Capital One Ordered to Produce Forensic Report in Data Breach Class Action
On May 26, 2020, a Magistrate Judge in the US District Court for the Eastern District of Virginia ordered Capital One to turn over a digital forensic investigation report in a class action arising out of a 2019 cyber incident affecting roughly 100 million US residents. The court rejected Capital One’s argument that the report is protected from disclosure by the attorney work product doctrine.
Although litigation was likely at the time of the investigation, the court concluded the report would have been prepared in the same form even if Capital One had not expected legal action. The decision provides important guidance for companies hiring forensic experts to investigate data security incidents.
Background
In 2015, Capital One entered into a Master Services Agreement with a cyber security consultant, Fireye, Inc. d/b/a Mandiant. Thereafter, Capital One and Mandiant entered into periodic Statements of Work pursuant to the MSA, including in January 2019.
In July 2019, Capital One discovered that unauthorized persons had gained access to customer personal information. Capital One immediately retained outside counsel. Several days later, outside counsel, Capital One, and Mandiant entered into a Letter Agreement pursuant to the MSA and existing SOW whereby Mandiant agreed to provide computer security incident response, digital forensics, and incident remediation services. After its investigation, Mandiant produced a report to outside counsel detailing the technical factors that allowed the hackers to penetrate Capital One’s security.
The Court’s Decision
In ordering production of the Mandiant report, the Capital One court expanded upon case law concerning whether data breach forensic reports are discoverable. The court applied a two-part test. Capital One, as the party asserting work product protection, had the burden to establish that (i) it faced an actual or potential claim following events that reasonably could result in litigation and (ii) the work product would not have been prepared in substantially similar form but for the prospect of that litigation.
There was no question the cyber incident was the type of event that Capital One knew would lead to litigation. However, the court held that Capital One failed to establish that Mandiant’s services would have been different if there was no prospect of litigation, emphasizing the following key factors:
- Pre-existing SOW. Before the breach, Capital One had an existing SOW for incident response services with a paid retainer that obligated Mandiant to provide 285 hours of services in 2019. The scope of work under the SOW was identical to the scope of work in the Letter Agreement.
- Payment to consultant. Mandiant was paid for its initial work out of the retainer, which Capital One classified as a “business critical” expense and not a “legal” expense at the time it was paid in February 2019.
- Disclosure of report. The report was disclosed to Capital One’s information security and cyber teams, its outside accountants, and various regulators, suggesting the cause and extent of the incident was significant for regulatory and business reasons. The court distinguished a similar case where the company performed (and produced evidence of) an independent data breach investigation while outside counsel retained a forensic expert to perform a separate investigation for litigation.
Although the court ordered production of the report, it denied without prejudice plaintiffs’ request for “related materials” (i.e., Capital One’s communications with Mandiant).
Takeaways
In light of the Capital One decision, companies should consider adjusting their approach to hiring outside forensic experts to maximize the protection of data breach investigations.
First, companies should consider hiring a new forensic expert in the event of a breach, instead of the consultants normally used for day-to-day security issues.
Second, the new expert should be retained by outside counsel and disclosure of the expert’s work product should be restricted to the litigation team.
Third, companies should consider conducting separate investigations to the extent such investigations are required for business and/or regulatory purposes. Companies should consider requesting verbal reports and less detail in written summary findings, with the expectation that the information will be more widely distributed and potentially subject to discovery in post-breach litigation.
Contacts
- Related Practices