Federal Court Holds Outside Cybersecurity Response Report Not Privileged

White and Williams LLP
Contact

White and Williams LLP

On May 26, 2020, in the matter In re Capital One Consumer Data Security Breach Litigation, MDL 1:19md2915 (Ed. Va.), the Federal District Court for the Eastern District of Virginia ordered Capital One to produce its cybersecurity incident response report, rejecting the contention that the report was privileged. Capital One contended that the report, produced by FireEye, Inc. d/b/a Mandiant (Mandiant), was prepared in anticipation of litigation following discovery of Capital One’s March 2019 data breach, and therefore protected by the work product doctrine. The court disagreed.

In finding against Capital One, the federal district court concluded that the Mandiant report had business and regulatory compliance purposes, and that Capital One failed to produce sufficient evidence showing that the report would not have been produced in a “substantially similar form” in the absence of anticipated litigation. The case turned on several controversial facts, including: (1) that Capital One had entered into a Statement of Work (SOW) with Mandiant for cybersecurity services in January 2019, several months before the breach, and (2) that a retainer paid to Mandiant pre-breach and exhausted for the work had been designated internally by Capital One as a “Business Critical” expense rather than a “Legal” expense.

That the work performed under the SOW ultimately manifested as an investigative assignment related to the March 2019 breach did not matter. Further, the court determined that a letter agreement among Capital One, the company’s outside data breach legal counsel, and Mandiant, entered into in July 2019 (after the breach was confirmed to have occurred) under which the SOW work would be directed by, and delivered directly to, outside legal counsel was insufficient to render the Mandiant report work product. The court also highlighted the distribution list for the report, which included Capital One’s internal regulatory team and outside accountants, as further evidence that the report had regulatory and business purposes beyond litigation. A more thorough analysis of this order is forthcoming.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White and Williams LLP | Attorney Advertising

Written by:

White and Williams LLP
Contact
more
less

White and Williams LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.