A U.S. District Court holds that the report of a forensic consultant, engaged on retainer in advance, in response to a data breach is NOT privileged.

In re Capital One Consumer Data Sec. Breach Litig., 2020 U.S. Dist. LEXIS 91736 (U.S. Dist. Ct., E Va., Alexandria Div.

Facts + Issues

Capital One was a financial institution which made arrangements for the investigation and response to cybersecurity incidents. It entered into a Master Services Agreement (MSA) with Mandiant in November 2015 to provide services for responding to cybersecurity incidents.  Thereafter, Capital One entered into numerous Statements Of Work (SOW) and purchase orders with Mandiant. The evidence from its senior manager of its cyber security operations centre was as follows (pp. 2 - 3):

... one purpose of the MSA and associated SOWs was to ensure that Capital One could quickly respond to a cybersecurity incident should one occur. As a financial institution that stores financial and other sensitive information, it is critical that Capital One be positioned to immediately respond to any potential compromise of the security of its systems.

In particular, Capital One entered into an SOW with Mandiant on January 7, 2019 and designated the retainer paid to Mandiant as a "Business Critical" expense and not a "Legal" expense (p. 2) because the retainer "was considered a business-critical expense and not a legal expense at the time it was paid" (p. 3).

In March 2019, Capital One suffered a data breach at the hands of a hacker. It confirmed that it had suffered a breach on July 19, 2019. The next day, Capital One retained law firm Debevoise & Plimpton for advice in relation to the breach. A few days later, Debevoise & Plimpton signed a letter of agreement retaining Mandiant to provide services and advice, namely with respect to "computer security incident response; digital forensics, log, and malware analysis; and incident remediation" (p. 4). This agreement provided "that the work would be done at the direction of counsel and the deliverables would be provided to counsel instead of Capital One" (p.4).

Capital One issued a public announcement disclosing the data breach on July 29, 2019. The next day lawsuits began to be filed against Capital One regarding the breach. Initially Mandiant's accounts were paid from the retainer for the January 2019 SOW between Capital One and Mandiant. After that, Mandiant's subsequent fees were paid out of Capital One's legal department budget as legal expenses and the payment of the initial retainer to Mandiant under the SOW were re-designated as legal expenses and deducted from the company's legal budget.

In addition to Mandiant's investigation into the data breach, a separate (but parallel) internal Capital One investigation was launched in response to the data breach. Capital One did not object to producing documents emanating from that investigation on the basis of privilege.

Mandiant issued a report to Debevoise & Plimpton which forwarded a copy to Capital One's legal department and also to Capital One's Board of Directors and others both within and outside of the Capital One organization, including four government regulators and Capital One's external auditor Ernst & Young. No explanation was provided for why these recipients received a copy or whether it was due to a business reason or for litigation. Capital One also communicated with Ernst & Young so that the auditor "was able to conclude that the data breach had no impact on Capital One's internal controls over financial accounting" (p. 8).

The Plaintiffs applied for an order directing production of the Mandiant Report "and related materials". Capital One resisted claiming that this material was covered by "work product privilege" (usually referred to as "litigation privilege" in Canada).

HELD: For the Plaintiffs; disclosure of the Mandiant Report ordered and application regarding the related materials was denied without prejudice

The Court summarized the legal principles regarding work product privilege:

  1. "[T]he party asserting work product doctrine, bears the burden of demonstrating the applicability of that doctrine". (p. 9)  
  2. "[C]ourts generally disfavor assertions of evidentiary privileges because they shield evidence from the truth-seeking process; as such, they are to be narrowly and strictly construed so that they are confined to the narrowest possible limits consistent with the logic of its principle" (p. 9).  
  3. "Federal Rule of Evidence 502 defines work-product protection as 'the protection that applicable law provides for tangible material (or its intangible equivalent) prepared in anticipation of litigation or for trial'" (p. 9)  
  4. While there must be litigation or anticipated litigation for work product privilege to arise, that fact alone is insufficient to give rise to that privilege.
    1. The driving force behind its preparation must be the litigation ( pp. 9 - 10):
      As the Fourth Circuit discussed in National Union Fire Ins. Co. v. Murray Sheet Metal Co., 967 F.2d 980, 984 (4th Cir. 1992), the fact that there is litigation does not, by itself, cloak materials with work product immunity but the material must be prepared because of the prospect of litigation. Materials prepared in the ordinary course of business or pursuant to regulatory requirements or for other non-litigation purposes are not documents prepared in anticipation of litigation.Id. In order to be entitled to protection, a document must be prepared "because of the prospect of litigation" and the court must determine "the driving force behind the preparation of each requested document" in resolving a work product immunity question.
    2. The mere fact that external counsel has been retained does not justify work product privilege.  "The hiring of outside counsel does not excuse a company from conducting its duties and addressing the issues at hand" (p. 11).
  5. Documents that would have been produced in "essentially similar form" regardless of the litigation do not qualify for work product privilege (pp. 10 - 11):
    The work product doctrine withholds protection from documents that would have been created in essentially similar form irrespective of the litigation. Id. Accordingly, work product protection applies when the party faces an actual claim or a potential claim following an actual event or series of events that reasonably could result in litigation and the work product would not have been prepared in substantially similar form but for the prospect of that litigation. Id. at 748.
    [footnotes omitted]
  6. "[T]he party requesting protection under the work product doctrine bears the burden of showing how it would have investigated the incident differently if there was no potential for litigation" (p. 11).

The Court held that there was no question that when Mandiant began its "incident response services" there was a very real prospect of litigation regarding the data breach. It was held to be clear that the data breach "was the type of event that Capital One knew would lead to litigation" (p. 12). Accordingly, "the determinative issue [was] whether the Mandiant Report would have been prepared in substantially similar form but for the prospect of that litigation" (p. 11).

The Court held that work product privilege did not protect the Mandiant report in the circumstances.

  1. The Court found that Capital One had "not presented sufficient evidence to show that the incident response services performed by Mandiant would not have been done in substantially similar form even if there was no prospect of litigation" (pp. 11 - 12). It had "not shown that the nature of the work Mandiant had agreed to perform changed when outside counsel was retained" [emphasis the Court's] (p. 12).  
  2. The Court rejected Capital One's argument that the privilege should apply because at the time of the data breach Mandiant was not undertaking an ongoing investigation.

Commentary

What Americans call "work product privilege" is similar to what is referred to as "litigation privilege" in Canada. The principles enunciated by the Court in Capital One are similar to those in Canadian law for litigation privilege except that our case law does not expressly enunciate the principle that the privilege does not protect documents that would have been produced in essentially similar form regardless of the litigation, which is the key principle which decided this case. Thus, it is not clear whether or not this case will be applied in Canada. However, this is arguably a rule that is consistent with enunciated Canadian principles. Put another way, the mere fact that a litigant has a report commissioned initially for legal counsel does not justify that privilege, in and of itself is the law in Canada. Thus if the litigant would have commissioned regardless of litigation for other purposes (such as tracking accidents to improve workplace security or to report to a regulator) this may be another way of saying that its dominant purpose was for the litigation. In Canada, the "dominant purpose" behind the record in question must be to respond to the litigation.

The key takeaway from this decision is that organizations that retain external forensic consultants to assist in responding to a data breach (an eminently sensible thing to include in an Incident Response Plan) may have difficulty maintaining privilege on the resulting reports.

This case is but the latest in a trend. Blarney et al. put it best in G. Barney, et al., Protecting Your Organization: Lessons from In re Capital One for Third-Party Cybersecurity Incident Reports, June 8, 2020, White and Williams LLP ("Blarney"):

Other similar decisions suggest that it is becoming more difficult to shield third-party forensics reports from discovery. Certainly, this decision serves as a cold reminder on how fragile privilege can be. Sometimes the scope of the work-product doctrine can be overestimated and relied upon too heavily. There are countless decisions that hold that a document is not work-product simply because counsel is involved.

So, navigating the privilege line can be difficult, especially in cybersecurity matters. In the context of a data breach response, events can move fast - like under 12 parsecs for the Kessel Run fast. Shortcuts in structure and procedure caused by time pressures can result in substantial and detrimental impacts later. It is critical for organizations to appreciate and prepare for the appropriate procedures when retaining a forensics consultant. Procedures include the context and structure of the consultant's retention, dissemination of its report, and sometimes, even the content of the report itself. In light of the Capital One decision, there are several steps organizations and its counsel (in-house and outside) may take to strengthen a privilege claim for a forensics report.

"The Capital One decision does not abolish any rights or protections; rather, it shines a light on the risks of not fully and properly delineating the scope of a company's outside consultants' retention and work": A.Z. Hutnik, et al., Lessons Learned for Maintaining Attorney-Client Privileged Data Breach Investigation (and other Consultant) Reports, June 11, 2020, Kelley Drye AD Law Access ("Hutnik"). " The good news ": R. Aghaian, et al., Recent Court Decision Carries Lessons for Retaining and Using Cybersecurity Consultants to Investigate a Breach, Kirkpatrick Townsend & Stockton LLP ("Aghaian")

Common sense dictates that organizations commissioning such reports should assume that they may well be denied privilege protection. However, commentators suggest factors that should be considered to maximize the odds that the forensic expert's report will be considered privileged:

  1. Involving counsel in all aspects of the data breach investigation.  
    1. Aghaian notes:
      If outside counsel is heavily involved in the breach investigation and report drafting, counsel can structure the report so that it in fact helps to prepare for litigation. Such involvement will help ensure that a breach report does not appear solely business-focused. Further, counsel's involvement may strengthen an argument for attorney-client privilege, so that a company is not restricted to claiming only work-product doctrine protection in order to protect the breach report.
  2. There is disagreement about whether or not the organization should commission a forensic investigator with whom the organization has no prior business relationship. Burke suggests that an expert with no prior business relationship with the organization be retained: [Mooney and Protecting IT Forensic Reports in the Wake of a Data Breach, October 1, 2020, Hodgson Russ LLP ["Burke"]]. We disagree. An important element in an Incident Response Plan is having vetted experts on retainer, which can be engaged and quickly deployed in response to a breach. One does not want to be negotiating contract terms with a new expert in the lobby while the consequences of the breach are building up.  
    1. Aghaian posits that one should not avoid employing a preferred cybersecurity consultant:
      While retaining a new consultant may aid one's work-product doctrine argument, it risks producing an inferior and inefficient outcome because the new consultant will face a steep learning curve in familiarizing itself with a company's business practices, network configuration, application portfolio, and overall cybersecurity posture, all while time is of the essence.
      See also Mooney to the same effect.
    2. The expert's retainer should be with legal counsel, as opposed to the organization [Burke]. The expert should be paid by counsel, with this expense reflected in the legal bill.  
    3. "[C]learly define the terms and scope of work as distinct from the previous business relationship" with the forensic investigator, making it clear that the expert's efforts are being sought to assist legal counsel. [Burke, Hutnik].
  3. Limit the distribution of the expert's report to entities as necessary to undertake the legal analysis and litigation efforts. [Burke, Hutnik, Mooney]  
  4. Think about commissioning two different reports regarding a breach: "(1) a detailed, litigation-focused report intended to be circulated within the legal department and C-suite on a need-to-know basis and in anticipation of litigation, and (2) a second report at a higher level of detail and analysis, that can be circulated more broadly, but may ultimately be produced be in discovery" (Aghaian).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.