Federal Court Holds Outside Cybersecurity Response Report Not Privileged
On May 26, 2020, in the matter In re Capital One Consumer Data Security Breach Litigation, MDL 1:19md2915 (E.D. Va.), the Federal District Court for the Eastern District of Virginia ordered Capital One to produce its cybersecurity incident response report, rejecting the contention that the report was privileged. Capital One contended that the report, produced by FireEye, Inc. d/b/a Mandiant (Mandiant), was prepared in anticipation of litigation following discovery of Capital One’s March 2019 data breach, and was therefore protected by the work product doctrine. The court disagreed.
In finding against Capital One, the federal district court concluded that the Mandiant report had business and regulatory compliance purposes, and that Capital One failed to produce sufficient evidence showing that the report would not have been produced in a “substantially similar form” in the absence of anticipated litigation. The case turned on several controversial facts, including: (1) that Capital One had entered into a Statement of Work (SOW) with Mandiant for cybersecurity services in January 2019, several months before the breach, and (2) that a retainer paid to Mandiant pre-breach and exhausted for the work had been designated internally by Capital One as a “Business Critical” expense rather than a “Legal” expense.
That the work performed under the SOW ultimately manifested as an investigative assignment related to the March 2019 breach did not matter. Further, the court determined that a letter agreement among Capital One, the company’s outside data breach legal counsel, and Mandiant, entered into in July 2019 (after the breach was confirmed to have occurred), under which the SOW work would be directed by, and delivered directly to, outside legal counsel, was insufficient to render the Mandiant report work product. The court also highlighted the distribution list for the report, which included Capital One’s internal regulatory team and outside accountants, as further evidence that the report had regulatory and business purposes beyond litigation. A more thorough analysis of this order is forthcoming.
If you have questions or would like further information, please contact Joshua A. Mooney (215.864.6345), Richard M. Borden (212.631.4439), or Gwenn B. Barney (215.864.7063).