A recent order by a federal court in Virginia rejected arguments that a cybersecurity consultant’s data breach report, which had been prepared at the direction of outside legal counsel, qualified for work product protection. The court primarily relied on the fact that Capital One, which suffered a major data breach in March 2019, had already engaged the consulting firm as part of its pre-existing incident response plan to conduct an investigation in the event a cybersecurity incident occurred. The ruling raises concerns about conflicting incentives for companies that want to plan ahead for potential cybersecurity incidents, but want to ensure their investigations of those events retain privilege protection. By taking some simple precautions, companies may be able to do both.
The court’s order requires Capital One to disclose a report about its March 2019 data breach prepared by cybersecurity firm Mandiant to plaintiffs who are suing over that breach. The ruling follows highly contested motion practice regarding whether the work product protection should apply to the report. The work product doctrine protects materials “prepared in anticipation of litigation or for trial.”1 Despite the immediate risk of pending litigation created by the breach, and the fact that the report was prepared at the direction of outside legal counsel, the court found that Capital One failed to meet its burden to show the work product doctrine applied.
In 2015 Capital One retained Mandiant to, among other things, investigate a cybersecurity incident should one occur. This was part of Capital One’s incident response plan, which is considered a best practice for safeguarding consumer data trusted to financial institutions. Capital One’s arrangement with Mandiant included a Master Services Agreement (“MSA”) and subsequent Statements of Work (“SOW”) that outline services Mandiant would perform in the event of a cybersecurity incident. Immediately upon confirming the 2019 data breach, Capital One hired outside counsel to provide legal advice in connection with the data breach, including preparing for anticipated litigation and inquiries by regulators. Before Mandiant performed any response work, outside counsel executed a Letter Agreement with Mandiant referencing the same services and terms of Mandiant’s pre-existing MSA and SOW, but stating that “the work would be done at the direction of counsel and the deliverables would be provided to counsel instead of Capital One.” Pursuant to its agreement with outside counsel, Mandiant prepared a report “detailing the technical factors that allowed the criminal hacker to penetrate Capital One’s security.”
The court reasoned that there was no question that “there was a very real potential that Capital One would be facing substantial claims” at the time Mandiant performed its “incident response services” under the agreement with outside counsel, but in order to gain work product protection, Capital One needed to show that the report “would not have been prepared in substantially similar form but for the prospect of that litigation.”
On that point, the court found that Capital One likely would have asked Mandiant to perform the same services and prepare a similar written report under the pre-existing SOW. It highlighted the “long-standing relationship” and pre-existing agreements with Mandiant to “perform essentially the same services that were performed in preparing the subject report,” and noted that the retainer paid to Mandiant was accounted for as a “business-critical expense” and not a “legal expense” at the time it was paid.
The court also emphasized that the full Mandiant report was provided to and used by other internal groups at Capital One for business and regulatory purposes outside of the pending litigation. For example, Mandiant’s report was used internally for Sarbanes Oxley disclosures and was referenced in draft FAQs prepared by a senior VP of finance before the public announcement of the data breach. Capital One also provided the report to several members of its “cyber technical, enterprise services, information security and cyber teams,” as well as “four regulators (Federal Deposit Insurance Corporation, Federal Reserve Board, Consumer Financial Protection Bureau, and Office of the Comptroller of the Currency), and an accounting firm (Ernest & Young),” for various business and regulatory purposes.
Accordingly, the court held that Capital One failed to meet its burden to show that Mandiant’s scope of work under direction of counsel was any different than it would have been for services under the pre-existing agreements, or that the work would not have been performed absent the risk of litigation.
The Capital One decision is specific to the facts of that case and should not discourage companies from developing comprehensive incident response plans and retaining consultants before cybersecurity incidents occur, conducting thorough investigations, or preparing incident reports (which are often required under various privacy laws). Rather, the decision provides a baseline for some cautionary guidance for how to increase the likelihood that a court will apply the work product protection to internal investigation materials.
- Contact outside counsel before directing work by vendors during internal investigations. Even though Capital One found that hiring of outside counsel alone was insufficient, it is still an important factor in establishing that a vendor’s work is done in anticipation of litigation and that the cost is a legal, rather than a business, expense. Retaining outside counsel before you retain your technical forensics consultant may make a difference. Indeed, Capital One distinguished its circumstances from a previous case, In re Experian Data Breach Litig., where the court held a similar report was protected as work product in part because the company hired outside counsel first, and that counsel then retained the cybersecurity consultant to prepare a report.2
- Consider retaining a vendor without any pre-existing relationship to your company, and clearly delineate the scope of work. When evaluating vendors to assist with an internal investigation, it is important to distinguish work performed in anticipation of litigation from work that would be performed in the ordinary course of business. There may be times when it is useful to hire a vendor with prior knowledge of the company’s systems. And there are good reasons for your incident response plan to include the engagement of a pre-determined specific vendor. This allows for rapid response without waiting to assess vendor qualifications, negotiate terms, or clear conflicts.
However, if you are retaining a pre-existing vendor for incident response, make clear in a separate retention agreement or scope of work that the specific services will be in response to a litigation risk. If possible, pay the incident response retainer out of your legal budget.
- Draft your incident response plan to support your privilege and work product claims. Think about your litigation strategy in advance. Every data breach carries the risk of litigation, so your incident response plan should consider the involvement of outside counsel and contemplate that litigation-sensitive reporting would be directed by counsel. If possible, delineate what type of system review will be used for helping to assess liability and what type of review will be used for system repair and remediation. Ideally, use separate vendors for each, but at least request separate reports, and limit the information in each report to the intended purpose.
- Limit distribution of potentially privileged information or work product to necessary persons. A company may bolster work product protection by limiting distribution of investigation reports to its legal team. The court in Capital One did not reach the question of waiver, but suggested that even if the Mandiant report had been work product, the privilege may have been destroyed because Capital One distributed it to several parties without sufficient access restrictions. In contrast, the Experian court reasoned that because a full report was not provided to the company’s incident response team, the report was more relevant to litigation strategy than remediation efforts. Thus, a company should limit distribution of privileged reports to internal groups on a need-to-know basis, and include confidentiality instructions for maintaining the privilege. It should also maintain records of exactly who has access to the reports so you can prove their limited use. Using separate reports that segregate business-critical information from work done in anticipation of litigation may be helpful, though keep in mind that any information disclosed in a non-privileged report will not be protected just because it also appears in work product. Also, when disclosing information to government or regulatory agencies, companies should consider entering into non-waiver agreements.
1 Fed. R. Evid. 502(g).
2 No. 15-cv-01592, 2017 WL 4325583 (C.D. Cal. May 18, 2017).