Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Target Corporation Customer Data Security Breach Litigation

United States District Court, D. Minnesota

October 23, 2015

In re Target Corporation Customer Data Security Breach Litigation. This document relates to Financial Institution Actions.

          ORDER

          JEFFREY J. KEYES, UNITED STATES MAGISTRATE JUDGE

         This matter is before the Court on the Plaintiffs' request for the Court's intervention in compelling Target to produce certain documents that Target withheld from production and identified on its privilege log. Plaintiffs assert that Target improperly raised claims of attorney-client privilege and work-product protection for the items identified on the privilege log. (Doc. No. 593, Pls.' Letter Br.; see also id., Appendix A, Pls.' Privilege Log Challenges (raising challenges to 370 entries on Target's initial privilege log).) Plaintiffs assert that Target improperly asserted privilege and work-product claims for items relating to a group called the Data Breach Task Force, which Target established in response to the data breach that precipitated this multi-district litigation. Plaintiffs also contend that Target improperly asserted privilege and work-product claims for communications with and documents prepared by Verizon. Target retained Verizon to investigate the data breach. Plaintiffs argue that these communications and documents at issue are not protected by the attorney-client privilege and the work-product doctrine because “Target would have had to investigate and fix the data breach regardless of any litigation, to appease its customers and ensure continued sales, discover its vulnerabilities, and protect itself against future breaches.” (Pls.' Letter Br. 3-4.)

         Target opposes the Plaintiffs' motion to compel production of these allegedly privileged and work-product protected communications and documents, and filed a letter brief (Doc. No. 599, Target's Letter Br.), along with several declarations and exhibits to substantiate Target's privilege and work-product claims (Doc. Nos. 600-04). Target asserts that the Data Breach Task Force was not involved in an ordinary-course-of-business investigation of the data breach. Rather, Target alleges that it established the Data Breach Task Force at the request of Target's in-house lawyers and its retained outside counsel so that the task force could educate Target's attorneys about aspects of the breach and counsel could provide Target with informed legal advice. (See Target's Letter Br. 1-2.) Target's Chief Legal Officer, Timothy Baer, Esq., explains that shortly after discovering the possibility that a data breach had occurred, Target retained outside counsel to obtain legal advice about the breach and its possible legal ramifications. (Doc. No. 600, Decl. of Timothy Baer, Esq. (“Baer Decl.”) ¶¶ 4-5.) Once Target publicly announced the breach, consumers filed several class action lawsuits against Target (id. ¶ 8), and in early January 2014, Target established the Data Breach Task Force “to coordinate activities on behalf of [Target's in-house and outside] counsel to better position the Target Law Department and outside counsel to provide legal advice to Target personnel to defend the company” (id. ¶ 9).

         With respect to Verizon, Target also explains that it has only claimed privilege and work-product protection for documents involving one team from Verizon Business Network Services, which Target's outside counsel engaged to “‘enable counsel to provide legal advice to Target, including legal advice in anticipation of litigation and regulatory inquiries.'” (Target's Letter Br. 4 (quoting Doc. No. 603, Decl. of Miriam Wugmeister, Esq. (“Wugmeister Decl.”) ¶ 11; see also Doc. No. 604, Decl. of Michelle Visser, Esq. (“Visser Decl.”) ¶ 3 n.1 (explaining that Ropes & Gray LLP was a party to an engagement letter entered into with a team from Verizon Business Network Services).) Meanwhile, another team from Verizon also conducted a separate investigation into the data breach on behalf of several credit card brands. (See Wugmeister Decl. ¶ 11; see also Doc. No. 602, Decl. of David Ostertag ¶ 10 (describing a separate investigation conducted by Verizon “on behalf of the payment card brands” and explaining that the Verizon teams did not communicate with each other about the substance of the attorney-directed investigation).)

         In other words, Target asserts that following the data breach, there was a two-track investigation. On one track, it conducted its own ordinary-course investigation, and a team from Verizon conducted a non-privileged investigation on behalf of credit card companies. This track was set up so that Target and Verizon could learn how the breach happened and Target (and apparently the credit card brands) could respond to it appropriately. On the other track, Target's lawyers needed to be educated about the breach so that they could provide Target with legal advice and protect the company's interests in litigation that commenced almost immediately after the breach became publicly known. On this second track, Target established its own task force and engaged a separate team from Verizon to provide counsel with the necessary input, and it is for information generated along this track that Target has claimed attorney-client privilege and work-product protection.

         Given the scope of the communications and documents at issue and so the Court would not be evaluating the parties' positions in a vacuum, on October 13, 2015, the Court ordered Target to provide certain documents for in camera inspection. (Doc. No. 618.) Specifically, the Court instructed Target to provide it with the documents identified in the bulleted list on pages 4 and 5 of the Plaintiffs' Letter Brief. Target provided the documents[1] in camera, and the Court has completed its in camera review. Based on that in camera review, the Court concludes that no hearing is required to decide the privilege and work-product issues raised as to the specific examples listed in Plaintiffs' Letter Brief. The Court limits its ruling in this Order to the specific privilege log entries that Target submitted for in camera review. The Court makes no ruling about any other entry on Target's privilege log. The parties may take guidance from this Order in their attempts to resolve their remaining disputes concerning Target's other claims of privilege and work-product protection.

         Accordingly, IT IS HEREBY ORDERED that Plaintiffs' Motion to Compel (Doc. No. 593) is GRANTED IN PART and DENIED IN PART as follows:

         1. The motion is GRANTED IN PART to the extent it seeks production of the redacted information corresponding to Target's privilege log entries 763-64, and 988-89. Target redacted information in these email communications that are updates to Target's Board of Directors in the aftermath of the data breach. These redacted communications from Target's Chief Executive Officer merely update the Board of Directors on what Target's business-related interests were in response to the breach. Nothing in the record supports a claim for attorney-client privilege for these communications as they do not involve any confidential communications between attorney and client, contain requests for or discussion necessary to obtain legal advice, nor include the provision of legal advice. Nor does anything in the record support a claim of work-product protection for this Board of Directors update. None of Target's declarations demonstrates that this Board of Directors update was provided because of any anticipation of litigation within the meaning of Fed.R.Civ.P. 26(b)(3). Target must provide unredacted versions of the emails corresponding to privilege log entries 763-64 and 988-89 within 3 days of this Order.

         2. Otherwise, based on the Court's in camera review, and the declarations in support of Target's opposition, Plaintiffs' motion is DENIED with respect to the other privilege log entries that were included in Target's in camera submission:

a. The motion is moot with respect to entries 1360-65 on Target's privilege log. Target represented that the emails corresponding to those entries were produced without redactions on August 19, 2015, and the plaintiffs withdrew their motion as to those entries in a letter to the Court dated September 28, 2015.
b. The motion is moot with respect to entry 588 on Target's privilege log as Target has represented that it produced the corresponding email communication on October 19, 2014.
c. The motion is moot with respect to entries 744-45 on Target's privilege log as Target has represented that it produced the corresponding email communication on October 19, 2014.
d. The email communication corresponding to entry 89 on Target's privilege log is protected by the attorney-client privilege.
e. The email communications corresponding to entries 172-82 on Target's privilege log are protected by the attorney-client privilege and the work-product doctrine. In particular, Target has demonstrated, through the Declaration of Timothy Baer (Baer Decl. ¶¶ 8-9), that the work of the Data Breach Task Force was focused not on remediation of the breach, as Plaintiffs contend, but on informing Target's in-house and outside counsel about the breach so that Target's attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and was reasonably expected to follow. See Rabushka v. ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.