Chief Magistrate Judge Karoline Mehalchick issued a ruling this morning in our data breach action pending against Defendant Rutter’s, Inc., granting our motion to compel Rutter’s to produce an investigative report completed by Kroll Cyber Security, LLC (“Kroll”) which was created after Rutter’s was notified of a potential data breach. Rutter’s had withheld the Kroll Report on the basis of privilege, claiming that the Report was protected by both the work product doctrine and the attorney-client privilege. Chief Judge Mehalchick disagreed. Particularly, Chief Judge Mehalchick rejected Rutter’s contention that the “primary motivating purpose” behind the creation of the Kroll Report was the anticipation of litigation, pointing to the description of services in the “statement of work” and Rutter’s own corporate deponent’s deposition testimony as supporting the fact that Rutter’s did not have a unilateral belief that litigation would result at the time it requested the Kroll Report. Since Rutter’s corporate designee testified that “Kroll would have … done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed six months later,” the Chief Judge reasoned, it cannot be said that the “primary motivating factor” behind the creation of the Kroll Report was to aid in identifiable or impending litigation. Chief Judge Mehalchick also concluded that the Kroll Report was not protected under the attorney-client privilege because Rutter’s did not establish that the Kroll Report and related communications involved “presenting opinions and setting forth … tactics” rather than discussing facts. Thus, Rutter’s did not carry its burden of establishing that the Kroll Report and related communications between Kroll and Rutter’s had a primary purpose of providing or obtaining legal assistance for Rutter’s. Accordingly, Chief Judge Mehalchick ordered production of the Kroll Report and corresponding communications within fourteen days of the July 22, 2021 order.
The case is In re Rutter’s Data Security Breach Litigation, No. 20-cv-382, pending in the Middle District of Pennsylvania before Chief Judge John E. Jones III and Chief Magistrate Judge Karoline Mehalchick. A link to the opinion can be found here.