Michael H. Simon, United States District Judge *1237Plaintiffs bring this putative class action against Defendant Premera Blue Cross ("Premera"), a healthcare benefits servicer and provider. On March 17, 2015, Premera publicly disclosed that its computer network had been breached. Plaintiffs allege that this breach compromised the confidential information of approximately 11 million current and former members, affiliated members, and employees of Premera. The compromised confidential information includes names, dates of birth, Social Security Numbers, member identification numbers, mailing addresses, telephone numbers, email addresses, medical claims information, financial information, and other protected health information (collectively, "Sensitive Information"). According to Plaintiffs, the breach began in May 2014 and went undetected for nearly a year. Plaintiffs allege that after discovering the breach, Premera unreasonably delayed in notifying all affected individuals. Based on these allegations, among others, Plaintiffs bring various state common law claims and state statutory claims.

Before the Court is Plaintiffs' motion to compel. Plaintiffs request an order requiring Premera to produce certain documents, described by category, that Premera has withheld based on assertions of attorney-client privilege or protection under the attorney work-product doctrine. For the reasons discussed below, Plaintiffs' motion is granted in part and denied in part.

STANDARDS

A. Applicable Law

Plaintiffs originally argued that Oregon law, as the law of the forum state, applies to the parties' dispute regarding the scope of the attorney-client privilege. Premera responds that Washington law applies. In supplemental briefing, Plaintiffs concede that there is no material conflict between Oregon and Washington law on the specific issues of attorney-client privilege relevant to the pending motion. Thus, Plaintiffs do not oppose the application of Washington law. The parties also agree that federal law governs the work-product doctrine in federal court.

B. Attorney-Client Privilege

Washington law recognizes that "in our open civil justice system, parties may obtain discovery regarding any unprivileged matter that is relevant to the subject matter of the pending action" and that the attorney-client privilege is "an *1238exception to the general duty to disclose." Newman v. Highland Sch. Dist. No. 203 , 186 Wash.2d 769, 777, 381 P.3d 1188 (2016). "A party claiming that otherwise discoverable information is exempt from discovery on grounds of the attorney-client privilege carries the burden of establishing entitlement to the privilege." Id. In Newman , the Washington Supreme Court explained the attorney-client privilege as follows:

Washington's attorney-client privilege provides that "[a]n attorney or counselor shall not, without the consent of his or her client, be examined as to any communication made by the client to him or her, or his or her advice given thereon in the course of professional employment." RCW 5.60.060(2)(a). But the attorney-client privilege does not automatically shield any conversation with any attorney. To qualify for the privilege, communications must have been made in confidence and in the context of an attorney-client relationship. It is a narrow privilege and protects only communications and advice between attorney and client. The privilege extends to corporate clients and may encompass some communications with lower level employees, as both the United States Supreme Court and this court have recognized.

The attorney-client privilege does not shield facts from discovery, even if transmitted in communications between attorney and client. Rather, only privileged communications themselves are protected in order to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and administration of justice. The attorney-client privilege recognizes that sound legal advice or advocacy serves public ends and that such advice or advocacy depends upon the lawyer being fully informed by the client. However, because the privilege sometimes results in the exclusion of evidence which is otherwise relevant and material, contrary to the philosophy that justice can be achieved only with the fullest disclosure of the facts, the privilege cannot be treated as absolute; rather, it must be strictly limited to the purpose for which it exists.

Id. at 777-78, 381 P.3d 1188 (quotation marks and citations omitted) (alteration in original).

It is well accepted that "[t]he attorney client privilege is limited to information related to obtaining [legal] advice." Mechling v. City of Monroe , 152 Wash. App. 830, 853, 222 P.3d 808 (2009). The privilege "applies to any information generated by a request for legal advice, including documents created by clients with the intention of communicating with their attorneys." Doehne v. EmpRes Healthcare Mgmt., LLC , 190 Wash. App. 274, 281, 360 P.3d 34 (2015). It does not, however, "protect documents that are prepared for some other purpose than communicating with an attorney." Morgan v. City of Fed. Way , 166 Wash.2d 747, 755, 213 P.3d 596 (2009) (quotation marks omitted). Thus, "a document prepared for a purpose other than or in addition to obtaining legal advice and intended to be seen by persons other than the attorney, does not become subject to the privilege merely by being shown to the attorney." Mechling , 152 Wash. App. at 853, 222 P.3d 808 (emphasis added). Further, "if a portion of a document is not covered by the attorney-client privilege, under the civil rules of discovery it must be disclosed." Id.

In evaluating assertions of the attorney-client privilege in a corporate setting, the Washington Supreme Court has adopted the U.S. Supreme Court's "flexible" approach set forth in *1239Upjohn Co. v. United States , 449 U.S. 383, 101 S.Ct. 677, 66 L.Ed.2d 584 (1981). See Newman , 186 Wash.2d at 779, 381 P.3d 1188. This analysis allows non-managerial employees to qualify as the "client" for purposes of privilege protection, based on considerations including:

whether the communications at issue (1) were made at the direction of corporate superiors, (2) were made by corporate employees, (3) were made to corporate counsel acting as such, (4) concerned matters within the scope of the employee's duties, (5) revealed factual information not available from upper-echelon management, (6) revealed factual information necessary to supply a basis for legal advice, and whether the communicating employee was sufficiently aware that (7) he was being interviewed for legal purposes, and (8) the information would be kept confidential.

Id. at 778-779, 381 P.3d 1188 (quotation marks omitted). The corporate attorney-client privilege, however, does not extend to former employees. Id. at 779, 381 P.3d 1188.

C. Work-Product Doctrine

The work-product doctrine "is not a privilege but a qualified immunity protecting from discovery documents and tangible things prepared by a party or his representative in anticipation of litigation." Admiral Ins. Co. v. U.S. Dist. Court for the Dist. of Ariz. , 881 F.2d 1486, 1494 (9th Cir. 1989) (citing Fed. R. Civ. P. 26(b)(3) ). Documents or the compilation of materials prepared by agents of the attorney in preparation for litigation may be covered by the work-product doctrine. U. S. v. Richey , 632 F.3d 559, 567 (9th Cir. 2011). To qualify for work-product protection, materials must: "(1) be prepared in anticipation of litigation or for trial and (2) be prepared by or for another party or by or for that other party's representative." Id. (quotation marks omitted).

When materials are prepared for a "dual purpose," meaning they are not prepared exclusively for litigation, then the "because of" test applies. Id. at 568. Under that test, "[d]ual purpose documents are deemed prepared because of litigation if 'in light of the nature of the document and the factual situation in the particular case, the document can be fairly said to have been prepared or obtained because of the prospect of litigation.' " Id. Courts, however, must view "the totality of the circumstances and determine whether the document was created because of anticipated litigation, and would not have been created in substantially similar form but for the prospect of litigation." Id. (quotation marks omitted).

The work-product doctrine also affords special or heightened protection to materials that reveal an attorney's mental impressions and opinions, i.e. , "opinion" or "core" work product. Admiral Ins. Co. , 881 F.2d at 1494 ; Fed. R. Civ. P. 26(b)(3)(B). Work-product that does not rise to the level of opinion or core work product may be ordered produced to an opposing party upon a showing of substantial need for the information or that the information cannot be otherwise obtained without undue hardship. Admiral Ins. Co. , 881 F.2d at 1494 ; Fed R. Civ. P. 26(b)(3)(A)(ii). To obtain the opinion or core work product, however, an opposing party must show that the mental impressions of counsel are at issue in the case and the need for the material is compelling. Holmgren v. State Farm Mutual Auto. Ins. Co. , 976 F.2d 573, 577 (9th Cir. 1992).

The primary purpose of the work-product doctrine is to "prevent exploitation of a party's efforts in preparing *1240for litigation." Admiral Ins. Co. , 881 F.2d at 1494. Work-product protection, like the attorney-client privilege, is waivable. Richey , 632 F.3d at 567.

D. Common Interest Doctrine

"The 'common interest' doctrine provides that when multiple parties share confidential communications pertaining to their common claim or defense, the communications remain privileged as to those outside their group." Sanders v. State , 169 Wash.2d 827, 853, 240 P.3d 120 (2010) ; see also C.J.C. v. Corp. of Catholic Bishop of Yakima , 138 Wash.2d 699, 716, 985 P.2d 262 (1999) (noting that under the common interest or joint defense rule, "communications exchanged between multiple parties engaged in a common defense remain privileged under the attorney-client privilege"). "The common interest doctrine is an exception to the general rule that the voluntary disclosure of a privileged attorney client or work product communication to a third party waives the privilege." Kittitas Cty. v. Allphin , 195 Wash. App. 355, 368, 381 P.3d 1202 (2016), review granted in part , 187 Wash.2d 1001, 386 P.3d 1089 (2017).

DISCUSSION

Plaintiffs move to compel production of four categories of documents. Plaintiffs seek: (1) documents that Premera asserts incorporate the advice of counsel, but were not prepared by or sent to counsel; (2) documents that Premera asserts were prepared at the request of counsel, but were not prepared by or sent to counsel and appear to be business documents not prepared because of litigation; (3) documents that relate to third-party vendor work on the data breach investigation and remediation, including Mandiant's work for Premera and other third-party vendors working on technical and public relations aspects of the investigation and analysis; and (4) documents that Premera is withholding, despite being sent to third-parties, based on what Plaintiffs contend is an improper assertion of the joint defense or common interest exception to waiver of privilege. Premera responds that the first three categories involve documents prepared by either Premera employees or third party vendors hired by outside counsel at the request of counsel or under the supervision of counsel. Thus, argues Premera, they are properly withheld as privileged or as protected under the work-product doctrine. Premera further responds that it properly entered into common interest agreements with other Blue Cross-related entities, and thus there was no waiver of privilege for documents sent to those entities.

Plaintiffs also argue that Premera is required to produce certain documents based on the fiduciary exception to the attorney-client privilege because Premera admits that some of the plans involved are governed by the Employee Retirement Income Security Act of 1974 ("ERISA"). Premera responds that the Court's earlier decisions on Premera's motions to dismiss render this argument without merit, that Washington has not yet adopted the fiduciary exception, and that even if the exception applies in Washington it would not apply to the specific documents being withheld in this case.

A. Application of Attorney-Client Privilege and Work-Product Doctrine

1. Documents that Premera asserts incorporate advice of counsel, but were not prepared by or sent to counsel (Category 1)

The documents in Category 1 were drafted by persons who are not attorneys and were sent to and from persons who are not attorneys. Although these documents contain or reference business, *1241technical, or public relations information, Premera argues that they are properly withheld as privileged because they are "drafts" that incorporate the advice of counsel. Some of these documents include edits or "redlines" from counsel. Others are drafts prepared by counsel that include edits or redlines by Premera personnel who are not attorneys. For some of these drafts, Premera has produced to Plaintiffs the final version, e.g. , certain press releases and notices.

Premera argues that Washington's law on attorney-client privileged communications is broader than the law governing other jurisdictions. Premera asserts that under Washington law any communication made during the course of an attorney-client relationship, regardless of whether the communication pertains to business or legal advice, is protected. In support of this broad proposition, Premera primarily relies on a state trial court's opinion in Sanders v. State , 2007 WL 7774753, at *13 (Wash. Superior Ct., Thurston Cty., Jan. 12, 2007). The Court in the pending case, however, generally relies upon and follows the articulation of Washington law announced by the Washington Supreme Court or the Washington Court of Appeals, rather than by a state trial court in Washington.

The Washington Supreme Court recently reiterated, after quoting Washington's privilege statute, that the attorney-client privilege is a "narrow privilege," that it "does not shield facts from discovery, even if transmitted in communications between attorney and client," and that it "must be strictly limited to the purpose for which it exists." Newman , 186 Wash.2d at 777-78, 381 P.3d 1188. The Washington Supreme Court also has explained that the attorney-client privilege "does not protect documents that are prepared for some other purpose than communicating with an attorney." Morgan , 166 Wash.2d at 755, 213 P.3d 596. Additionally, the Washington Court of Appeals has explained that the privilege is limited only "to information related to obtaining [legal] advice" and that documents "prepared for a purpose other than or in addition to obtaining legal advice and intended to be seen by persons other than the attorney, does not become subject to the privilege merely by being shown to the attorney." Mechling , 152 Wash. App. at 853, 222 P.3d 808 (emphasis added). Thus, the Court rejects Premera's broad construction of Washington's law of attorney-client privilege.

Considering the attorney-client privilege as explained by Washington's appellate courts, it appears that many of the documents in Category 1 being withheld by Premera are not protected under the attorney-client privilege. Premera has withheld entire drafts of documents that it was required as a business to prepare in response to the data breach. Premera prepared press releases and notices to be sent to its customers. The fact that Premera planned eventually to have an attorney review those documents or that attorneys may have provided initial guidance as to how Premera should draft internal business documents does not make every internal draft and every internal communication relating to those documents privileged and immune from discovery.

All of the withheld documents are not internal factual or investigatory reports prepared at the request of counsel to inform counsel of the underlying facts so that counsel can provide adequate legal advice or representation, such as was the case in Doehne , relied on by Premera. Instead, the Category 1 documents include business documents that the company would have prepared regardless of any concern about litigation. Placing them under the supervision of outside counsel and then labelling all communications relating to them as privileged does not properly *1242establish an attorney-client privilege. The focus of the privilege must be the purpose for which a document was created. See Doehne , 190 Wash. App. at 282-83, 360 P.3d 34. The primary purpose of drafting press releases, notices to customers, and similar documents was not to communicate with counsel or prepare for litigation.

There may be some documents, however, that contain protected attorney-client communications, such as drafts that include edits or redlines by an attorney communicating legal advice. If underlying edited or redlined documents contain legal advice from counsel, those documents (or at least the edits or redlines) are entitled to protection. Although an attorney may wear "two hats" when reviewing a document for both a business and a legal purpose, some of the documents described in Category 1 appear to have been created with anticipated litigation in mind. Therefore, when an edit or redline was not done solely for a business purpose and the edit or redline communication appears to constitute legal advice under Washington's law of attorney-client privilege, that edit or redline need not be disclosed. Additionally, if there are documents for which the primary purpose was to prepare for litigation, to advise counsel of underlying facts to help with counsel's legal representation, or otherwise to communicate with counsel for the purpose of receiving legal advice or representation, those documents would be protected under the attorney-client privilege.

2. Documents that Premera asserts were prepared at the request of counsel, but were not prepared by or sent to counsel and appear to be business documents not prepared because of litigation (Category 2)

The documents in Category 2 include those prepared by Premera employees and third-party vendors who are not attorneys. According to Premera, these documents contain information requested by counsel, including information relating to technical aspects of the breach and its mitigation, company policies, public relations and media matters, and remediation activities. The third-party vendors were retained by Premera's outside counsel. Premera argues that the documents are properly withheld as both privileged and protected under the work-product doctrine. Premera asserts that these are documents that were prepared primarily in anticipation of litigation and for the purpose of facilitating legal advice.

a. Attorney-client privilege

As with the Category 1 documents, the Court finds that the primary purpose of many of the documents in Category 2 was not to communicate with counsel or obtain legal advice, Morgan , 166 Wash.2d at 755, 213 P.3d 596, but instead to perform a business function. For example, one of the third-party vendors is Edelman, a public relations firm. As discussed above, drafting press releases relating to a security breach is a business function that Premera would have engaged in, regardless of actual or potential litigation. Having outside counsel hire a public relations firm is insufficient to cloak that business function with the attorney-client privilege. See Brawner v. Allstate Indem. Co. , 2007 WL 3229169, at *4 (E.D. Ark. Oct. 29, 2007) ("Defendant may not generally assert a blanket privilege as to those facts that were generated by its investigation merely because those facts were subsequently incorporated into a communication to counsel, or because they elected to delegate their ordinary business obligations to legal counsel." (quotation marks omitted));

*1243Lumber v. PPG Indus., Inc. , 168 F.R.D. 641, 646 (D. Minn. 1996) (noting that the plaintiffs could not "shield their investigation ... merely because they elected to delegate their ordinary business obligations to legal counsel"); SCM Corp v. Xerox Corp. , 70 F.R.D. 508, 515 (D. Conn. 1976) ("Legal departments are not citadels in which public, business or technical information may be placed to defeat discovery and thereby ensure confidentiality."); cf. Simon v. G.D. Searle & Co. , 816 F.2d 397, 403 (8th Cir. 1987) (noting that the "attorney-client privilege does not protect client communications that relate only [to] business or technical data"); United States v. Heine , 2016 WL 6138245, *1-2 (D. Or. Oct. 21, 2016) (noting the "vexing legal challenge" of corporate entities "exaggerat[ing] attorney-client privilege claims" by including attorneys on email communications and making "blanket, sweeping invocations of the privilege" that "ignore the principle that communications received by an attorney are protected by the privilege only if the primary purpose of the communications (or segregable portions of them) was to obtain legal advice or assistance" and not when "the communication's primary purpose is business, not legal"); Becker v. Willamette Cmty. Bank , 2014 WL 2949334, at *3 (D. Or. June 30, 2014) ("While a corporation is certainly free to seek business advice from counsel, business advice does not become legal advice simply because it is rendered by counsel."); Kaufman & Broad Monterey Bay v. Travelers Prop. Cas. Co. of Am. , 2011 WL 2181692, at *6, n.3 (N.D. Cal. June 2, 2011) (noting that an insurer cannot delegate a coverage investigation to an attorney, which is part of the insurer's business and then claim "work product privilege"). The fact that litigation may have been reasonably anticipated to occur at some point in the future does not convert these business functions into legal functions or make all communications relating to these functions privileged or subject to work product protection. See Piatkowski v. Abdon Callais Offshore, L.L.C. , 2000 WL 1145825, at *2 (E.D. La. Aug. 11, 2000) ("[C]ourts have routinely recognized that the investigation and evaluation of claims is part of the regular, ordinary, and principal business of insurance companies. Thus, even though litigation is pending or may eventually ensue does not cloak such routinely generated documents with work product protection.").

Premera relies primarily on In re Copper Market Antitrust Litig. , 200 F.R.D. 213 (S.D.N.Y. 2001), to support its argument that press releases and media relations, when supervised by attorneys, are legal advice and privileged. Copper Market , however, involved different facts and different types of communications. In CopperMarket , the public relations firm was hired by the corporation, not the attorneys. Id. at 215. The court found that the public relations firm was the "functional equivalent of an in-house public relations department," id. at 216, and "was, essentially, incorporated into [the corporation's] staff to perform a corporate function." Id. at 219. Because the public relations firm was an agent of the corporation, it could step into the shoes of the corporation for purposes of asserting the corporation's attorney-client privilege. Id. at 219. Thus, the court found that confidential communications between the public relations firm and the corporation, inside counsel, or outside counsel "that were made for the purpose of facilitating the rendition of legal services to [the corporation] can be protected from disclosure by the attorney-client privilege." Id. The Cooper Market case, thus, does not support Premera's contention that its outside counsel can hire a public relations firm and then exclude from discovery under the attorney-client *1244privilege all communications relating to public relations.

The same is true of the other business functions that Premera delegated to its outside counsel for supervision. Premera has not met its burden of demonstrating that all of these documents are privileged. Accordingly, drafts of documents prepared by Premera employees and third-party vendors relating to the business functions that Premera had to perform regardless of litigation, including preparing press releases, media interactions, and notices, are not privileged. Communications relating to those drafts similarly are not automatically privileged. If, however, communications were sent to or from counsel seeking or providing actual legal advice, such as about possible legal consequences of proposed text or an action being contemplated by Premera, then such communications would be privileged. See Dawson v. New York Life Ins. Co. , 901 F.Supp. 1362, 1367 (N.D. Ill. 1995) (noting that there is a difference between providing "legal information" and "legal advice," that privilege only attaches to the latter, that the latter would include consultation "concerning the legal consequences of what they might say in their speeches or ... advice on the legal consequences of what was included" in a document, but finding that because such information was not sought "the attorneys were acting more as courier[s] of factual information, rather than legal advisers" and the communications were not privileged (alterations in original) (quotation marks omitted)).

b. Work-product protection

Assuming without deciding that the Category 2 draft documents and communications had a dual purpose-both business and legal, the Court must consider whether the communications and documents were prepared "because of" the prospect of litigation. Richey , 632 F.3d at 568. Looking at the totality of the circumstances, the Category 2 documents generally are not protected by the work-product doctrine. Premera has not shown that the documents were created because of litigation rather than for business reasons, or that the documents "would not have been created in substantially similar form but for the prospect of litigation." Id. (quotation marks omitted). Moreover, as discussed above, delegating business functions to counsel to oversee does not provide work-product protection to the materials created for those business functions. See Kaufman , 2011 WL 2181692, at *6, n.3 ; Brawner , 2007 WL 3229169, at *4 ; Piatkowski , 2000 WL 1145825, at *2 ; Lumber , 168 F.R.D. at 646. If Premera can show that a particular document was prepared specifically in anticipation of litigation, contains the mental impressions of counsel, and would not have been prepared in substantially the same form but for the prospect of litigation, then Premera may assert work-product protection for that specific document.

3. Documents that relate to Mandiant's work for Premera, including the Mandiant Remediation Report, and other third-party vendors' technical and public relations aspects of the investigation and analysis (Category 3)

a. Mandiant

The facts surrounding the Mandiant report(s) are not particularly clear to the Court. Plaintiffs move to have Premera produce the Mandiant "Remediation Report." Premera states that it already has produced the Mandiant "Intrusion Report," subject to an agreement that such production does not constitute a waiver of privilege, but adds that drafts and other *1245documents relating to that report are privileged and protected by the work-product doctrine. It is not clear to the Court whether the "Intrusion Report" and "Remediation Report" are two different documents.

Mandiant was hired by Premera in October 2014 to review Premera's data management system. On January 29, 2015, Mandiant discovered the existence of malware in Premera's system. On February 20, 2015, Premera hired outside counsel in anticipation of litigation as a result of the recently discovered data breach. On February 21, 2015, Premera and Mandiant entered into an amended statement of work that shifted supervision of Mandiant's work to outside counsel. The amended statement of work, however, did not otherwise change the scope of Mandiant's work from what was described in the Master Services Agreement between Mandiant and Premera entered into on October 10, 2014. Several weeks after the February 21st agreement, Mandiant issued a report.

Premera argues that Mandiant is the equivalent of a private investigator or other investigative resource hired by an attorney to conduct an investigation on behalf of an attorney, and thus that Mandiant's work is privileged and protected as work-product. The flaw in Premera's argument, however, is that Mandiant was hired in 2014 to perform a scope of work for Premera, not outside counsel. That scope of work did not change after outside counsel was retained. The only thing that changed was that Mandiant was now directed to report directly to outside counsel and to label all of Mandiant's communications as "privileged," "work-product," or "at the request of counsel." Premera argues that, with respect to Mandiant, after the breach was discovered and outside counsel was hired it became an entirely different situation. The amended statement of work, however, does not support that assertion. The only thing that appears to have changed involving Mandiant was the identity of its direct supervisor, from Premera to outside counsel. The amended statement of work confirms that the scope of the work remained the same. Thus, Premera's argument that Mandiant's focus shifted in February 25, 2015, and that Mandiant then became more like an investigator working on behalf of outside counsel instead of performing its original role on behalf of Premera, is not supported by the amended statement of work.

This situation is unlike the Target data breach case relied upon by Premera. In Target , the company performed its own independent data breach investigation that was produced in discovery and the attorneys performed a separate investigation through a retained expert company that was privileged and protected from discovery. In re Target Corp. Customer Data Sec. Breach Litig. , 2015 WL 6777384, at *2 (D. Minn Oct. 23, 2015). With Premera, however, there was only one investigation, performed by Mandiant, which began at Premera's request. When the supervisory responsibility later shifted to outside counsel, the scope of the work performed did not change. Thus, the change of supervision, by itself, is not sufficient to render all of the later communications and underlying documents privileged or immune from discovery as work product.

This situation also is unlike the Experian case relied on by Premera. In re Experian Data Breach Litig. , Case No. 8:15-cv-01592-AG-DFM (C.D. Cal.). In that case, outside counsel was hired by the company and outside counsel then hired Mandiant. Id. ECF 239 at 3. Here, Premera had already hired Mandiant, which was performing an ongoing investigation under Premera's supervision before outside counsel became involved. Premera has the burden *1246of showing that Mandiant changed the nature of its investigation at the instruction of outside counsel and that Mandiant's scope of work and purpose became different in anticipation of litigation versus the business purpose Mandiant was performing when it was engaged by Premera before the involvement of outside counsel. Premera has not made that showing.

Considering work-product protection, the Court looks at the "dual-purpose" test. Looking at the totality of the circumstances, particularly the fact that the amended statement of work did not change the scope of work and there is no evidence that Mandiant changed its scope or purpose at the direction of outside counsel, the Court concludes that Premera has not shown that all of the underlying documents relating to the Mandiant reports were created because of anticipated litigation and "would not have been created in substantially similar form but for the prospect of litigation." Richey , 632 F.3d at 568. Premera, however, has expressed concern, which the Court shares, that given Mandiant's role in working with outside counsel, there may be some privileged communications or work-product protected information in the withheld documents. Thus, if there are specific documents or portions of documents that Premera contends contain privileged information (in the sense that they were prepared for the purpose of communicating with an attorney for the provision of legal advice) or work-product information (in the sense that they contain the mental impressions of counsel prepared in anticipation of litigation, communications to counsel to provide factual information so that counsel can prepare for litigation, or involve a factual investigation done solely at the behest of counsel for purposes of litigation and no longer under the scope of work as originally agreed upon with Premera), then they may properly be withheld.

b. Third-party vendors

The analysis for these Category 3 documents is the same as for the documents in Categories 1 and 2. These are the documents created by the third-party vendors hired by outside counsel. Many of these documents appear to be related to business functions delegated to counsel. There appear to be some documents, however, that are or may be related to legal functions and are thus properly protected by the attorney-client privilege or work-product doctrine. The documents relating to Epiq appear to be legal in nature and thus not a business function; they may be withheld. There also appear to be several electronic discovery vendors for whom it is unclear whether the work performed is of a legal or business nature. Premera provided the Court with the written agreement between Altep, Inc. and Premera, which references a statement of work, but Premera did not provide a copy of the statement of work. Without reviewing the statement of work, it is not clear whether Altep was performing litigation discovery services for counsel or computer technical assistance services for Premera. If it was the former, then Altep would not be performing a business function and the information would be privileged or protected by the work-product doctrine. Similarly, e-Discovery, iDiscover, LLC, and Navigant are vendors that appear to be providing services relating to electronic discovery or discovery-related computer forensic assistance. If those services are being performed for counsel as litigation-support for discovery, they would not constitute non-legal business functions and would be privileged or protected by the work-product doctrine. If, however, they are services being performed for the benefit of Premera as part of the investigation or remediation *1247of the breach, they likely would be a business function and thus discoverable. The other third-party vendors appear to be performing business functions and thus their documents and communications would not be protected by privilege or work-product.

Premera argues that under Upjohn and Washington law attorneys are entitled to obtain factual information from third parties in order to be able to provide legal advice. First, the Court notes that the Washington Supreme Court, although noting that Washington has adopted Upjohn , also expressly noted that "[t]he attorney-client privilege does not shield facts from discovery, even if transmitted in communications between attorney and client." Newman , 186 Wash.2d at 778, 381 P.3d 1188. Second, the Court notes that it appears that Premera has withheld as privileged all communications relating to press releases, notifications, remediation, and the like, and not just communications to counsel that constitute "the giving of information to the lawyer to enable him to give sound and informed advice." Upjohn , 449 U.S. at 390, 101 S.Ct. 677. As discussed above, Premera's attempt to label all communications on these subjects as necessary investigative steps required to give information to Premera's counsel in connection with legal advice is not persuasive.

4. Documents that Premera is withholding, despite being sent to third-parties, based on what Plaintiffs contend is an improper assertion of the joint defense (or common interest) exception (Category 4)

The documents described in Category 4 involve Premera's assertion of a common interest or joint defense exception to waiver of privilege for other entities, such as Blue Cross Blue Shield, CareFirst,1 and Anthem entities, all of which have suffered data breaches and are facing similar litigation. The purported common interest is that defendants are defending different cases and government investigations throughout the country with common issues. These cases and investigations include, among others, In Re Anthem, Inc. Data Breach Litigation , MDL 2617, Case No. 15-md-02617-LHK (N.D. Cal.); Ross v. Blue Cross Blue Shield Association, et al. , Case No. 1:15-cv-2006 (N.D. Ill); and Ames, et al. v. Anthem, Inc. , Case No. 1:15-cv-465-SEB-TAB (S.D. Ind.). Premera and these entities have entered into common interest agreements that purport to allow them to share confidential and privileged information without waiving attorney-client privilege. Plaintiffs argue that because Premera and these entities are not defendants in the same litigation, they cannot assert the common interest or joint defense exception to waiver of privilege, and thus any documents that have been provided to these third parties have had the privilege waived for those communications, and all other communications on the same subject matter.

Generally, joint defense or common interest parties are parties within the same litigation. Cf. C.J.C. , 138 Wash.2d at 716, 985 P.2d 262 (noting that the joint defense or common interest rule applies where "multiple parties [are] engaged in a common defense" (emphasis added)); Kittitas Cty. , 195 Wash. App. at 368, 381 P.3d 1202 (noting that the communications must be "made by separate parties in the course of a matter of common interest or joint defense" (emphasis added) (quoting *1248Avocent Redmond Corp. v. Rose Elecs., Inc. , 516 F.Supp.2d 1199, 1203 (W.D. Wash. 2007) )). Some of the entities with whom Premera has asserted a common interest are not only not part of this litigation, but they are not subject to potential liability from the same data breach. The lawsuits that they face may involve similar legal theories, claims, and defenses, but they arise from different facts and, most importantly, different data breaches. Premera relies primarily upon Broyles v. Thurston County , 147 Wash. App. 409, 195 P.3d 985 (2008), to argue that defendants in different lawsuits involving different underlying facts but similar claims can rely on the common interest doctrine. Premera, however, reads too much into Broyles.

Broyles involved a situation where a group of four employees visited two attorneys to discuss a situation at work and decide whether to bring claims of sexual harassment and hostile work environment. Id. at 417, 441, 195 P.3d 985. Three of the group pursued the case with those two attorneys and the fourth decided not to pursue the case and later attempted to testify about the original meeting. Id. at 442, 195 P.3d 985. The trial court found that because all four people went "as a group with a common problem, statements of all are protected" under the common interest doctrine. Id. at 443, 195 P.3d 985. The Washington Court of Appeals found no error in that conclusion. Id.

Broyles , however, does not support Premera's contention that defendants in separate lawsuits based on separate data breaches occurring on separate occasions nevertheless can invoke the common interest doctrine when they discuss related legal issues and concepts. Broyles supports the traditional interpretation of "common" interest-that the parties share either a claim or potential liability in "common," which depends on a common nucleus of operative facts. Generally, this means that the common interest parties are in the same lawsuit, or at the minimum may share a common or related liability or claim. See also Mockovak v. King Cty. , 197 Wash. App. 1013, 2016 WL 7470087, at *11 (Dec. 19, 2016) (unpub.) (finding common interest doctrine applied when federal and state agencies shared privileged investigative and prosecuting information, even though only the state agency ended up prosecuting), rev. denied , 188 Wash.2d 1009, 394 P.3d 1015 (2017), and cert. denied , 2017 WL 3386658, --- U.S. ----, 138 S.Ct. 328, 199 L.Ed.2d 212 (U.S. Oct. 10, 2017).2

Premera stretches the definition of "common interest" beyond reasonable bounds. Under Premera's interpretation, different people or entities around the country that have a similar alleged product defect, or allegedly engaged in similar fraudulent schemes, or have been accused of similar forms of misconduct generally can claim a common interest and enter into common interest agreements. Under Premera's argument, as long as the claims asserted against those parties are the same or reflect the same the theory of liability, then they would have a "common" defense. That is not, however, how the common interest or joint defense doctrine works.

The common interest agreement between Premera and the Anthem entities fails under the proper definition of a "common"

*1249interest because that agreement involves different underlying data breaches. The common interest agreement between Premera and the Blue Cross and Blue Shield Association, however, states that its underlying matters "involve claimed liability for and as a result of a recent criminal intrusion into Premera's computer systems" (emphasis added). This appears to indicate that the potential shared liability is specific to the intrusion that is the subject matter of this pending litigation. To the extent that there are other matters arising out of the very same intrusion at issue in this case, and thus involving the same nucleus of operative facts that are part of this case, they would be part of the common liability and subject to the protections of the common interest doctrine. The agreement continues, however, to state that it includes litigation and investigations "involving other conduct alleged to be similar to or connected with" the intrusion (emphasis added). Data breaches that merely are "similar to" the underlying data breach or otherwise somehow "connected with" it are not a common liability, properly understood, with this case and thus are not properly subject to the common interest doctrine. From the Court's review of the matters identified or described in Schedule A that was attached to the purported common interest agreement, they are all cases that are included in the multi-district litigation before this Court concerning the data breach at Premera. Thus, those parties are properly part of a common interest agreement. To the extent, however, that any documents were shared with any third party whose purported common interest is not based on the same underlying data breach as is the subject matter in this case, there is no common interest doctrine protection for those disclosures.

As discussed above, communications between Premera and entities with data breaches other than the data breach that is the subject of this case, even if the data breach is "similar" or "connected to," are not protected by the common interest doctrine. Thus, those communications are not privileged, and otherwise privileged information contained in such communications has had the privilege waived. Regarding the scope of this waiver, "[t]he widely applied standard for determining the scope of a waiver of attorney-client privilege is that the waiver applies to all other communications relating to the same subject matter." Fort James Corp. v. Solo Cup Co. , 412 F.3d 1340, 1349 (Fed. Cir. 2005). The party asserting privilege bears the "burden to show that fairness does not require waiver of the privilege over documents relating to the same subject matter as the documents disclosed." Theranos, Inc. v. Fuisz Techs., Ltd. , 2013 WL 2153276, at *3 (N.D. Cal. May 16, 2013). The Court finds that because Premera believed in good faith that it and these entities were subject to the common interest exception to waiver, under the unique circumstances of this case, fairness requires that the waiver of privilege extend only to the communications actually shared among the entities and not to all documents relating to the same subject matter that was addressed in the communications that were shared.

Plaintiffs also move to compel production of the common interest agreements themselves, relying on federal case authority. Although there is no Washington case on point, the Washington Court of Appeals has cited with approval federal cases discussing the common interest doctrine. See Kittitas Cty. , 195 Wash. App. at 368, 381 P.3d 1202 ; Sharbono v. Univ. Underwriters Ins. Co. , 162 Wash. App. 1050, 2011 WL 2848801, at *8-9 (2011)

*1250(unpub.). Premera does not specifically respond to this argument or legal authority, other than to state that it has described the agreements and that it has produced a "sample" agreement. This response is neither persuasive nor sufficient. Moreover, in light of the fact that the Court finds most of the claim of common interest not to be valid and that the Court has reviewed the agreements and finds them not to contain privileged information, the Court directs that the agreements themselves be produced.

B. Redactions

Plaintiffs argue that Premera may redact documents that contain some privileged and some nonprivileged information and must then produce the nonredacted portions. The Court agrees. When an email chain contains an email that is privileged or contains privileged information and the remaining emails in that chain do not contain privileged information, the privileged material may be redacted but the remaining material must be produced.

The Court notes that Premera represents that some email chains contain no more than "FYI" or the like for the nonprivileged portion and that it would be burdensome to redact the entire privileged portion to only produce a document containing "FYI." The Court agrees. But that was done before this Court issued this Opinion and Order, in which many of Premera's privilege assertions have been rejected. Going forward, if there is an email string and the only nonprivileged portion is something without substance such as "FYI," Premera need only identify it as such on the privilege log and need not redact and produce the meaningless nonprivileged portion.

C. Fiduciary Exception to the Attorney-Client Privilege

Plaintiffs argue that, for purposes of the attorney-client privilege in the ERISA context, the "real client" on matters of plan administration is not the trustee but the plan beneficiaries, citing to United States v. Mett , 178 F.3d 1058, 1063 (9th Cir. 1999). Thus, argue Plaintiffs, the holder of the attorney-client privilege is not Premera and, therefore, Premera may not withhold documents from plan beneficiaries on matters of plan administration on the basis of privilege. Premera responds that the Court has already found that no fiduciary relationship exists in this case, that Washington law has not recognized the fiduciary exception and the Court should not expand the law of privilege in Washington, and that even if the exception were recognized in Washington the privilege is not being asserted on matters of plan administration.

The Court previously ruled that Plaintiffs failed to state a claim under state law for breach of fiduciary duty. In re Premera Blue Cross Customer Data Sec. Breach Litig. , 198 F.Supp.3d 1183, 1203 (D. Or. 2016). The Court did not, however, find that Premera did not owe any duties as an ERISA fiduciary. That issue was not before the Court. Similarly, when the Court decided that ERISA did not preempt Plaintiffs' state law claims, the Court did not find that Premera was not an ERISA fiduciary. In fact, the Court found that ERISA applied and that some of Plaintiffs' claims could have been brought under ERISA, but that Plaintiffs' claims were not preempted because Plaintiffs alleged an independent duty based on state law. In re: Premera Blue Cross Customer Data Sec. Breach Litig. , 2017 WL 539578, at *20-22 (D. Or. Feb. 9, 2017).

Regarding whether the so-called fiduciary exception to attorney-client privilege applies in Washington, Plaintiffs argue that it is not an exception at all. Plaintiffs *1251quote Mett , in which the Ninth Circuit explained that "the fiduciary exception is not an 'exception' to the attorney-client privilege at all. Rather, it merely reflects the fact that, at least as to advice regarding plan administration, a trustee is not 'the real client' and thus never enjoyed the privilege in the first place." Mett , 178 F.3d at 1063.

The Court need not reach the issue of the scope of Premera's fiduciary obligations under ERISA or whether the so-called fiduciary exception applies in Washington. Even assuming that Premera has fiduciary obligations and that the so-called fiduciary exception applies in Washington, the types of documents that the Court has allowed Premera to maintain as privileged, as more fully described above, are all documents that are "defensive on the trustees' part and aimed at advising the trustees how far they were in peril." Mett , 178 F.3d at 1064 (quotation marks omitted). Thus, "the attorney-client privilege remains intact" because the "plan fiduciary [had] retain[ed] counsel in order to defend herself against the plan beneficiaries." Id. As discussed earlier in this decision, the Court has already ordered to be produced documents that could be considered related to benefitting plan members (where the "client" could be ERISA-covered Plaintiffs) and not as constituting legal advice for the trustees.

CONCLUSION

Plaintiffs' Motion to Compel (ECF 110) is GRANTED IN PART AND DENIED IN PART as described in this Opinion and Order.

IT IS SO ORDERED.