Protecting Your Organization: Lessons from In re Capital One for Third-Party Cybersecurity Incident Reports
In the action In Re Capital One Consumer Data Security Breach Litigation, No. 19-2915 (E.D. Va.) (Capital One), a Virginia federal court determined that the report of a forensics investigation conducted by a third-party investigator under the direction of outside counsel was not privileged and had to be produced. The essence of the court’s decision is that the report was not work-product because Capital One would likely have ordered the forensic report completed even if it had not anticipated litigation. Is this decision extraordinary? It’s hard to cast fault on the company or its counsel, and the decision serves as a cold reminder of how fragile privilege can be.
Similar decisions suggest that it is becoming more difficult to shield third-party forensics reports from discovery. The scope of the work-product doctrine is sometimes overestimated and relied upon too heavily. There are countless decisions holding that a document is not work-product simply because counsel was involved.
So, navigating the privilege line can be difficult, especially in cybersecurity matters. In the context of a data breach response, events can move fast – like under 12 parsecs for the Kessel Run fast. Shortcuts in structure and procedure caused by time pressures can have substantial and detrimental consequences later. It is critical for organizations to appreciate and prepare for the appropriate procedures when retaining a forensics consultant. Those procedures cover the context and structure of the consultant’s retention, the dissemination of its report, and sometimes even the content of the report itself. In light of the Capital One decision, there are several steps organizations and their counsel (in-house and outside) may take to strengthen a privilege claim for a forensics report.
To understand what should be done, it is critical to first know what happened in Capital One. In November 2015, Capital One entered into a Master Services Agreement (MSA) with FireEye, Inc., d/b/a Mandiant (Mandiant), which was supplemented by periodic Statements of Work (SOW) for specific services under the MSA’s terms. The SOWs provided for incident response services by Mandiant, if necessary. It was undisputed that a significant purpose of the MSA and SOWs “was to ensure that Capital One could quickly respond to a cybersecurity incident should one occur.” In re Capital One, slip op., at 1. In January 2019, Capital One entered into another SOW with Mandiant entitling it to 285 hours of services including, if necessary, incident response services. Id. at 2. Capital One designated the retainer to be paid as a “business critical” expenditure. Id.
In March 2019, Capital One suffered what is now a well-publicized data breach that compromised the personal data of over 100 million consumers. Capital One confirmed the data breach on July 19, 2019, and the next day retained outside counsel to provide legal advice in connection with the incident. Id. at 2. On July 24, 2019, outside counsel and Capital One signed a Letter Agreement with Mandiant, whereby Mandiant agreed to provide incident response services, including digital forensics, log and malware analysis and incident remediation. These services were to be performed under the same terms as the January 2019 SOW, but the Letter Agreement stated that the work was to be done at the direction of counsel and that deliverables would be provided to outside counsel instead of Capital One. Id. at 3.
Mandiant performed the services, preparing a September 2019 report “detailing the technical factors that allowed the criminal hacker to penetrate Capital One's security” (the Mandiant Report). Id. Capital One paid Mandiant out of the retainer already given under the 2019 SOW. When the retainer amount was exhausted, Capital One paid Mandiant's additional fees from its cyber organization department. In December 2019, about three months after Mandiant had issued its report, Capital One re-designated the expenses as legal expenses and deducted them against Capital One's legal department's budget. Id.
Pursuant to the Letter Agreement, the Mandiant Report initially was sent to outside counsel, which in turn provided the report to Capital One’s legal department. Outside counsel also appears to have provided the report to Capital One's Board of Directors. Documents provided to the Capital One court showed that the individuals and organizations that received copies of the report included approximately fifty Capital One employees, four regulators and the accounting firm Ernst & Young. In opposing the motion to compel the report’s production, Capital One did not explain why each recipient was provided with a copy of the report, or show that it had placed restrictions on further copying or dissemination of the report. Id. at 4-5.
The In Re Capital One Court’s Decision
The work-product doctrine is a court-created exemption of materials from discovery under the theory that an opposing party should not have the right to discover those materials through its counsel which it has prepared for prosecution or defense of a claim. Federal Rule of Evidence 502 defines work-product protection as “the protection that applicable law provides for tangible material (or its intangible equivalent) prepared in anticipation of litigation or for trial.” Fed. R. Evid. 502(g)(2). “Anticipation of litigation” is a key concept – if the materials were not created in anticipation of litigation, they are not subject to the work-product doctrine protection.
Thus, materials prepared in the ordinary course of business, pursuant to regulatory requirements, or for other non-litigation purposes are not materials prepared in anticipation of litigation and fall outside the work-product doctrine protection. Courts in the Fourth Circuit, where the Capital One case is pending, examine “the driving force behind the preparation of” the document at issue to determine if the work-product doctrine applies. Slip op. at 6. Under this legal standard, in the case before it, while the court agreed that when Mandiant began its “incident response services” in July 2019, there was a very real potential that Capital One would face litigation, “the determinative issue is whether the Mandiant Report would have been prepared in substantially similar form but for the prospect of that litigation.” Id.
To begin, the Capital One court established the heavy framework for the issue by stating that “the party requesting protection under the work product doctrine bears the burden of showing how it would have investigated the incident differently if there was no potential for litigation.” Slip op. at 7. This question was critical to its analysis. Having an investigation be done at the direction of outside counsel is not enough. In determining that the Mandiant Report was not privileged, the court noted:
- Capital One had a long-standing relationship with Mandiant and had a pre-existing SOW;
- the retainer paid to Mandiant was a business-critical expense at the time it was paid;
- the Mandiant Report was provided to four different regulators and to an accountant, showing that the results of an independent investigation were significant for regulatory and business reasons; and
- the Mandiant Report was used for Sarbanes-Oxley disclosures and was referenced in draft FAQs prepared by a senior vice president prior to the public announcement of the data breach.
The court concluded that the “only significant evidence that Capital One has presented concerning the work Mandiant performed is that the work was at the direction of outside counsel and that the final report was initially delivered to outside counsel” – evidence that was insufficient to apply the work-product doctrine protections. Slip op. at 7-8.
Contrasting the case at hand with a similar discovery battle in the lawsuit In re Experian Data Breach Litigation – where the California federal court held that a report prepared by Mandiant was privileged, the court noted several differentiating factors, including the context of Mandiant’s retention and use of the report:
- Experian had immediately retained outside counsel, and outside counsel had hired Mandiant to prepare a report; and
- the report was not given to Experian's incident response team, noting the California federal court’s conclusion that if the report had been "more relevant to Experian's internal investigation or remediation effort, as opposed to being relevant to defense of the litigation, then the full report would have been given to that team."
Most significant to the Capital One court was that the work to be done by Mandiant in connection with the March 2019 data breach was the same work to be performed under the MSA and SOW, without any differentiating factors other than the report was to be sent to outside counsel first. Id. at 9.
Strengthening Privilege Over a Forensics Report
There are specific processes and procedures organizations should consider when retaining a firm to conduct a forensics analysis in response to a cybersecurity incident. Different contexts provide different levels of importance for each. The critical common denominator, however, is that an organization must be prepared to produce objectively demonstrable actions that show the forensics firm’s investigation, and its report, were produced and disseminated for the purpose of legal defense and not for business operations or regulatory compliance. A key consideration that courts (and plaintiffs’ counsel) will focus upon is whether, in response to a cybersecurity incident, the organization would have had the forensics analysis report prepared even in absence of any anticipated litigation. Here are five things to consider.
1. The Report’s Intended Use and Whether a Separate Report is Required
The critical factor, especially in Capital One, is that a party must show why a forensics report claimed as privileged differs from a report produced for response and reporting purposes. Most organizations that sustain a cybersecurity incident will need to investigate the incident and report on it, whether for operational or compliance purposes. If the organization intends to use the forensics report primarily to analyze the who, what, where, why, when and how of an incident, a court may determine that the report was created for a business purpose and is not privileged.
In some circumstances, an organization may consider having two separate reports prepared, possibly by two separate forensics investigators. One report would be for the incident response itself, focusing solely on factual information – namely, what is known and what is not known. It should provide only what is required for regulators, business partners and data breach response statutes. Such a report could even be exculpatory, depending upon the information uncovered, in which case the company may want to produce it. The second report would be prepared for counsel’s use only. Its investigation could be broader in scope, include some speculation and serve an advisory purpose. It could opine on what might have happened where the factual information is unclear.
2. Limited Dissemination
The scope of a report’s dissemination can reveal the report’s true purpose. If the report is provided to an organization’s full incident response team, to auditors and to persons beyond those who need to know for litigation purposes, a court may hold that the report served a business purpose and was not created in anticipation of litigation. That is what happened in Capital One, where the court determined that the Mandiant Report’s dissemination to over 50 employees, four regulators and an accounting firm rendered the work-product doctrine inapplicable. Limited dissemination also may help qualify a report as opinion work product, which receives a higher level of protection.
3. Pre-Existing Agreements
The Capital One court emphasized the pre-existing relationship between Capital One and Mandiant as a factor in its decision. Yet, distilling the court’s reasoning, what drew the court’s focus was the fact that Capital One routinely retained Mandiant for business purposes, and remained in that business-purpose structure to respond to the March 2019 data breach. Compounding the issue is that an incident response report ostensibly may serve both a business purpose and a legal purpose. An organization’s incident response process should look and feel different from typical operations with a managed security provider. If there is a component of it for litigation purposes, that component should be segregated from the other components of the process.
4. Language Matters
It is not unreasonable to anticipate that an organization may be required to produce a forensics report, especially if only one report is produced. Some have suggested elsewhere that organizations refrain from preparing reports. We disagree with that advice. Reports help document thorough investigations and can provide affirmative evidence that an organization has proper procedures in place to meet its duty of care.
However, a forensics report should stick to facts. Forensics investigators should be instructed not to speculate. Nor should the report’s language convey judgments – whether legal or based on recognized industry standards. An incident response report should identify the facts uncovered and, if possible, describe what happened. That’s it. If the factual record is insufficient to determine what happened, the report should not speculate about a conclusion. A report should be drafted with the anticipation that it may be produced. Editing such a document can be a tricky line to walk; even well-intended edits can lead to trouble. It’s best to ensure that the investigator understands their role and the limited scope of the report before preparing it.
5. It Needs to Be a Legal Expense
The court also appeared to give significant weight to the fact that Capital One initially paid Mandiant from funds designated as a “critical business” expense in its cyber operations budget. Was the court being too fastidious? On the other hand, was Capital One’s subsequent re-designation of Mandiant’s fees as a “legal” expense in December 2019 an attempt to improve its record knowing that a discovery dispute was brewing? We note that the same court issued a decision in December 2019 holding that a Mandiant-prepared report in another data breach was not privileged. In re Dominion Dental Services USA, Inc. Data Breach Litigation, 429 F. Supp. 3d 190 (E.D. Va. 2019).
Not every organization’s law department has its own budget. Not every organization has a law department. So, this factor may be unfair. If your organization has a law department, but does not have its own budget, properly document expenditures to demonstrate that work is clearly being performed with outside counsel for a legal purpose in anticipation of litigation and not a business purpose. If your organization’s law department does have its own budget, be sure that all expenditures are designated to its budget. Show that the work is being performed with outside counsel for a legal purpose and not just to investigate what happened.
Most times, when an organization suffers a cybersecurity incident, whether independently or through insurance, it turns to a third-party forensic examiner to discover how the incident happened, what information was compromised, possibly who did it, and how the compromise can be stopped and mitigated against recurrence. An organization and its counsel – whether in-house or outside counsel – should be considering the limited scope of privilege and what steps should be undertaken to better shield documents from discovery.
If you have questions or would like further information, please contact Joshua A. Mooney (email@example.com; 215.864.6345), Richard M. Borden (firstname.lastname@example.org; 212.631.4439) or Gwenn B. Barney (email@example.com; 215.864.7063).
 The regulators were the FDIC, the Federal Reserve Board, the Consumer Financial Protection Bureau and the Office of the Comptroller of the Currency.
 Hickman v. Taylor, 329 U.S. 495, 510 (1947). Although Federal Rule of Civil Procedure 26(b) protects work-product doctrine materials from discovery, the protection is not absolute. E.g., Solis v. Food Employers Labor Relations Ass'n, 644 F.3d 221, 232 (4th Cir. 2011). Under Rule 26(b)(3), the party seeking discovery has the burden of supporting its request by demonstrating “substantial need of the materials in the preparation of his case and that he is unable without undue hardship to obtain the substantial equivalent of the material by other means.” Thus, a court may order production of work-product materials if the moving party shows that factual information in the work-product materials is not otherwise available, and is necessary to the preparation of its case. See, e.g., In re Grand Jury Subpoena, 870 F.3d 312, 316 (4th Cir. 2017).
 Citing National Union Fire Ins. Co. v. Murray Sheet Metal Co., 967 F.2d 980, 984 (4th Cir. 1992).
If the report had been produced only to legal counsel and regulators, the court may have decided differently. Regulators sometimes receive privileged documents without waiver, and the work-product doctrine permits limited waiver. See, e.g., Westinghouse v. Republic of the Phil., 951 F.2d 1414, 1429 (3d Cir. 1991); In re Niaspan Antitrust Litig., 2017 U.S. Dist. LEXIS 135753 at 4 (E.D. Pa. 2017).
 See, e.g., Upjohn Co. v. United States, 449 U.S. 383, 401 (1981); In re Cendant Corp. Securities Litig., 343 F.3d 658, 664 (3d Cir. 2003) (“opinion work product protection is not absolute, but requires a heightened showing of extraordinary circumstances”).