Last week, a magistrate judge in the Eastern District of Virginia held that a breach report prepared by Mandiant (a digital forensics investigator, among other things) in response to the Capital One data breach was not protected by the attorney work product doctrine.
First some background: In 2019, a hacker “gained unauthorized access” to Capital One’s network. According to the company, the event “affected approximately 100 million individuals in the United States.” Capital One says no credit card numbers or log-in credentials were compromised; less than one percent of those affected had their Social Security Numbers compromised; and the individual who took the data was caught by the FBI.
Customers filed putative class actions after Capital One announced the breach, and the Judicial Panel on Multidistrict Litigation consolidated those cases in the Eastern District of Virginia. Discovery followed, and the plaintiffs demanded that Capital One turn over an investigation report about the breach prepared by Mandiant under the direction of Capital One’s outside counsel. Capital One declined to produce the report, asserting that it was protected attorney work product, and motion practice followed.
In his decision, Magistrate Judge Anderson first provided some context on how Mandiant was engaged to conduct its work and in preparing the report. In 2015 and again in 2019, before the breach occurred, Capital One entered into a retainer with Mandiant to provide incident response services in the event of a breach. Capital One designated those expenses as “Business Critical” instead of “Legal.” After Capital One discovered the breach in July 2019, it immediately hired outside counsel, which in turned signed a letter agreement with Mandiant. That letter agreement with outside counsel provided that Mandiant would be paid according to the terms of its prior agreement with Capital One, and that outside counsel and Mandiant would abide by the terms of Mandiant’s prior agreement with Capital One. It also said that Mandiant’s work would be done under the direction of counsel and any reports generated by Mandiant would be provided to counsel, not Capital One.
Mandiant went to work, ultimately producing a report that “detail[ed] the technical factors that allowed the criminal attacker to penetrate Capital One’s security.” The report was first shared with outside counsel, and then Capital One’s legal department and its board of directors. The magistrate judge’s decision also states that the contents of the report were additionally disclosed to Capital One’s auditor, dozens of business personnel, and four of Capital One’s regulators.
Following briefing and argument, the magistrate judge agreed with the plaintiffs that Capital One had not carried its burden to establish the work product privilege applied to the report. To qualify for protection under that doctrine in the Fourth Circuit, a party must prove (1) it faced an event that “reasonably could result in litigation,” and (2) the document “would not have been prepared in substantially similar form but for the prospect of that litigation.” In other words, the report would only be protected from disclosure if Capital One could establish that it was prepared “because of” the prospect of litigation.
Magistrate Judge Anderson found that Capital One met the first prong (not only did Capital One reasonably fear litigation after the breach, but it had already been sued before the report was finalized), but not the second. At the bottom, the court concluded that the report was not prepared because of litigation: the court reasoned that, even without the threat of litigation, Capital One would have “called upon Mandiant to perform” the same services and “prepare a [substantially similar] written report.” Critical to the magistrate judge’s conclusion was that (a) Capital One had a long-standing and pre-existing agreement with Mandiant to provide incident response services and (b) Mandiant’s investigation “was significant for regulatory and business reasons.” Magistrate Judge Anderson considered the fact that Mandiant’s work was “at the direction of outside counsel” and “the report was initially delivered to outside counsel,” but ruled those facts “did not alter the business purposes of the work” done by Mandiant.
The magistrate judge recognized that other courts had reached the opposite conclusion when faced with similar facts. But Magistrate Judge Anderson distinguished those cases because “Capital One had an existing [Statement of Work] and [Master Services Agreement] with Mandiant at the time of the data breach that was effectively transferred to outside counsel.” Although the court did compel the production of Mandiant’s final report, it denied the plaintiffs’ motion to compel materials “related” to that report. Those materials, the court explained, may be protected under the attorney-client privilege and work-product doctrine, even if the final report is not.
Good corporate governance and responsible incident-response planning requires the creation of an incident response plan that includes the names and contact information for key advisors, including outside experts. Indeed, best practices generally suggest that companies—especially ones in the financial services industry of the size and sophistication of Capital One—identify in advance outside computer forensic experts who can assist at a moment’s notice with incident response, remediation and investigation. The court’s decision in Capital One creates a dilemma for such companies: Should they have a forensic shop on retainer so that it can provide an immediate response while putting the work product privilege at risk? Or should it leave the selection of a forensic shop to part of its incident response and run the risk of delaying the response? Given the court’s conclusion, companies might consider having a pre-selected cybersecurity counsel, who will in turn have a forensics investigator on retainer. In the event of a breach, counsel can quickly inform and coordinate with the cybersecurity investigator.
As we’ve written about in our blog, the Capital One opinion is not the first to consider whether a forensic breach report can be protected by the work product doctrine. And it won’t be the last. We’ll continue monitoring the emerging (and conflicting) legal landscape.