Privacy & Information Security Law Blog

Last month, in In re: Capital One Customer Data Security Breach Litigation, E.D. Va., No. 1:19-md-02915, U.S. Magistrate Judge John Anderson (the “Judge”) ordered Capital One Financial Corp. (“Capital One”) to disclose a forensic report to the plaintiffs in a lawsuit stemming from Capital One’s 2019 data breach. In doing so, the Judge rejected Capital One’s argument that the report is protected from disclosure to the plaintiffs by the work product doctrine.

In January 2019, Capital One entered into a non-privileged SOW with Mandiant to perform incident response services. Capital One suffered a data breach between March 2019 and July 2019. After becoming aware of the data breach, Mandiant, Capital One and Capital One’s outside counsel executed a tri-party letter agreement, which was found to have included the same scope of work as the January SOW. In September 2019, Mandiant issued a detailed report of its findings and recommendations.

After the data breach was announced publicly at the end of July 2019, a lawsuit was filed against Capital One related to the breach. In connection with the lawsuit, plaintiffs’ counsel sought to obtain the September 2019 report prepared by Mandiant. Capital One responded by asserting that the report was protected by the work product doctrine. Plaintiffs filed a motion to compel production of the Mandiant report, which the Judge granted. Capital One has objected to the Judge’s order to compel production, and the court has stayed the order until Capital One’s objections are resolved.

The question before the court was whether the work product doctrine permits a defendant in data breach litigation to withhold production of a forensic report developed by a third party investigator at the direction of outside counsel in relation to the data breach. In this case, the Judge found that the forensic report was not protected by the work product doctrine and granted plaintiffs’ motion to compel Capital One to produce the report.

In reaching this decision, the Judge noted that interpreting whether a particular document is protected from discovery by the work product doctrine is a fact-intensive inquiry and that courts generally will construe evidentiary privileges narrowly. Here, the Judge determined that Capital One did not carry its burden of establishing that the forensic report was entitled to work product protection. The Judge believed that Mandiant’s report would have been prepared in substantially similar form, whether or not litigation was to ensue.

In support of this determination, the Judge relied on the following key facts in the case: (1) Capital One and Mandiant executed a non-privileged SOW for data breach-related services prior to the occurrence of the data breach; (2) the post-breach tri-party letter agreement included the same scope of work as the non-privileged SOW that was executed prior to the data breach; and (3) evidence presented suggested that Mandiant’s breach response services were not specifically directed at litigation because, for example, the Judge found that Capital One distributed the report widely to four different regulators and to its accountant. The Judge found that, on the flip side, the only evidence Capital One offered in support of its position was that the work Mandiant performed was at the direction of outside counsel and the final report was initially delivered to outside counsel.

The Judge’s opinion in this case underscores the importance of establishing engagements with incident response providers, such as forensic investigators, with careful consideration towards establishing and protecting appropriate privileges. It is also important for organizations to evaluate their incident response plans to ensure potential data breaches are quickly escalated to counsel. When brought in early, counsel is in a better position to engage a forensic investigator to aid in rendering legal advice and prepare for litigation, as applicable. In that regard, counsel may advise the organization on the purpose for which any reports should be created, appropriate distribution of any such reports and who should be in the “circle of trust” to receive communications and information that is of a privileged nature.