Disclosure Ordered of Data Breach Incident Response Report Prepared for Outside Counsel
On May 26, 2020, a United States Magistrate Judge in the Eastern District of Virginia ordered Capital One to disclose to class action plaintiffs a report prepared by Mandiant, a cyber forensics firm, for Capital One’s outside counsel in the wake of a March 2019 data breach. The court found that the Mandiant Report was not subject to attorney work-product protection — despite the fact that Capital One had retained outside counsel following the data breach and outside counsel had, in turn, engaged Mandiant to provide incident response forensic services. Companies and cyber incident response professionals should take note of this opinion. Although Capital One and its outside counsel appeared to follow standard practices for the retention of a forensic firm, the court still found that the forensic report was not protected work product.
Capital One entered into an initial Master Services Agreement (MSA) with Mandiant in November 2015. Thereafter, Capital One and Mandiant executed periodic Statements of Work (SOWs), which stated that Mandiant would provide certain cyber incident response services, as well as other ongoing cyber and data consulting services. The most recent SOW between Capital One and Mandiant was executed in January 2019.
Capital One retained outside counsel in July 2019 after discovering there had been an unauthorized exposure of personal information. Outside counsel executed a new Letter Agreement with Mandiant whereby forensic services would be provided to Capital One “at the direction of counsel and the deliverables would be provided to counsel[.]” The Mandiant Report was issued to outside counsel in September 2019.
In subsequent civil litigation related to the data breach, plaintiffs sought to compel disclosure of the Mandiant Report. Capital One argued that the Mandiant Report had been prepared at the direction of counsel and was thus protected from disclosure under the attorney work-product doctrine.
The court rejected Capital One’s argument, noting that “the fact that the investigation was done at the direction of outside counsel and the results were initially provided to outside counsel” did not necessarily mean that the Mandiant Report was attorney work product. Instead, “the determinative issue was whether the Mandiant Report would have been prepared in substantially similar form but for the prospect of … litigation.” The court noted that, in order to receive protection under the work-product doctrine, “the material must be prepared because of the prospect of litigation” — as opposed to work that would have been done in the ordinary course of business.
In concluding that the Mandiant Report was not protected by the work-product doctrine, the court focused principally on the pre-existing and “long standing relationship” between Capital One and Mandiant, which the court concluded evidenced a “business” purpose for the creation of the report, rather than a “litigation” purpose. The court emphasized that Mandiant had entered into several SOWs with Capital One before the breach. These SOWs described some of the same services that were spelled out in the post-data breach Letter Agreement with outside counsel. Thus, in the court’s view, the nature of Mandiant’s work did not change after outside counsel was retained. The court concluded that there was no evidence that Mandiant would have done anything different in the absence of the Letter Agreement with outside counsel, and, as such, the Mandiant Report likely would have been created in substantially the same form regardless of any threat of litigation.
In addition to the existing relationship between Capital One and Mandiant, the court also focused on the recipients of the Mandiant Report. Mandiant initially sent the forensic report to outside counsel, but Capital One subsequently distributed it to approximately 50 Capital One employees (including some who were conducting a separate internal investigation directed by the company’s chief information security officer [CISO] and cyber incident response team), the Board of Directors, four different regulators and Capital One’s outside accounting firm. While noting that disclosure of the report to employees and third parties did “not necessarily constitute a waiver [of work product protection],” the court concluded that the distribution of the report showed that it was prepared primarily for business and regulatory reasons — not for litigation.
Conclusion and Practice Pointers
The magistrate judge’s order — which Capital One has appealed to the District Court judge assigned to the data breach litigation — is a strong warning for cyber incident response professionals, as well as companies that have been or will be victimized by a cyberattack or data breach incident. In denying work-product protection to a report created by a cyber forensics firm with which the data breach victim had a pre-existing, ongoing relationship, the ruling arguably disincentivizes companies from working with forensic firms on incident prevention or planning. Given that many federal and state regulators and agencies typically encourage — and in some cases expect — companies to have ongoing relationships with cyber forensic firms, the court’s order is somewhat confusing. However, the benefits of working with cybersecurity firms on an ongoing and regular basis likely still outweigh any potential for attorney work-product waiver, and working with such firms remains a widely accepted best practice.
Below are some practical steps that data breach victims and incident response professionals can take to protect forensic reports from discovery even if a court follows an approach like the one that was taken in this case:
- Carefully Structure Agreements with Incident Response Firms: In excluding the Mandiant Report from work-product protection, the court focused on two key issues: first, the “long standing relationship” between Capital One and Mandiant and second, the pre-existing SOWs in which Mandiant had agreed to perform essentially the same services that were later invoked in the post-breach Letter Agreement with outside counsel. Companies should use separate agreements for consulting services and incident response services. The two types of agreements should not refer to or incorporate each other by reference. Moreover, to the extent that companies hire a forensic firm to provide ongoing consulting services, the agreements covering the provision of such services should state that incident response services will be covered by an independent, unrelated agreement.
- Limit Forensic Report Distribution: The distribution of the Mandiant Report to several Capital One employees, as well as to regulators and outside accountants, was not dispositive on the work-product protection issue. However, the Mandiant Report’s wide distribution likely contributed to the court’s holding. Outside counsel and the company’s legal department should be the primary audience for the report. In certain instances, it may be necessary to share reports with Boards of Directors, government agencies and regulators. But, when possible, limit sharing to oral presentations about the forensic report’s factual conclusions or summaries written by outside counsel. While sharing of the forensic report may be necessary in some instances, companies should be aware that each additional party who receives the report makes it less likely that the report will be given attorney work-product protection by a court.
- Cover Incident Response as Legal Work: The court noted on multiple occasions that payments by Capital One to Mandiant had been originally characterized as “business” expenses, not “legal” expenses. While it may make sense for ongoing consulting fees to be paid out of a company’s “business” budget, it would be wise to characterize any fees and payments associated with cyberattacks or data breach incident responses as “legal” from the outset.
- Ensure that Counsel Directs Incident Response: Companies should utilize their outside counsel to engage and coordinate relationships with forensic investigators in the wake of cyberattacks or data breach incidents. Outside counsel should also take the lead in coordinating the incident response with the forensic investigation team. While it may not be practical to involve outside counsel in ongoing consulting relationships with forensic investigators, companies should have a clear message — both internally and externally — that outside counsel is directing incident response investigations and that such investigations are being conducted separate and apart from any pre-existing cyber consulting activities with forensic firms.