Charles River relied on in creating the Report, including the materials referenced in the five-page Forensic Analysis. Id. at *28.
As indicated supra, authored by the Magistrate Juge, this opinion was recently affirmed by the District Court.
AMCA argued that the CRA Report is protected by the attorney client privilege because AMCA's outside counsel, Hinshaw, engaged Charles River pursuant to a Kovel agreement. Id. at *40. AMCA explained that "Hinshaw retained Charles River to act as a translator of AMCA's technical data to help counsel provide legal advice in anticipation of litigation." Id. at *41. The plaintiffs responded that the CRA Report is not privileged, because it was created for a business purpose, not made for litigation. Id. Specifically, the plaintiffs argued that Charles River was engaged to discover the scope and manner of the breach such that AMCA could comply with its contractual obligations to notify its clients, the defendants, of the breach, and to make a determination as to how it could augment its data security and continue as a business. Id.
The court explained that the first inquiry is to carefully scrutinize "whether the third-party is intrinsic to the communication and understanding of legal advice, as opposed to acting in some other capacity." Id. at *42. On this point, the court held that "AMCA has not provided reliable evidence to demonstrate that Hinshaw retained Charles River either to translate or interpret attorney-client communications between AMCA and Hinshaw." Id. at *45. Instead, the court found that the record establishes that Charles River conducted a full-scale forensic analysis of the data breach to determine its manner, scope, and whether personal identifying information and personal health information had been compromised and, if so, the extent of the compromise. Id. It was clear to the court then that Charles River assisted AMCA in understanding how the breach occurred and its scope, and endeavored to develop improvements to AMCA's systems to allow AMCA to continue its business operations. Id. at *46. Accordingly, the court found that by Charles River's own account, its role was investigatory, not to translate or interpret information that AMCA gave to Hinshaw. Id. at *46-47. The court further noted that "AMCA had to conduct this investigation in order to protect its own interests and operations. But beyond that, AMCA also had a contractual obligation to Defendants to investigate and remediate the breach." Id. at *47. Ultimately, the court found that the documents sought by the parties were not protected by attorney client privilege. Id. at *66-67.
In In re Dominion Dental Servs. United States, plaintiffs sought to compel Dominion National defendants to produce a report created by Mandiant in the wake of a data breach. 429 F.Supp.3d 190 (E.D. Va. 2019). Defendants opposed the motion, claiming that the Mandiant report was created to inform legal counsel and for litigation strategy, and is therefore privileged and protected work product. Id. at 191. Mandiant had an ongoing relationship with defendants before the data breach occurred. Id. Indeed, based on this relationship, defendants relied on Mandiant to provide computer incident response support, digital forensics support, advanced threat actor support and advance threat/incident assistance. Id. The court noted that when Dominion received an alert regarding a potential intrusion of its computer systems, Dominion and Mandiant's relationship existed and their agreement had not expired. Id. at 192. After the data breach Mandiant entered into another statement of work with the law firm BakerHostetler. Id. at 191. This document incorporated the existing statement of work between Mandiant and defendants. Id. at 191-92. Mandiant concluded its investigation and submitted its final report, which defendants used to form talking points with their clients and discussions with state regulators. Id. at 192. Based on these particular facts, the court found that the driving force in rendering the Mandiant Report was not litigation, but for business purposes. Id. at 194.
Finally, and more recently, the court, in Lenoard v. McMenamins Inc., rejected defendant's claim of attorney client privilege and work product doctrine to a report prepared by Stroz. No. 22-0094, 2023 U.S. Dist. LEXIS 217502, at *2 (W.D. Wash. Dec. 6, 2023). In December 2021, defendant suffered a ransomware attack that may have affected the personal information of certain current and previous employees. Id. at *1. The defendant retained Stoel Rives LLP to represent it for the purposes of the ransomware attack. Id. at *1-2. That same month, Stoel Rives hired Stroz to provide consulting and technical services. Id. at *2. In May 2022, Stroz published an investigative report. Id. In January 2022, plaintiffs, current and former employees of defendant, filed a putative class action against defendant, and sought production of the Stroz report, which defendant argued was protected under the attorney client privilege and work product doctrine. Rejecting the assertion of privilege, the court granted plaintiffs' motion. Id. at *2-3.
As to work product, the court advised that it reviewed "the totality of the circumstances to determine whether the document was created because of anticipated litigation, and would not have been created in substantially similar form but for the prospect of litigation." Id. at *5 (internal quotations, citations and brackets omitted). The court further noted that "[u]nder this standard, where a document would have been created in a substantially similar form regardless of potential litigation, work product protection does not apply." Id. at *5-6. Similarly, the court rejected defendant's assertion of attorney client privilege for the same reason: the subject report does not provide legal advice. Id. at *12.
III. Analyses of Attorney Client Privilege and Work Product Doctrine
A. Attorney Client Privilege as Applied to the Stroz Materials
The inquiry as to the attorney client privilege focuses on "if the advice sought [by Samsung] is [Stroz's] rather than [Hunton's], no privilege exists" over the Stroz Materials. Kovel, 296 F.2d at 922. Indeed, because Stroz is a professional consulting firm capable of rendering advice independent of counsel's advice to Samsung, Defendant, as it bears the burden of showing the privilege applies, must demonstrate that Stroz served some specialized purpose facilitating the attorney client communications and was essentially indispensable in that regard. See Cellco P'ship, 2006 U.S. Dist. LEXIS 28877, at *5. In other words, I must scrutinize whether the Stroz Materials were intrinsic to the attorney client communication and the understanding of legal advice being rendered to Samsung, as opposed to some other business purpose. See In re Am. Med., 2023 U.S. Dist. LEXIS 223286, at *42.
As the data breach cases, including this case, demonstrate, facts matter in these privilege disputes. Because the Third Circuit has instructed that the attorney client privilege must be assessed on a case-by-case basis and construed narrowly, having surveyed nationwide data breach cases, I find helpful to delineate various factors that shape my determination:
1. Type of services rendered by the third-party consulting firm to outside counsel;
2. The purpose and scope of the investigation as evidenced by the investigative materials or the services contract between outside counsel and third-party consulting firm;
3. Existence of a two-track investigation commissioned by the impacted company;
4. The extent of a preexisting relationship between the impacted company and the third-party consulting firm;
5. The extent to which the third-party consulting firm's investigative materials were shared with members of the impacted company and/or any other outside entities, including the government; and
6. Whether the third-party consulting firm's investigative services assisted the law firm in providing legal advice to the impacted company; put differently, whether the purported privileged materials would not have been created in the ordinary course of business irrespective of litigation.
While this list is certainly not exhaustive, it serves as my starting point in the analysis.
In Samsung's telling, it retained Hunton to provide legal advice on Samsung's obligations in response to the cybersecurity incident and in anticipation of litigation and regulatory inquires. There is no dispute that law firms routinely hire third-party consultants to advise them on the technical aspects of a cyberattack in order to render legal advice to the impacted entity. But the mere fact that Hunton hired Stroz to perform an investigation is not dispositive. Rather, the inquiry often centers on whether the services performed by the consulting firm went beyond merely interpreting the technical aspect of the data breach for the purpose of assisting counsel in forming legal advice. On this point, Plaintiffs insist that the record establishes that Samsung's true objective was to solicit Stroz's expertise in cybersecurity, not in obtaining advice from its lawyer.
To begin, I start with the Engagement Letter between Hunton and Stroz. Based on the parties' engagement, they agreed that Stroz's work is to "enable Counsel to render legal advice to Client [Samsung] regarding a potential security issue and/or, where applicable, in anticipation of litigation, a regulatory inquiry or an internal investigation." (Engagement Letter, p. 2.) Based on attorney client privilege, they further agreed to keep their communications and documents confidential. (Id.) The language of the agreement suggests that Hunton engaged Stroz to support "counsel's rendering of informed legal advice to [Samsung]." (Id.) And, Samsung stresses that Stroz was not retained for business purposes as evidenced by the fact that Stroz did not assist in any remediation efforts or active threat monitoring of a live database. Rather, Stroz was given only [Redacted] to determine how the cyberattack occurred. While the Engagement Letter may have set forth Hunton's intention in hiring Stroz, the actual services performed, and the documents prepared, must also be considered to determine the purpose of the Stroz Materials. See In re Am. Med., 2023 U.S. Dist. LEXIS 223286, at *45 ("But the agreement notwithstanding, AMCA still bears the burden of establishing that application of Kovel is proper.").
In its initial briefing and certifications, except for the work subject to the Engagement Letter, there was no information as to whether Stroz had a preexisting or prior relationship with Samsung. This fact, of course, is important in my assessment as is evident from caselaw. I inquired about this issue during the hearing and it was one of the open questions that Samsung addressed in its supplemental certification from Sundaram According to Sundaram, "Stroz was not engaged by Samsung or doing any work related to Samsung when it was approached by Hunton to assist Hunton with the Security Incident." (Sundaram Decl., ¶ 6.) [Redacted], Defendant did not have any services agreement or ongoing relationship with Stroz during the subject data breach. (Id.).
In this context, Samsung falls short of its burden. Although Samsung carefully cabins Stroz's investigative objectives, it is evident from my in camera review of the Stroz Materials that Stroz conducted a forensic analysis of the data breach to determine: 1) what data was accessed or exfiltrated; 2) what malware or other mechanisms were placed in the system; 3) the scope of the security breach; 4) indicators of compromise; and 5) the initial entry point. The Stroz Materials detailed each of these findings, and Stroz assisted Hunton and Samsung in understanding how the breach occurred and its scope.
It is noteworthy that while Samsung claims that Stroz was not involved in any remediation efforts during its initial investigation, Stroz was later retained to perform threat monitoring. In fact, appended to its Engagement Letter, is a list of services to be performed by Stroz; one of the items is [Redacted] which includes “Threat Intelligence Support & OpenCTI Ingestion.” (Engagement Letter, Ex. B, “Statement of Work.”).
Samsung argues that Stroz's investigation was necessary, because its counsel had to rely on Stroz's technical knowledge and investigative conclusions to give legal advice in anticipation of, and during, litigation. This would include, for example, who should receive notice of the breach and the scope of that notice. As a general matter, it is often the case that attorneys solicit the assistance of a technical expert in these data breach matters to effectively provide legal representation, both at the outset and as the facts develop. However, assuming the Stroz Materials assisted Hunton, there may nonetheless also be dual purposes underlying the preparation of a particular document, i.e., for both litigation and business purposes. In this instance, I am tasked with determining "the driving force behind the preparation of the requested documents" and "whether the document would have been created in essentially the same form in the absence of litigation, or the alternative, whether the document would not have been prepared in substantially similar form but for the prospect of that litigation." In re Dominion, 429 F.Supp.3d at 193 (quoting Adlman, 134 F.3d at 1195)(quotations omitted).
As my in camera review of the Stroz Materials revealed, the documents contain investigative facts. Indeed, "discovering how [a] breach occurred [is] a necessary business function regardless of litigation or regulatory inquiries." Wengui, 338 F.R.D. at 11. In re Premera, 296 F.Supp.3d at 1245. On this point, Samsung, in its supplemental certification from Sundaram, Head of Engineering for Digital Commerce, states that Samsung itself "conducted an internal investigation into the potential causes and scope of the [Cyberattack], and remediated issue. As part of this internal investigation, Samsung discovered on August 4, 2022, that certain personal information of its customers was affected." (Sundaram Decl., ¶ 2.) This is the sum total of Samsung's description of its purported internal investigation that preceded Stroz's work. Comparing its investigative efforts to those in In re Target, Samsung argues that because the Stroz investigation is separate and apart from Samsung's internal investigation, it is evident that Stroz's subsequent examination was not undertaken for a business purpose. Based on the current record, I cannot agree.
The separateness of the investigations is not the only relevant inquiry. As the court in In re Target explained, Target's two track investigation was well documented and the non-privileged investigations conducted by Target itself and Verizon, the third-party consulting firm, were "set up so that [they]... could learn how the breach happened and Target (and apparently the credit card brands) could respond to it appropriately," while the other track educated Target's lawyers about the breach such that they could provide Target with legal advice. In re Target, 2015 U.S. Dist. LEXIS 151974, at *7. Here, the Stroz Materials clearly set forth Stroz's process in determining how the data breach occurred, indicators of compromise and initial point of entry by the hacker. In other words, Stroz conducted what appears to be a comprehensive examination of the breach and its scope using [Redacted] The substance of this third-party investigation calls into question Samsung's argument that its own internal inspection, not described in any detail, overlapped with Stroz's, particularly since there is no indication that Samsung generated a separate, non-privileged report for its business use.
Samsung argues that because the parties are not engaged in full discovery, the privilege analysis, here, does not depend on whether documents were prepared as part of a separate, non-privileged internal investigation. While Samsung need not produce any non-privileged report at this time, knowing its burden on the assertion of attorney client privilege, identifying the existence of an internal report or the existence of documents underlying its investigation, would certainly buttress its argument that the Stroz Materials were generated for a separate and distinct purpose-for litigation or legal purposes. However, Samsung has not made such a proffer, even after having been given another opportunity to describe its two-track investigative efforts.
More compellingly, the number of, and positions held by, the Samsung personnel who appeared at more than ten PowerPoint presentations conducted by Stroz also cast doubt on Samsung's position that the outside investigation was not for a business purpose. As indicated above, and it bears repeating, the following Samsung employees were present during one or more of the presentations: Security specialist, Chief Privacy Officer, Head of Engineering for Digital Commerce, General Counsel, Principal Legal Counsel, Director & Senior Counsel, Security Policy Planning, Senior Security Manager, Senior Vice President eCom Platform, Senior Director of Data Platform, Principal Architect, Senior Director of Consumer Driven Marketing and Senior Product Manager of Consumer Driven Marketing. (Sundaram Decl., ¶ 3.) Moreover, the Stroz Analysis, which contains conclusions regarding the background and potential scope of the data breach incident, was shared with fifteen different high-level executives, including Samsung's security response team. (Id., ¶¶ 5-6.) The breadth of Samsung's involvement or participation in Stroz's process and the wide dissemination of the Stroz Analysis undermine Samsung's assertion that Stroz was only retained to provide technical interpretation for the benefit of Hunton. See Lenoard, 2023 U.S. Dist. LEXIS 217502, at *9, *11-12 (considering as a factor that the third-party consulting report was shared with leadership and IT of the impacted company in concluding that the report was not protected work product or shielded by the attorney client privilege); Wengui, 338 F.R.D. at 13 (finding probative that the impacted company "admit[ed] that the [third-party] Report was shared not just with outside and in-house counsel, but also with 'select members of [the company's] leadership and IT team'").
I am not persuaded by Samsung's contention that it was necessary for non-legal executives to be involved in the Stroz's investigative process, because their involvement was necessary to share information with Stroz to "facilitate legal advice." (See Samsung Supp. Br., p. 3.) Based on my review of the Stroz PowerPoint, at each of the meetings with Stroz, Samsung personnel were seemingly receiving information from Stroz based upon reviews of [Redacted]. While I was not provided any insight as to the communications or exchanges during these meetings, I have no basis on which to find that these various employees were providing information to Stroz or otherwise facilitating Hunton during these substantive presentations. Indeed, Sotto described that during these meetings, "Stroz presented and summarized its cumulative findings to Hunton and 'select' Samsung personnel... ."(Sotto Decl., ¶ 8.) Contrary to Samsung's position, it is also of no moment that during these presentations, Stroz did not share any remedial recommendations or involve itself in any active monitoring of Samsung's databases. As caselaw makes clear, and as a matter of logic, after a cyberattack, companies must be apprised of how data compromise occurred in order to properly remediate the issue. In re Premera, 296 F.Supp.3d at 1245 ("discovering how breach occurred [is] a necessary business function regardless of litigation or regulatory inquiries"). In other words, the fact that Stroz did not provide any remediation services does not diminish the business purpose of the investigation it conducted. The critical missing fact here is that Samsung never represented that it was fully aware and informed from its own investigation as to the how the breach occurred, the scope of the breach, the point of entry and the indicators of compromise, such that Stroz's work was performed to primarily benefit the company's counsel-rather, the opposite is true.
Samsung further argues that Hunton retained Stroz to enable Hunton to understand detailed technical information already in Samsung's possession. Although I have no doubt that Stroz did in fact perform that function, the evidence also strongly indicates that the consulting firm provided the same service to Samsung.
Finally, another indicator that the Stroz Materials, particularly the FBI Update, were prepared for business reasons-even if also to advise counsel-is that the conclusion, manner and scope of Stroz's investigation were used to draft the FBI Update, which was sent in response to the FBI's inquiry of the data breach. By disclosing this information to the FBI, it is evident that Stroz's investigation is more likely the only one that detailed how the breached occurred. Indeed, if Samsung had conducted its own investigation, it could have utilized those findings to respond to the FBI's inquiry. Instead, Hunton relied on Stroz to draft answers to the FBI's questions. See Wengui, 338 F.R.D. at 14 ("[the third-party report] was shared with both Clark Hill IT staff and the FBI, presumably with an eye toward facilitating both entities' further efforts at investigation and remediation"). This further belies Samsung's position that Stroz's investigation served no business purpose.
Separately, I note that the FBI Update, itself, is not protected by attorney client privilege. As a regulatory matter, after the data breach, the FBI requested Samsung to provide [Redacted] (Sotto Decl., ¶ 12.) With Stroz's assistance, Hunton responded on Samsung's behalf. For the FBI Update to qualify for attorney client privilege, Samsung cannot simply rely on the fact that Hunton corresponded with the FBI on its behalf; instead, Samsung must show that the information contained in the FBI Update is confidential information subject to the privilege. On this showing, Samsung has not met its burden. As I have explained supra, the underlying information forming the basis of the FBI Update was more likely created for a business purpose. Samsung has not explained how Hunton used that information to somehow transform non-privileged investigative facts and conclusions into attorney-client communications. Rather, the sole reason that Samsung argues that the FBI Update is a privileged communication stems from its unpersuasive contention that all of the Stroz Materials should be shielded as they are created for Hunton's benefit. Beyond that, the only other reason Samsung provides is that Hunton "reviewed" Stroz's draft of the Update before it was submitted to the FBI. Samsung does not provide any details or context of what the review entailed or how the counsel's review of the draft Update related to a litigation purpose. Furthermore, Samsung does not cite to any authority to support the position that as a general matter, regulatory disclosures made by companies to a governmental agency are privileged. In that respect, the communications with the FBI or the creation of the FBI Update was not for a litigation purpose or otherwise related to any attorney legal advice. As such, the attorney client privilege does not apply.
Relatedly, the Third Circuit has held that in certain circumstances, disclosure of otherwise protected documents to government agencies waives the attorney-client privilege and the work-product doctrine. See Westinghouse, 951 F.2d at 1431. The threshold issue here is whether the FBI Update is a privileged document.
For the same reasons, the work product doctrine is also inapplicable, because the FBI Update was not created in anticipation of litigation.
Based on the foregoing, this case is unlike the facts presented in both Experian and Target, decisions on which Samsung heavily relies. As mentioned above, Target had engaged in a two-trackinvestigation of the subject data breach. On one track, it conducted its own business investigation to learn "how the breach happened and [how] Target could respond to it appropriately." In re Target, 2015 U.S. Dist. LEXIS 151974, at *7. Information from this investigation was not privileged and was produced. On the second track, "Target established its own task force and engaged a separate team from Verizon to provide counsel with the necessary input." Id. Materials from this second track were withheld as privileged. While Samsung attempts to draw similarities to Target by having conducted its own internal investigation, as discussed above, the evidence suggests otherwise. Unlike Target, there are no details, here, on what the internal investigation entailed that would either be different or similar to Stroz's and the results of any such investigation. Put differently, on this motion, Samsung has failed to establish that its internal investigation generated information that is separate and apart from the Stroz investigation. As such, Target does not lend support to Samsung's position. See Wengui, 338 F.R.D. at 10 ("there is no evidence that eSentire, [which conducted an internal investigation], ever produced any findings, let alone a comprehensive report like the one produced" by the third-party consulting firm).
Likewise, Experian does not counsel a different result. As discussed earlier, the court, there, held that because the third-party consultant's full report was not shared with Experian, it was more likely that the report was created to aid the firm in providing legal advice. In re Experian, 2017 U.S. Dist. LEXIS 162891, at *22. Here, the same is not true. As previously discussed, the involvement of Samsung's high-level executives, including security and privacy personnel, in Stroz's PowerPoint presentations, and their receipt of the Stroz Analysis, distinguishes this case from Experian.
In conclusion, while Samsung maintains that Hunton directed and controlled Stroz's investigation, the mere delegation of certain business functions to an attorney is insufficient to shield otherwise unprotected factual investigation from discovery. Allied Irish Banks v. Bank of Am., N.A., 240 F.R.D. 96, 99 (S.D.N.Y. 2007) ("That [the plaintiff] hired a law firm to 'assist' in the investigation is of no moment.... A party may not insulate itself from discovery by hiring an attorney to conduct an investigation that otherwise would not be accorded [with] protection.") (cleaned up). Here, Samsung has not provided sufficient evidence that Hunton retained Stroz to create the Stroz Materials in order to either translate or interpret attorney client communications between Samsung and Hunton; rather, the fact that Hunton hired Stroz to perform that particular business function does not shield the Stroz Materials from production based on attorney client privilege.
B. Application of the Work Product Doctrine to the Stroz Materials
For substantially the same reasons why the Stroz Materials are not protected by attorney client privilege, they are not protected under the work product doctrine. To qualify as work product, I must ascertain whether the Stroz Materials were created "in anticipation of litigation" and whether they were created "primarily for the purpose of litigation." As I have found, the Stroz Materials were created primarily for business purposes even if there was also a litigation purpose; indeed, "[t]he fact that 'the [Materials were] used for a range of non-litigation purposes' reinforces the notion that [they] cannot be fairly described as prepared in anticipation of litigation." Wengui, 338 F.R.D. at 12 (quoting Dominion Dental, 429 F.Supp.3d at 194). Accordingly, the Stroz Materials also do not qualify as work product.
Because Defendant has not met its burden in establishing that the Stroz Materials are work product, I need not decide whether Plaintiffs would have a substantial need for the documents. But, if I were to reach that question, I would most likely answer in the negative, because Plaintiff would be able to conduct its own expert analyses of the [Redacted], just as Stroz had done. See In re Target, 2015 U.S. Dist LEXIS 151974, at *11.
C. The Stroz Draft Memorandum
The Stroz Draft Memorandum stands on a different footing than the Stroz Materials. After Stroz's investigation was completed at the end of 2022, Hunton asked Stroz to prepare-five months after litigation began-a memorandum setting forth its investigative analyses, such that Hunton may rely upon it to provide legal advice to Samsung. Stroz, in turn, prepared the draft memorandum and showed only portions of it during a video call with Hunton. According to Samsung, the Hunton Memorandum, which Plaintiffs acknowledge is protected and have not sought its production, contains counsel's "mental impression and determinations of the information that [counsel] deemed important to convey to Samsung regarding the Security Incident... ." (Solomon Decl., ¶ 9.) Significantly, the Stroz Draft Memorandum was not shared with any Samsung personnel. As I have found, supra, Stroz created documents, i.e., Storz Materials, that were for business purpose, but it also drafted documents that assisted Hunton in providing legal advice. The Stroz Draft Memorandum is one such example. I find that the Stroz Memorandum is protected by attorney client privilege.
Because I find that the Stroz Draft Memorandum need not be produced based on the attorney client privilege, I do not separately analyze whether it is protected under the work product doctrine.
IV. Waiver
"A party may waive privilege, whether attorney-client or work product, through various actions including purposeful disclosure, partial disclosure, and careless disclosure." In re Am. Med., 2023 U.S Dist. LEXIS 223286, at *50. In that regard, "a client generally waives the privilege if he or she voluntarily discloses the privileged communication to a third party/' id. (citation omitted), or "fails to take reasonable measures to ensure the confidentiality of communications with counsel." Id.
If the court determines that a waiver has occurred, it must then determine the scope of that waiver. "When a disclosure waives privilege or work-product protection, that waiver will extend to undisclosed documents or communications if: (1) the waiver is intentional; (2) the disclosed and undisclosed communications or information concern the same subject matter; and (3) they ought in fairness be considered together." Shire LLC v. Amneal Pharms., LLC, No. 11-3781, 2014 U.S. Dist. LEXIS 53802, at *18 (D.N.J. Jan. 10, 2014).
Here, Plaintiffs argue that by sending the FBI Update to the Agency, Samsung has waived its privilege under attorney client and work product. In response, Samsung does not rely on common law principles of waiver; rather, it relies on 6 U.S.C. § 1504(d) in arguing that it has not effectuated a waiver. That statute provides:
(d) Information shared with or provided to the Federal government.
(1) No waiver of privilege or protection. The provision of cyber threat indicators and defensive measures to the Federal Government under this title [6 USCS §§ 1501 et seq.] shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.6 U.S.C. § 1504(d)(1).
There is no case law interpreting this provision of the statute. In fact, there is no decision commenting or discussing any provisions of 6 U.S.C. § 1504. Passed in 2015, the statute was enacted so that the Attorney General, along with Department of Homeland Security ("DHS"), can jointly "develop and submit to Congress [] policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government." Id. at § 1504 (a)(1), (2). Since the passage of this statute, DHS has issued guidance to non-federal agencies on sharing cyber threat indicators and defensive measures (the "Guidance"). The Guidance was last amended in October 2020.
The act defines a "cyber threat indicator" as information that is necessary to describe or identify: (A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability; (B) a method of defeating a security control or exploitation of a security vulnerability; (C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability; (D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability; (E) malicious cyber command and control; (F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat; (G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or (H) any combination thereof. Id. at § 1501(6) (referencing 6 U.S.C. § 650 (5)).
According to the Guidance, the statute's definitions of "cyber threat indicators" and "defensive measures" reflect categories of information used to protect and safeguard computer networks while assessing a threat, tracing the threat across the user's network and other networks, and mitigating and assessing harm. These definitions also include categories of information that may be useful to law enforcement. Examples include:
1. malware;
2. information regarding the intrusion vector and method of establishing persistent presence;
3. information regarding when unauthorized access occurred;
4. information regarding how the actor moved laterally within a network and how network protections were bypassed;
5. information regarding the type of servers, directories, and files that were accessed;
6. information regarding what was exfiltrated and the method of exfiltration; and
7. information regarding the damage or loss caused by the incident, including remediation costs.(Guidance, pp. 30-31.)
Relevant here, the Guidance further provides:
CBA 2015's protection against a waiver of privilege is broad and covers common law privileges. CBA 2015 provides that "[t]he provision of cyber threat indicators and defensive measures to the Federal Government under this subtitle shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection." Section 1504(d)(1). CBA 2015's privilege protections apply to cyber threat indicators and defensive measures shared in accordance with CBA 2015 ..
Because the waiver provision reaches "any applicable privilege or protection," it applies in all circumstances where state or Federal privileges and protections may be invoked, to the extent a claim of waiver is based on disclosure of the information to the Federal Government. This includes protections recognized under common law, such as the attorney-client and work product privileges.(Id. p. 35.)
Here, to invoke the protection under § 1504(d)(1), Samsung must establish that the information it shared (1) falls within the definition of either "cyber threat indicators" or "defensive measures; and (2) the information was shared with a federal governmental entity. Both the plain language of the statute and DHS's Guidance confirm that the information in the FBI Update satisfies the requirements. Indeed, [Redacted] These types of information fall within the ambit of the statute. As such, I find that no general waiver of privilege occurred by sharing the Update with the FBI.
Based on my findings, the wavier argument has limited applicability here since I have found that privilege only attaches to the Stroz Draft Memorandum. Because I conclude that § 1504(d)(1) creates an exception to waiver in this instance, the Stroz Draft Memorandum need not be produced based on waiver.
CONCLUSION
For the reasons set forth above, Defendant' motion is GRANTED in part and DENIED in part. Defendant is directed to produce the following documents: 1) Stroz PowerPoint; 2) Stroz Analysis; and 3) FBI Update, with the appropriate redactions directed by the FBI. Stroz Draft Memorandum, however, is subject to attorney client privilege. Pursuant to Fed.R.Civ.P. 53(f), the parties have 21 days to object to this Order.