On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.

Background

In early 2019, Capital One was subjected to a cyber-attack in which a third party obtained unauthorized access to certain personal information of approximately 100 million individuals.[2]  Shortly after becoming aware of the breach, Capital One entered into a Letter Agreement with the cybersecurity consulting firm FireEye, Inc. d/b/a Mandiant to investigate the breach at the direction of outside counsel in anticipation of litigation.  A complaint initiating litigation was in fact filed shortly after the bank’s public announcement of the breach.

Since 2015, Capital One had engaged Mandiant under a Master Services Agreement to assist in its ongoing routine data protection efforts, including incident response, remediation, and digital log analysis.  In contrast to the 2015 Master Services Agreement, the 2019 Letter Agreement was signed by outside counsel and provided for Mandiant’s work to be directed by and produced directly to counsel.  The scope of work described in the 2019 Letter Agreement was nearly identical to that set forth in the 2015 agreement and prior statements of work.

Pursuant to the 2019 Letter Agreement, Mandiant issued a forensic report detailing the factors and circumstances contributing to the breach.  The findings were initially provided to outside counsel but later were circulated to numerous employees on a corporate governance email distribution list, the Board of Directors, four federal regulators, and Capital One’s external auditor.

In ruling on plaintiffs’ motion to compel disclosure of the Mandiant report, the district court concluded that the report was not protected by work product privilege.  Under a two-factor test set forth in RLI Insurance Co. v. Conseco, Inc., to establish work product privilege over the report, Capital One must have (1) faced an actual or potential claim following an event that “reasonably could result in litigation” and (2) shown that the report “would not have been prepared in substantially similar form but for the prospect of litigation.”[3]  The court held that Capital One failed to satisfy the second prong based on two primary factors: (1) the similarity in scope of work between the 2019 Letter Agreement and prior statements of work; and (2) the broad dissemination of the report for regulatory and business purposes.  Because of these facts, the court concluded that the report was prepared to satisfy a business need and would have been prepared in the same form regardless of the prospect of litigation.

Takeaways

Federal courts have previously held that forensic investigation reports produced in the aftermath of a cyber-attack or other data breach incidents are protected by the work product doctrine where the reports were prepared primarily in anticipation of litigation, rather than in the ordinary course of business.[4]  In recent years, however, some courts have denied work product protections for such reports, even when companies have taken affirmative steps to protect them such as tasking outside counsel with the responsibilities of retaining and managing third party investigators and outlining the litigation-oriented purpose of the investigator’s work product.[5]

While the ruling was issued in the context of data breach litigation, its impact may extend to the work product of any third-party investigator in other contexts.  The court’s decision generally highlights the challenges in maintaining protection over the work product of investigators who have broad retainer agreements, and in cases where the product is used for multiple purposes.

The Eastern District of Virginia’s ruling would appear vulnerable to appeal, based on other federal case law.  In the meantime, however, the ruling suggests that additional proactive measures could help to preserve privilege and minimize the risk of court-ordered disclosure:

  • Distinguish the terms of engagement from prior engagements – An agreement that governs retention and work product in the aftermath of a breach should distinguish the nature of the engagement, scope of work, payment arrangement and required deliverables from ordinary course retainer agreements. Companies should take care to limit referencing or incorporating prior agreements that were intended to serve a business purpose, and should designate payments for work product as legal, not business, expenses.  Both the Eastern District of Virginia Magistrate Judge and District Court Judge suggested that it should still be possible to retain work product privilege even where a consultant is on a standing retainer, including by distinguishing the scope of work and by clarifying the legal nature of expenses incurred.
  • Tailor the work product to litigation preparation – Counsel should take precautions to ensure the actual documents produced in anticipation of litigation are not substantially similar in substance or form to work product created in normal course engagements. This may include tailoring the scope of work based on the litigation risk or having outside counsel take on a more collaborative and engaged role in the third party work product, rather than just directing the delivery and timing of the relevant reports.  Close involvement by outside counsel in the creation, nature, and coverage of the report can help refute subsequent claims that the report does not warrant work product protections.
  • Restrict distribution of work product – To maximize the protections afforded to work product, companies should carefully consider how the relevant work product is distributed and, to the extent possible, restrict distribution within their institutions to in-house counsel and others who are directly involved in directing litigation strategy.  If the report’s analysis, findings or factors considered are shared with auditors or business personnel within the company, it may be advisable to summarize only relevant portions and to keep in mind that there is a risk that plaintiffs may attack privilege protection.  In particular, companies should carefully consider whether to distribute reports prepared in anticipation of litigation to internal teams or units tasked with coordinating the business or public relations response to the data breach, as courts may not consider such activities to fall within the work product protection.

[1] In Re: Capital One Consumer Data Security Breach Litigation, MDL No 1:19 MD 2915 (AJT) (JFA), 2020 WL 3470261 (E.D. Va. Jun. 25, 2020).

[2] Press Release, Capital One Fin. Corp. Newsroom, Information on the Capital One Cyber Incident (Sept. 23, 2019), https://www.capitalone.com/facts2019/.

[3] 477 F. Supp. 2d 741 (E.D. Va. 2007).

[4] See, e.g., In re Target Corporation Customer Data Security Breach Litigation, MDL No. 14 2522 (PAM/JJK), 2015 WL 6777384 (D. Minn. Oct. 23, 2015); see also In re Experian Data Breach Litigation, SACV 15-01592 AG DFMX, 2017 WL 4325583, *2 (C.D. Ca. May 18, 2017).

[5] See, e.g., In re Dominion Dental Services USA, Inc. Data Breach Litigation, 429 F. Supp. 3d 190 (E.D. Va. 2019); see also In re Premera Blue Cross Customer Data Security Breach Litigation, 296 F. Supp. 3d 1230 (D. Or. 2017).