Federal Court Erodes Work Product Protections for Data Breach Investigations

Federal Court Erodes Work Product Protections for Data Breach Investigations

This alert has been updated with new information reflecting the district judge’s denial of Capital One’s appeal.

​In a recent decision, a Virginia federal magistrate judge held that the attorney work product doctrine did not protect from discovery a forensic investigation report created for Capital One in the wake of a 2019 data breach. See In re Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915, 2020 WL 2731238 (E.D. Va. May 26, 2020). This new decision threatens companies’ ability to protect such reports from disclosure to class action plaintiffs and other third parties, but the court’s analysis also implicitly points the way to better insulate such reports from discovery. Across the country, court decisions on the discoverability of such reports are split, and a single magistrate judge’s decision is of limited precedential value, but this was a significant win for the plaintiffs. Capital One has filed an appeal to the district judge. This alert examines the magistrate judge’s decision and the implications it has for companies in preparing for and responding to data security and privacy incidents.

The Capital One Breach

In 2015, Capital One entered into a consulting agreement with FireEye, Inc., d/b/a Mandiant (“Mandiant”), a cybersecurity consulting and investigation company, putting Mandiant on retainer so that it could respond quickly to a future cybersecurity incident. Ironically, this prudence ended up working against Capital One, in the court’s judgment.

In 2019, Capital One suffered a data breach that compromised the personal information of more than 100 million people. Following discovery of the breach, Capital One hired outside counsel to provide legal advice and assist in the investigation. Capital One’s outside counsel executed a new agreement with Mandiant to investigate and remediate the incident. Capital One paid Mandiant directly for its services, although Mandiant’s work was nominally done at the direction of counsel. Mandiant created a comprehensive investigative report regarding the breach and provided it directly to counsel. Counsel then provided it to more than fifty of Capital

One’s employees, with no explanation of the restrictions placed on those employees regarding further disclosure of the report.

In the wake of the public disclosure of the data breach, numerous complaints and class actions were filed and then consolidated into multidistrict litigation. The class plaintiffs moved to compel production of the Mandiant report, a critical and presumably candid record of the scope, causes and effects of the breach. In response, Capital One argued that the Mandiant report was protected by the attorney work product doctrine and should not be made available to plaintiffs’ counsel.

The Magistrate Judge’s Decision

The magistrate judge’s decision turned on whether Mandiant’s report was prepared “in anticipation of litigation” and thus protected by the attorney work product doctrine. The attorney work product doctrine protects the disclosure of materials prepared by or for an attorney during legal representation of a client. The Supreme Court recognized the doctrine in Hickman v. Taylor, 329 U.S. 495 (1947), stating that the work product protection is a rebuttable presumption that an adverse party is not entitled to discover documents and tangible things prepared by legal counsel in anticipation of litigation. Unlike the more absolute attorney-client privilege, work product protection is a “qualified” privilege that may be overcome if an adverse party can show a strong necessity and no reasonable alternative to obtain substantially similar information.

In resolving the motion to compel, the court noted that the key issue was whether Mandiant would have prepared the report any differently if litigation was not anticipated. The magistrate judge recognized that other courts had protected similar forensic reports from discovery, see, e.g., In re Experian Data Breach Litig., No. SACV1501592AGDFMX, 2017 WL 4325583 (C.D. Cal. May 18, 2017); In re Arby’s Rest. Grp., Inc. Data Sec, Litig., No. 1:17mi55555-WMR (N.D. Ga. Mar. 25, 2019); In re Target Corp. Customer Data Sec. Breach Litig., No. MDL142522PAMJJK, 2015 WL 6777384 (D. Minn. Oct. 23, 2015); Genesco, Inc. v. Visa, Inc. No. 3:13-cv-00202, 2015 WL 13376284 (M.D. Tenn. Mar. 25, 2015), but concluded those decisions were inapposite. Unlike the forensic experts in those cases, the court reasoned, Mandiant would have prepared a similar report regardless of whether there was a threat of litigation, and therefore Capital One did not carry “its burden of establishing that the forensic report is entitled to protection under the work product doctrine.” The court further differentiated Experian, in which the outside forensic investigation firm was a new consultant hired by outside counsel, and the full report was not given to Experian’s incident response team.

Although Capital One had hired outside counsel to act as an intermediary between Capital One and Mandiant, the court stated that this was insufficient to create a privilege that otherwise would not exist. Mandiant had already been working under contract for Capital One for four years and Capital One continued to pay Mandiant directly during the investigation into the breach. The magistrate judge found that “the work to be performed by Mandiant was the same, the terms were the same, but the work was to be performed at the direction of outside counsel and the final report delivered to outside counsel.” The court held that “[t]he retention of outside counsel does not by itself, turn a document into work product.” Further, the retainer paid by Capital One to Mandiant (prior to the breach) was considered a “business-critical” expense rather than a “legal” expense. The court also observed that the report was widely distributed within Capital One and not confined to a select litigation team under strict internal confidentiality protections. Because, according to the court, Mandiant’s report would have been prepared regardless of whether there was a threat of litigation, the court granted the class plaintiffs’ motion to compel the production of the forensic report and related information.

The Pending Appeal of the Magistrate Judge’s Decision

Capital One immediately filed an appeal to the district judge, calling the decision “unworkable” and arguing that the magistrate judge misapplied the controlling law. Capital One argued that “it is abundantly clear that the driving force behind the preparation of the Mandiant Report was to help [outside counsel] advise the Company about the waves of litigation that began rolling in within 24 hours of Capital One’s announcing the Cyber Incident.” Capital One warned that the court’s ruling could have a cooling effect and dissuade companies from planning ahead and engaging capable service providers to quickly respond to a data breach.

The plaintiffs opposed the appeal, arguing that the district court may not reverse the magistrate judge’s decision absent a showing that the ruling was “clearly erroneous or is contrary to law.” The plaintiffs argued that Capital One was improperly attempting to re-litigate the factual findings and introduce new evidence (including a report produced by Capital One after the magistrate judge’s decision). Capital One responded that the district court owes no deference to the magistrate judge’s decision, and that the plaintiffs are attempting to advance the wrong legal standard. Capital One argues it was justified in submitting additional clarifying evidence because the “clearly erroneous” standard is a mixed question of fact and law, and the court may consider all relevant evidence under Federal Rule of Civil Procedure 72(a).

UPDATE (6/25/20): On June 25, 2020, U.S. District Judge Anthony J. Trenga affirmed the magistrate judge’s decision to require Capital One to produce its cybersecurity analysis from the data breach. Judge Trenga agreed that Capital One’s hiring of outside counsel did not require Mandiant to perform work any differently, and that Mandiant’s contractual obligations were identical before and after the data breach. The court found “no difference between what Mandiant produced and what it would have produced in the ordinary course of business absent [outside counsel’s] involvement. . .” Additionally, the court found that the distribution of the Mandiant report to Capital One employees for business purposes was probative into the nature of the document as being “business critical,” and not merely in anticipation of litigation.

Takeaways

Based on this new decision, companies should consider taking the following steps to best establish their position that a post-breach forensic report is protected by the attorney work product doctrine. Some, but not all, of these steps were taken by Capital One:

  • Outside counsel should engage the cybersecurity consultant responsible for investigating the security breach. Ideally, the law firm would have established its own standby relationship with that cybersecurity consultant to avoid engagement delays.
  • For work product purposes, there might be some advantage in counsel’s hiring a different consultant from the company’s “regular” cybersecurity consultants. Of course, this also forfeits the advantage of using someone who may be deeply familiar with the company’s information technology systems, so the tradeoffs need to be considered. There is more at stake in responding to a major data breach than work product considerations.
  • If the company already retains a cybersecurity consultant and wants that consultant to do the work, that consultant should enter into a new and separate agreement directly with outside counsel with a scope of work related to that specific security breach. Cloning the company’s standard terms of engagement into the law firm’s terms of engagement may not be advisable.
  • Counsel should direct the actions of the investigators at all times.
  • Investigative documents should be provided directly to counsel, not to the company.
  • To the extent investigative documents are provided to the company, they should only be provided by outside counsel to a select group of company representatives, and distribution should be tightly managed under strict confidentiality protocols.
  • Original investigative documents should not be shared with third parties outside of the company. If federal or state statutes require certain disclosures, they should be prepared by outside counsel in consultation with the forensic investigators.
  • Payment for the investigation should be isolated as a specific “legal” expense for the company, ideally by paying through outside counsel rather than directly (although this may conflict with some law firms’ internal policies for managing client expenses).

As discussed above, pre-emptive steps and strategies can help protect sensitive and confidential data breach investigative documents from becoming discoverable. Saul Ewing Arnstein & Lehr LLP works directly with clients to help with defensive planning, engagement of resources, crisis management and mitigation actions relating to data security and privacy incidents. If you have questions about this alert, please contact the authors.

View Document(s):