District Court Affirms Order Requiring Production of Cyber-Investigation Report after Considering Totality of Circumstances
As we previously reported, the Magistrate Judge in In re: Capital One Customer Data Security Breach Litigation, found that a forensic report that Capital One had claimed was protected by the privilege and work product doctrines needed to be produced because Capital One had not met its burden under the dual-purpose doctrine to show that the report was protected. In re: Capital One Customer Data Sec. Breach Litig.. The forensic report at issue (the “Report”) related to a 2019 data breach where a hacker purportedly accessed and stole highly sensitive customer information from Capital One’s online cloud environment (the “Breach”). Capital One hired outside counsel to investigate the Breach and to help the company prepare for anticipated litigation and regulatory inquiries. To assist counsel’s investigation, outside counsel engaged a cybersecurity consultant (“Consultant”). As developed in the Magistrate’s Order, Capital One had used this same Consultant prior to the Breach in the normal course of its business.
As part of its investigation, outside counsel entered into a new Letter Agreement with Consultant, but this agreement’s scope mirrored the agreement that Consultant already had in place with Capital One. In September 2019, Consultant issued its Report. In discovery, Plaintiffs moved to compel production of the Report. While reciting a number of other relevant facts, the Magistrate’s Order appeared to rely heavily on the fact that Capital One had used the same forensic consultant that it used for ordinary-course-of-business work in reaching its conclusion that the Report was discoverable. Against this backdrop, the Magistrate Judge concluded that Capital One had not presented sufficient evidence to show that the Report would not have been prepared in substantially similar form and with similar content in the absence of litigation. Accordingly, production of the Report was ordered.
On June 9, 2020, Capital One filed objections to the Magistrate’s Order, and asked the Court to set it aside. As explained in the District Court’s opinion affirming the Magistrate’s Order that the Report was not entitled to work product protection, Capital One objected on the grounds that the Magistrate Judge erred by: 1) considering whether the Report would have been created in essentially the same form absent litigation; 2) relying “too heavily on the ‘pre-existing SOW with [Consultant]’ to conclude that [Consultant] would have performed essentially the same services as ‘described in the Letter Agreement’ with [outside counsel]”; and 3) relying on the fact that Capital One used the Report for certain regulatory and business-related purposes after it was created. In re: Capital One Customer Data Sec. Breach Litig.
While the Court did not find any fault with the Magistrate’s fact-finding or ultimate conclusions in its June 25, 2020 Opinion affirming production of the Report, the District Court made express that it was a combination of multiple factors that led to the Court’s conclusion:
Consultant provided the same services during the privileged investigation that it provided in the ordinary course. Opinion 9.
The only significant differences between the Letter Agreement and the pre-existing SOW were that, under the Letter Agreement, the work Consultant performed was at the direction of outside counsel and that the Report was to be initially delivered to outside counsel. Id. at 10. The scope of the agreements were otherwise the same.
The Letter Agreement between outside counsel and Consultant provided that Consultant would be paid based on the same payment terms set out in the pre-existing SOW between Capital One and Consultant. Id. at 2. Consultant was paid for its work investigating the Breach from a retainer that it already received from Capital One in the ordinary course of business until those funds were exhausted, and then paid by Capital One from Capital One’s Cyber Budget before those payments were re-designated as legal expenses. Id. at 3.
Consultant initially delivered the Report to outside counsel, who then distributed the report, or directed it to be distributed, to “Capital One’s legal department, its Board of Directors, its financial regulators, its outside auditor, and dozens of Capital One employees.” Id. The District Court explained that the extent to which the Report was distributed was “appropriately probative of the purposes for which the work product was initially produced” and that consideration of the Report’s disclosure “underscore[d] Capital One’s business needs.” Id. at 12-13. In other words, the wide distribution of the Report reflected the Report’s business – not litigation – purposes.
The District Court Judge found that these facts, when taken collectively, showed that the Report was not protected work product. Opinion 9, 13-14. Notably missing from the District Court Judge’s Opinion is an analysis of outside counsel’s specific involvement (presumably because there was little involvement in incident response by outside counsel to rely on). See Opinion 10 fn.5 (“More to the point is that there is nothing in the record in this case that would reasonably suggest that this internal report reflects what [Consultant] would have produced absent [outside counsel’s] involvement.”):
Thus, the Court made clear that Capital One does not stand for the proposition that an organization can never use the same consultants that do ordinary course work to conduct a privileged analysis, as some commentators have suggested. See e.g., Capital One Objects to Magistrate Judge’s Ruling Its Forensic Report Discoverable: Here are the Practical Takeaways, The National Law Review, Jun. 12, 2020 (“Ensure that your outside counsel retains a cybersecurity vendor with which you have no preexisting relationship.”). But rather, the Opinion re-enforces the general principle that “[d]ual purpose documents are deemed prepared because of litigation if in light of the nature of the document and the factual situation in the particular case, the document can be fairly said to have been prepared or obtained because of the prospect of litigation.” In re Bard IVC Filters Prods. Liability at *2 (citing United States v. Richey) (emphasis added); see also In re Premera Blue Cross Customer Data Sec. Litig.. In other words, “courts must consider the totality of the circumstances and determine whether the document was created because of anticipated litigation, and would not have been created in substantially similar form but for the prospect of litigation.” In re Bard, 2016 WL 537587 at *2.
Significantly, the District Court Judge also analogized Capital One’s actions in response to the Breach to those taken by the defendant in In re Premera Blue Cross Customer Data Sec. Litig. (“Premera”). Opinion 11-12. In Premera, a cybersecurity consultant was conducting an ordinary-course-of-business investigation of Premera’s systems under a business-purpose Master Services Agreement (“MSA”) when it discovered the data breach. Opinion 11. After discovering the data breach, Premera entered into an amended statement of work with the consultant, which cosmetically shifted supervision of the work to outside counsel but did not otherwise change the scope of the consultant’s work from what it was doing under the MSA prior to discovery of the breach. Premera, 296 F. Supp. 3d at 1245. The court in Premera concluded that change in supervision of the investigation, without a change in the scope of work, was insufficient to render the consultant’s communications and underlying documents privileged or protected work product. Id.; see also, U.S. v. ISS Marine Serv., Inc. (“Unfortunately for the respondent, this sort of ‘consultation lite’ does not qualify the Audit Report for the protections of the attorney-client privilege. … This sort of arms-length coaching by counsel, as opposed to direct involvement of an attorney, undercuts the purposes of the attorney-client privilege in the context of an internal investigation.”). Likewise, here the District Court Judge found that “Capital One failed to establish” that “the report [Consultant] would have created for Capital One pursuant to its pre-data breach SOW would not have been substantially the same in substance or scope as the report [Consultant] prepared for [outside counsel].” Opinion 11.
The District Court’s Opinion in Capital One does not depart from established dual-purpose doctrine case law. Rather, it highlights that the test for determining whether or not the document at issue would have been created in essentially the same form in the absence of litigation should be (and remains) based on a consideration of the totality of the evidence. Following the reasoning in this Opinion that considers the totality of the evidence, one could argue that the more involved counsel is in incident response, the stronger a claim for work product protection will be.