Internal investigations merit privilege protection if their primary motivation is legal advice, and work product protection if primarily motivated by anticipated litigation. The U.S. District Court in Oregon, however, recently rejected a company’s privilege and work product claims arising from an internal data breach investigation. Premera Blue Cross had hired consultant Mandiant to review its claims data management system. When Mandiant discovered malware, Premera quickly retained outside counsel and shifted supervision of Mandiant’s work to them. The company argued that Mandiant was working on behalf of an attorney and therefore merited protection. The court, however, disagreed, noting that the scope of Mandiant’s work did not change after outside counsel was retained, only the identity of its supervisor. The lesson, therefore, of In re Premera Blue Cross Customer Data Security Breach Litigation is that maximizing protection for internal investigations requires careful documentation of the company’s need for legal advice or anticipation of litigation. That starts, of course, with its retainer letters for law firms and consultants, but all documents created before, during and after investigations should help establish the necessary motivational elements.
Published March 6, 2018.