Cyber Investigations and Privilege: Court Finds Forensic Report not Covered by Work Product Doctrine

By Michelle Kisloff, Allison Holt Ryan, Peter Marta, Paul Otto & Adam Cooke on June 4, 2020

Last week, the U.S. District Court for the Eastern District of Virginia ordered Capital One to produce a forensic investigation report in multidistrict litigation arising out of the cyber incident Capital One announced in July 2019. The court found that the report was not protected by the work product doctrine because Capital One had not shown that “but for” the litigation the report would not have been prepared in substantially the same form. The opinion offers some lessons for companies entering into arrangements with forensic experts in advance of cyber events.

The ruling adds to a recent set of cases in which courts have taken a hard look at whether to afford protection to the work of cyber incident response service providers, including In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190 (E.D. Va. 2019), and In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230 (D. Or. 2017), both of which found that post-incident investigation reports were discoverable.

These decisions are in tension with case law applying a more flexible standard to claims of attorney-client privilege or work product protection. See, e.g., In re Kellogg Brown & Root, Inc., et al., 756 F.3d 754, 760 (D.C. Cir. 2014); In re Experian Data Breach Litigation, 15-01592, 2017 WL 4325583 (C.D. Cal. May 18, 2017). This common-sense approach acknowledges that there can be non-legal reasons for a forensic investigation, but where preparation for litigation is a key reason for the work, it still deserves protection. The Capital One court did not apply this approach, and it is important to understand what factors drove its analysis.

The Capital One court emphasized the following in compelling production of the Mandiant report:

  • Nature of Mandiant’s services. The court found Mandiant’s incident response services would have been performed in substantially similar form even in the absence of litigation. In the court’s view, statements that Mandiant’s work “was to be ‘under the direction of Counsel’ did not alter the business purpose of the work.”
  • Timing of Mandiant’s engagement. The court focused on the prior, ongoing engagement between Capital One and Mandiant, which dated back to 2015. It also focused on the fact that the statement of work underlying Mandiant’s forensic services was signed in January 2019, which pre-dated the cyber incident.
  • Payment. The court found that Capital One had designated Mandiant’s work as a “Business Critical” expense, not a “Legal” expense. The Mandiant report was paid for out of the retainer provided to Mandiant under the January 2019 statement of work, and expenses associated with Mandiant’s initial incident-related work were “paid directly by Capital One through their Cyber organization budget.” These expenses were then re-designated as legal expenses in December 2019 and deducted against Capital One’s legal department’s budget.
  • Use of Mandiant’s report. The court viewed the disclosure of Mandiant’s incident report to an external accountant as “not necessarily” rising to the level of “waiver” but as evidence that the purpose of the report was not driven by the litigation and legal needs. The court expressed a similar view about use of the report for regulatory disclosure purposes.

Although the court ordered the production of the Mandiant report, it denied without prejudice Plaintiffs’ request for access to “related materials” about the internal investigation. The court found that Plaintiffs’ motion to compel those materials was not yet ripe. It remains to be seen whether the court will open the door to discovery into Capital One’s incident response investigation more broadly.

This decision underscores several factors that are likely to influence how courts evaluate work product claims related to cyber incident investigations, including when service providers are retained, how they are retained, and how their work will be used and shared both within and outside an organization.

  • Posted in:
    Privacy & Data Security
  • Blog:
    HL Chronicle of Data Protection
  • Organization:
    Hogan Lovells
