Protecting Your Organization: Eastern District of Virginia Rules Cybersecurity Incident Report Not Privileged Work Product

On May 26, 2020, in In re Capital One Consumer Data Security Breach Litigation, MDL 1:19md2915 (E.D. Va.) the Federal District Court for the Eastern District of Virginia (Alexandria Division) (Anderson, J.) held that a forensic investigation report conducted by a third-party investigator under the direction of outside counsel on behalf of Capital One in response to a data breach was not entitled to protection under the attorney work product doctrine. The class action lawsuit was filed against Capital One following the discovery of Capital One’s March 2019 data breach which compromised the personal information of approximately 100 million individuals.

Capital One argued that the report, produced by FireEye, Inc. d/b/a Mandiant (Mandiant), was prepared in anticipation of litigation following the data breach and therefore was protected by the attorney work product doctrine. The court disagreed and ordered Capital One to provide the report to plaintiffs.

In its decision, the court identified several factors in support of its ruling.  First, in 2015, Capital One entered into a Master Services Agreement (MSA) with Mandiant, and subsequent Statements of Work (SOW), for the provision of computer incident response services, including the preparation of a final report with recommendations for remediation. Second, in the SOW executed in January 2019, Capital One paid Mandiant a retainer entitling it to 285 hours of services from Mandiant for incident response services in the event such services were necessary. Capital One designated the retainer as a “Business Critical” expense and not a “Legal” expense. Third, after the discovery of the data breach, Capital One retained outside counsel to provide legal advice in connection with the breach. Outside counsel entered into a Letter Agreement with Mandiant in which Mandiant agreed to provide the same services under the same terms as set out in the MSA and the January 2019 SOW, which the court found effectively transferred the existing MSA and SOW to outside counsel.  In September 2019, Mandiant issued the report to outside counsel, which was then disclosed to four different regulators, Capital One’s legal department, Capital One’s Board of Directors, and Capital One’s accountants.  

The court found that Mandiant’s work under the Letter Agreement was virtually identical to the work set forth in the existing MSA and SOW and that Capital One failed to demonstrate that the resulting report was prepared because of the prospect of litigation rather than in the ordinary course of business or pursuant to regulatory requirements, and thus the report was not entitled to protection under the work product doctrine.

Although this case involved the disclosure of a report involving a data breach, the court’s analysis is clear: the scope of the work product privilege is limited, and organizations must consider this carefully in determining what steps should be taken to better shield documents from discovery.