Federal Court: Attorney-Client Privilege and Work-Product Doctrine Upheld for Materials Associated with Internal Data Breach Investigation

As reported in the Privacy & Information Security Law blog, the United States District Court for the District of Minnesota, in large part, upheld Target’s assertion of the attorney-client privilege and work-product protections for information associated with a privileged, internal investigation of Target’s 2013 data breach.

The plaintiffs contended that the challenged information was not protected by the attorney-client privilege or the work-product doctrine because “Target would have had to investigate and fix the data breach regardless of any litigation, to appease its customers and ensure continued sales, discover its vulnerabilities, and protect itself against future breaches.”

Target countered that there was a two-track investigation. The first track was an ordinary-course-of-business investigation, involving, among other things, a forensic investigator’s non-privileged report for the card brands. The second track, part of which included a different team from the same forensic investigator, was created at the request of Target’s in-house lawyers and its retained outside counsel. The purpose of the second-track investigation was to educate the attorneys about aspects of the breach so that they could provide Target with informed legal advice.

Although the same forensic investigator was used for both tracks, Target explained that it only claimed privilege and work-product protections for certain information related to the second-track investigation. Target provided evidence that the forensic teams did not communicate with each other about the substance of the second-track, attorney-directed investigation.

After an in-camera inspection, the court found that the majority of the information was shielded from disclosure. The most notable findings were:

  • Communications from CEO to Board of Directors. Neither the attorney-client privilege nor work-product doctrine applied to communications made by Target’s CEO to its Board of Directors.
      • Attorney-Client Privilege. The evidence did not show that the communications: (a) involved any confidential communications between attorney and client; (b) contained requests for, or discussion necessary to obtain legal advice; or (c) included the provision of legal advice.
      • Work Product. None of the materials appeared to be provided due to reasonably anticipated litigation within the meaning of Federal Rule of Civil Procedure 26(b)(3).
  • Emails related to Data Breach Task Force. The attorney-client privilege and the work-product doctrine protected emails regarding the work of Target’s attorney-directed Data Breach Task Force. The Data Breach Task Force informed Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending and reasonably anticipated.
  • Emails from in-house counsel to client. Emails between a Target in-house attorney and his clients were created for the purpose of obtaining legal advice and made in anticipation of litigation. Therefore, they were protected by both the attorney-client privilege and work-product doctrine.
  • Emails regarding breach occurrence. Certain emails regarding how the breach occurred were protected by the work-product doctrine. Moreover, the plaintiffs failed to demonstrate that, without these work-product protected materials, they would be deprived of any information about how the breach occurred or how Target conducted its investigations. The court noted that Target produced information from which the plaintiffs could learn about how the data breach occurred and about Target’s breach response.
  • Emails regarding legal advice. Certain emails were protected by the attorney-client privilege because Target demonstrated the information in those communications was transmitted for the purpose of obtaining legal advice regarding the investigation.

The court did not cite the United States Court of Appeals for the D.C. Circuit’s 2014 and 2015 opinions about the application of the attorney-client privilege and work-product protection in corporate internal investigations. Although those decisions were outside the data breach context, the omission most likely was due to the double-track structure of the Target investigative teams, which helped to separate information that was protected from information that was not. In any event, the D.C. Circuit has previously held that blended reasons for a corporate internal investigation do not invalidate the privilege, as long as providing legal advice was a “significant purpose” of the investigation.
