On June 25, 2020, the United States District Court for the Eastern District of Virginia upheld a Magistrate Judge’s order, compelling Capital One to produce the Mandiant Report at issue in the matter of In Re: Capital One Consumer Data Security Breach Litigation (See MDL No. 1:19md2915).

The decision put to rest the month-long dispute over the discoverability of a forensic report prepared for Capital One Financial Corp. by cybersecurity firm Mandiant Inc., following a cyber-incident that exposed 106 million applicants’ sensitive data last year.  This development reaffirms several key lessons that we recently wrote about for companies experiencing cyber incidents.

The sole issue before the District Court was “whether the Report is entitled to work product protection.”  The Magistrate Judge had previously held that it was not.  In its objection, Capital One argued that the Magistrate Judge’s recommendation “erred as a matter of law” for three reasons: (1) it “applied the second prong of the [test articulated in RLI Insurance Co. v. Conseco, Inc. (the “RLI test”)] (whether the document would have been created in essentially the same form absent litigation) as part of the Fourth Circuit’s ‘driving force’ test”; (2) it “relied too heavily on the ‘pre-existing [statement of work (SOW)] with Mandiant to conclude that Mandiant would have performed essentially the same services as ‘described in the Letter Agreement’ with [outside counsel]”; and (3) it “relied on subsequent regulatory and business uses of the Report in determining that the Report is not entitled work product protection.”

Under the “because of” test applied in this case, a document will be protected as work product if it is shown to have been prepared “because of the prospect of litigation.”  A document that may be used for both litigation and business purposes is protected as work product only if litigation was “the driving force behind the preparation of” the document.  To determine whether litigation was the “driving force,” courts apply the two-prong RLI test, which asks: (1) whether the document at issue was created when litigation was “a real likelihood,” as opposed to being “merely a possibility”; and (2) “whether the document would have been created in essentially the same form in the absence of litigation.”  It was undisputed that there was “a real likelihood” of litigation following Capital One’s announcement of its data breach.  Thus, only the Magistrate Judge’s application of the second RLI prong was at issue.  In upholding the Magistrate Judge’s order, the District Court reaffirmed several key lessons for companies facing cyber incidents.

1. To shield a forensic report as work product, a company must demonstrate that the report would not have been created in essentially the same form absent litigation.  This burden is more difficult to meet where the company has a pre-existing relationship with the cybersecurity vendor that prepares the report.

First, Capital One argued that litigation is necessarily the “driving force” behind the preparation of a document “where, as here, the work product documents are created only after the prospect of litigation arises” and the documents are “created in anticipation of litigation.”  Therefore, Capital One argued, under these circumstances, the document must be protected and application of the second prong of the RLI test is improper.  The court found that this argument “ignores the substance of the test,” as the second prong “captures one of the core inquiries identified by the Fourth Circuit in [articulating the ‘driving force’ inquiry]: whether the work product would have otherwise been produced in the ordinary course of business.”  It was thus proper for the Magistrate Judge to apply both prongs of the RLI test.

Second, Capital One argued that, in any event, the Magistrate Judge had improperly applied the second RLI prong by giving “dispositive effect to the pre-existing SOW with Mandiant.”  Mandiant changed “the nature of its investigation, the scope of work, and its purpose” at the direction of outside counsel and in anticipation of litigation, so “Mandiant’s investigation and report would have been very different if Capital One had engaged Mandiant to investigate the Cyber Incident for business purposes.”  Capital One pointed to its separate internal investigation and report as further evidence that the Mandiant Report would not have been prepared in substantially similar form but for the prospect of litigation.  Again, the District Court disagreed.

The Magistrate Judge properly applied the second RLI prong to conclude that the Mandiant Report was not protected work product, the District Court held, given that the scope of services was identical under both the pre-existing SOW between Capital One and Mandiant and the Letter Agreement they entered into with outside counsel following the data breach.  Based on the record, “it would be unreasonable to think, given identical contractual obligations under the pre- and post-data breach SOWs, that had Mandiant not provided to Capital One through [outside counsel] all the information required under the SOW concerning the breach, it would not have provided that same ‘business critical’ information directly to Capital One in discharge of its obligations under the pre-data breach MSA and SOW.”  Capital One’s internal report did not change this conclusion, as there was no evidence “that this internal report reflects what Mandiant would have produced absent [outside counsel]’s involvement,” and Capital One did not “provide[] sufficient evidence to explain whether any parallel investigation by Mandiant would have been substantially different in substance than the counsel-led investigation at issue here.”

In sum, “after the data breach incident at issue in this action, Capital One then arranged to receive through [outside counsel] the information it already had contracted to receive directly from Mandiant.”  Because Capital One “failed to establish that the Report would not have been prepared in substantially similar form but for the prospect of that litigation,” the Magistrate Judge properly applied the second RLI prong to conclude that the Report was not protected as work product.

This analysis reaffirms the crucial need for companies to keep pre-litigation investigations completely separate from business incident response services.  The safest route is to avoid engaging the same cybersecurity firm for breach response and litigation-related investigations as for business-related services.  Given the difficulty of vetting and onboarding a new cybersecurity firm in the aftermath of a cyber-incident, it may be prudent for counsel to separately engage a second forensic firm with which the company has no pre-existing relationship to support any litigation-related investigations that may become necessary.  Either of these steps would allow the company to clearly demonstrate that it has separate reports for business and regulatory purposes, on the one hand, and litigation purposes, on the other.  If neither of these steps is feasible, however, and a company decides to use the same vendor for both business and litigation-related services, it is critical to detail the vendor’s litigation-related services in a separate SOW whose scope and purpose clearly differ from those of any preexisting SOWs.  The SOW and any related documentation must clearly establish that the purpose and scope of the work to be performed is in anticipation of litigation and will be conducted under the direction and control of counsel for the purpose of providing legal advice.

2. Disclosure of a forensic report to parties for non-litigation use may be considered evidence that the report was not initially produced “because of” litigation.

Finally, Capital One argued that the Magistrate Judge had erred in relying on the company’s “subsequent regulatory and business uses of the Report in determining that the Report is not entitled work product protection.”  The court pointed out, however, that “post-production disclosures are appropriately probative of the purposes for which the work product was initially produced.”  And the Magistrate Judge did not hold that Capital One’s subsequent disclosures of the Mandiant Report destroyed its work product protection; rather, the Magistrate Judge raised the issue “simply to underscore Capital One’s business needs for a Mandiant produced report.”  (Notably, while disclosure did not destroy work product protection in this case, the court expressly declined to reach plaintiffs’ alternative argument that Capital One had waived protection over the Report, since the court held that the Report was not protected in the first place.  Had the court held the Report to be protected, however, it is possible that Capital One’s disclosure of the Report might have jeopardized the Report’s protection in other respects.)

This reaffirms the importance of providing the full litigation-related report only to those who need it solely for litigation purposes and imposing clear controls on its use.  As a practical matter, companies can often create a separate and non-privileged report to be used for business and regulatory purposes.  Non-privileged reports should be distinct from the privileged forensic report (i.e., not a copy and paste) and should provide a summary of their findings rather than a detailed analysis.  Companies can further distinguish privileged forensic reports by paying for the reports and related services directly from their legal and/or litigation budgets and designating the expenses as legal.  At the very least, companies should avoid paying from their cyber organization’s budget and designating it as a ‘business critical expense’ – as initially recorded by Capital One.

If your company experiences a data breach, it is imperative to immediately retain outside counsel who understands the nuances of cybersecurity events, the regulatory and legal obligations flowing from the event, and the potential claims that may arise to carefully navigate the difficult privilege issues that arise almost immediately following a breach.  SPB attorneys are here to help.