Last July, Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.[1]  Within days, lawsuits were filed nationwide asserting an assortment of claims relating to the data breach.

Last week, in a class action filed in Virginia a federal magistrate ordered Capital One to provide its incident report for the data breach to counsel for the plaintiffs.  Capital One had contended that the report is protected attorney work product and that it shouldn’t have to.  The Virginia court disagreed, for reasons that are instructive.

When an Incident Report Is Not Attorney Work Product

Since 2015, Capital One had retained Mandiant to provide various cybersecurity services.  The data breach occurred in March 2019, but it was not confirmed until July 19 of that year.  A day later Capital One retained outside counsel which then retained Mandiant to assist with its investigation on July 24.  Then, on July 29 the public was notified about the data breach.

The issue the court decided last week was whether the Mandiant incident report was privileged and therefore protected from disclosure by the work product doctrine.[2]  This doctrine generally preserves the privacy of attorneys’ case materials, but it has limits.  To guide its decision in Capital One the court stated:

In order to be entitled to protection, a document must be prepared “because of” the prospect of litigation and the court must determine “the driving force behind the preparation of each requested document” in resolving a work product immunity question.[3]

Applying this standard, the court believed the incident report would have been prepared anyway even if the data breach had not occurred and determined that it needed to be disclosed.  In reaching this conclusion, after “considering the totality of the circumstances,” the court found these facts compelling:

• The work performed for Capital One by Mandiant prior to the data breach and then for Capital One’s outside counsel after the data breach was the same.
• Capital One had treated Mandiant’s work as a business-critical expense. It was not converted to a legal expense until months after its data breach counsel was retained.
• The incident report would have been prepared for regulatory purposes anyway – it was given to four regulators, an accountant, and a senior vice president.
• The incident report also would have been prepared for business purposes. More than 50 Capital One employees were given the report, without explanation as to why.

Notably, the court closely examined the incident report issues in other data breach class actions involving Experian, Arby’s, Target, and Visa.  The court found Experian was different and the other cases unhelpful.  Instead, it closely tracked the rationale in cases involving healthcare company Premera in Oregon, and dental services company Dominion in Virginia.

Protecting Incident Reports as Attorney Work Product

In Premera and Dominion,[4] the court required that incident reports be disclosed because the same cybersecurity firm, Mandiant, had been retained earlier to provide both companies various cybersecurity services.  But when outside counsel was subsequently retained to provide legal advice in relation to cybersecurity incidents, the scope of work was not changed.

Taken altogether, these cases and Capital One demonstrate that after experiencing a data breach, organizations that want to ensure their incident reports – explaining ‘what happened’ and ‘how’ – obtained via outside counsel are protected, so that they can receive appropriate legal advice, should do the following:

• When a data breach happens and outside counsel is retained to provide legal advice, if it uses a cybersecurity firm the company already has, make sure there is a separate agreement that details the work it is being retained to do for outside counsel.
• If the organization’s incident response plan includes a cybersecurity firm on its incident response roster, state that a new agreement will be entered into with outside counsel if it is determined necessary to assist with providing legal advice.
• Consider withholding the incident report from an organization’s incident response team since it is to be used by outside counsel to provide legal advice to in-house counsel and management and to eliminate the appearance of a dual purpose.
• In an incident response plan, state that an internal investigation will be conducted, that an incident report may be prepared by outside counsel to provide legal advice, and that technical consultants may be retained by outside counsel to assist it.

Capital One is required to produce the Mandiant incident report to the class plaintiffs’ counsel by June 8, 2020.

If you have questions about cybersecurity incident reports relating to the prospect of litigation, please contact Romaine Marshall at romaine.marshall@stoel.com or (801) 578-6905, or Jose Abarca at jose.abarca@stoel.com or (801) 578-6948.

[1] Capital One, Information on the Capital One Cyber Incident, https://www.capitalone.com/facts2019/ (Sept. 23, 2019).

[2] The attorney-client privilege, “the oldest of the privileges for confidential information” entitling a client to withhold confidential communications in order to obtain legal assistance, was not asserted by Capital One as a basis to withhold the incident report and therefore will not be discussed in this alert.

[3] In re Capital One Consumer Data Security Breach Litigation Mem. Op. and Order at 6 dated May 26, 2020 [Dkt. No. 490] (citing Nat’l Union Fire Ins. Co. v. Murray Sheet Metal Co., 967 F.2d 980, 984 (4th Cir. 1992)).

[4] In re Premera Blue Cross Customer Data. Sec. Litig., 296 F. Supp. 3d 1230 (D.Or. 2017), and Dominion Dental Servs. USA, Inc. Data Breach Litig., 2019 WL 7592343 (E.D. Va. Dec. 19, 2019).