Last week, the U.S. District Court for the Eastern District of Virginia ordered Capital One to produce a forensic investigation report in multidistrict litigation arising out of the cyber incident Capital One announced in July 2019. The court found that the report was not protected by the work product doctrine because Capital One had not shown that “but for” the litigation the report would not have been prepared in substantially the same form. The opinion offers some lessons for companies entering into arrangements with forensic experts in advance of cyber events.
The ruling adds to a recent set of cases in which courts have taken a hard look at whether to afford protection to the work of cyber incident response service providers, including In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190 (E.D. Va. 2019), and In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230 (D. Or. 2017), both of which found that post-incident investigation reports were discoverable.
These decisions are in tension with case law applying a more flexible standard to claims of attorney-client privilege or work product protection. See, e.g., In re Kellogg Brown & Root, Inc., et al., 756 F.3d 754, 760 (D.C. Cir. 2014); In re Experian Data Breach Litigation, 15-01592, 2017 WL 4325583 (C.D. Cal. May 18, 2017). This common sense approach acknowledges that there can be non-legal reasons for forensic investigation, but where the preparation for litigation is a key reason for the work, it still deserves protection. The Capital One court did not apply this approach, and it is important to understand what factors drove its analysis.
The Capital One court emphasized the following in compelling production of the Mandiant report:
- Nature of Mandiant’s services. The court found Mandiant’s incident response services would have been performed in substantially similar form even in the absence of litigation. In the court’s view, statements that Mandiant’s work “was to be ‘under the direction of Counsel’ did not alter the business purpose of the work.”
- Timing of Mandiant’s engagement. The court focused on the prior, ongoing engagement between Capital One and Mandiant, which dated back to 2015. It also focused on the fact that the statement of work underlying Mandiant’s forensic services was signed in January 2019, which pre-dated the cyber incident.
- Payment. The court found that Capital One had designated Mandiant’s work as a “Business Critical” expense, not a “Legal” expense. The Mandiant report was paid for out of the retainer provided to Mandiant under the January 2019 statement of work, and expenses associated with Mandiant’s initial incident-related work were “paid directly by Capital One through their Cyber organization budget.” These expenses were then re-designated as legal expenses in December 2019 and deducted against Capital One’s legal department’s budget.
- Use of Mandiant’s report. The court viewed the disclosure of Mandiant’s incident report to an external accountant as “not necessarily” rising to the level of “waiver” but as evidence that the purpose of the report was not driven by the litigation and legal needs. The court expressed a similar view about use of the report for regulatory disclosure purposes.
Although the court ordered the production of the Mandiant report, it denied without prejudice Plaintiffs’ request for access to “related materials” about the internal investigation. The court found that Plaintiffs’ motion to compel those materials was not yet ripe. It remains to be seen whether the court will open the door to discovery into Capital One’s incident response investigation more broadly.
This decision underscores several factors that are likely to influence how courts evaluate work product claims related to cyber incident investigations—from the timing of when service providers are retained, how they are retained, and how their work will be used and shared both within and outside an organization.