Case Abstract: In Re Capital One Consumer Data Sec. Breach Litig. – Litigation, Mediation & Arbitration
A U.S. District Court holds that the report of a
forensic consultant, engaged on retainer in advance, in response to
a data breach is NOT privileged.
In re Capital One Consumer
Data Sec. Breach Litig., 2020 U.S. Dist.
LEXIS 91736 (U.S. Dist. Ct., E Va., Alexandria Div.
Facts + Issues
Capital One was a financial institution
which made arrangements for the investigation and response to
cybersecurity incidents. It entered into a Master Services
Agreement (MSA) with Mandiant in November 2015 to provide services
for responding to cybersecurity incidents. Thereafter,
Capital One entered into numerous Statements Of Work (SOW) and
purchase orders with Mandiant. The evidence from its senior manager
of its cyber security operations centre was as follows (pp. 2 –
3):
… one purpose of
the MSA and associated SOWs was to ensure that Capital One could
quickly respond to a cybersecurity incident should one occur. As a
financial institution that stores financial and other sensitive
information, it is critical that Capital One be positioned to
immediately respond to any potential compromise of the security of
its systems.
In particular, Capital One entered into
an SOW with Mandiant on January 7, 2019 and designated the retainer
paid to Mandiant as a “Business Critical” expense and not
a “Legal” expense (p. 2) because the retainer “was
considered a business-critical expense and not a legal expense at
the time it was paid” (p. 3).
In March 2019, Capital One suffered a
data breach at the hands of a hacker. It confirmed that it had
suffered a breach on July 19, 2019. The next day, Capital One
retained law firm Debevoise & Plimpton for advice in relation
to the breach. A few days later, Debevoise & Plimpton signed a
letter of agreement retaining Mandiant to provide services and
advice, namely with respect to “computer security incident
response; digital forensics, log, and malware analysis; and
incident remediation” (p. 4). This agreement provided
“that the work would be done at the direction of counsel and
the deliverables would be provided to counsel instead of Capital
One” (p. 4).
Capital One issued a public
announcement disclosing the data breach on July 29, 2019. The next
day lawsuits began to be filed against Capital One regarding the
breach. Initially Mandiant’s accounts were paid from the
retainer for the January 2019 SOW between Capital One and Mandiant.
After that, Mandiant’s subsequent fees were paid out of Capital
One’s legal department budget as legal expenses, and the payment
of the initial retainer to Mandiant under the SOW was
re-designated as a legal expense and deducted from the company’s
legal budget.
In addition to Mandiant’s
investigation into the data breach, a separate (but parallel)
internal Capital One investigation was launched in response to the
data breach. Capital One did not object to producing documents
emanating from that investigation on the basis of privilege.
Mandiant issued a report to Debevoise
& Plimpton which forwarded a copy to Capital One’s legal
department and also to Capital One’s Board of Directors and
others both within and outside of the Capital One organization,
including four government regulators and Capital One’s external
auditor Ernst & Young. No explanation was provided for why
these recipients received a copy or whether it was due to a
business reason or for litigation. Capital One also communicated
with Ernst & Young so that the auditor “was able to
conclude that the data breach had no impact on Capital One’s
internal controls over financial accounting” (p. 8).
The Plaintiffs applied for an order
directing production of the Mandiant Report “and related
materials”. Capital One resisted, claiming that this material
was covered by “work product privilege” (usually referred
to as “litigation privilege” in Canada).
HELD: For the Plaintiffs; disclosure
of the Mandiant Report ordered and application regarding the
related materials was denied without prejudice.
The Court summarized the legal principles regarding work product
privilege:
- “[T]he party asserting work product doctrine,
  bears the burden of demonstrating the applicability of that
  doctrine”. (p. 9)
- “[C]ourts generally disfavor assertions of
  evidentiary privileges because they shield evidence from the
  truth-seeking process; as such, they are to be narrowly and
  strictly construed so that they are confined to the narrowest
  possible limits consistent with the logic of its principle”
  (p. 9).
- “Federal Rule of Evidence 502 defines
  work-product protection as ‘the protection that applicable law
  provides for tangible material (or its intangible equivalent)
  prepared in anticipation of litigation or for trial’” (p. 9)
- While there must be litigation or anticipated
  litigation for work product privilege to arise, that fact alone is
  insufficient to give rise to that privilege.
  - The driving force behind its preparation must be
    the litigation (pp. 9 – 10):

    As the Fourth Circuit discussed in
    National Union Fire Ins. Co. v. Murray Sheet Metal
    Co., 967 F.2d 980, 984 (4th Cir. 1992), the
    fact that there is litigation does not, by itself, cloak materials
    with work product immunity but the material must be prepared
    because of the prospect of litigation. Materials prepared
    in the ordinary course of business or pursuant to regulatory
    requirements or for other non-litigation purposes are not documents
    prepared in anticipation of litigation. Id. In order to be
    entitled to protection, a document must be prepared “because
    of the prospect of litigation” and the court must determine
    “the driving force behind the preparation of each requested
    document” in resolving a work product immunity question.
  - The mere fact that external counsel has been retained does not
    justify work product privilege. “The hiring of outside
    counsel does not excuse a company from conducting its duties and
    addressing the issues at hand” (p. 11).
- Documents that would have been produced
  in “essentially similar form” regardless of the
  litigation do not qualify for work product privilege (pp. 10 –
  11):

  The work product doctrine withholds
  protection from documents that would have been created in
  essentially similar form irrespective of the litigation.
  Id. Accordingly, work product protection applies when the
  party faces an actual claim or a potential claim following an
  actual event or series of events that reasonably could result in
  litigation and the work product would not have been prepared in
  substantially similar form but for the prospect of that litigation.
  Id. at 748.
  [footnotes omitted]
- “[T]he party requesting protection
  under the work product doctrine bears the burden of showing how it
  would have investigated the incident differently if there was no
  potential for litigation” (p. 11).
The Court held that there was no
question that when Mandiant began its “incident response
services” there was a very real prospect of litigation
regarding the data breach. It was held to be clear that the data
breach “was the type of event that Capital One knew would lead
to litigation” (p. 12). Accordingly, “the determinative
issue [was] whether the Mandiant Report would have been prepared in
substantially similar form but for the prospect of that
litigation” (p. 11).
The Court held that work product
privilege did not protect the Mandiant report in
the circumstances.
- The Court found that Capital One had “not
  presented sufficient evidence to show that the incident response
  services performed by Mandiant would not have been done in
  substantially similar form even if there was no prospect of
  litigation” (pp. 11 – 12). It had “not shown that the
  nature of the work Mandiant had agreed to perform
  changed when outside counsel was retained” [emphasis the
  Court’s] (p. 12).
- The Court rejected Capital One’s argument that
  the privilege should apply because at the time of the data breach
  Mandiant was not undertaking an ongoing
  investigation.
Commentary
What Americans call “work product
privilege” is similar to what is referred to as
“litigation privilege” in Canada. The principles
enunciated by the Court in Capital One are similar to
those in Canadian law for litigation privilege except that our case
law does not expressly enunciate the principle that the privilege
does not protect documents that would have been produced in
essentially similar form regardless of the litigation, which is the
key principle which decided this case. Thus, it is not clear
whether or not this case will be applied in Canada. However, this
is arguably a rule that is consistent with enunciated Canadian
principles. Put another way, it is the law in Canada that the mere
fact that a litigant has a report commissioned initially for legal
counsel does not, in and of itself, justify that privilege. Thus, if
the litigant would have commissioned the report regardless of
litigation for other purposes (such as tracking accidents to improve
workplace security or to report to a regulator), this may be another
way of saying that
its dominant purpose was for the litigation. In Canada, the
“dominant purpose” behind the record in question must be
to respond to the litigation.
The key takeaway from this decision is
that organizations that retain external forensic consultants to
assist in responding to a data breach (an eminently sensible thing
to include in an Incident Response Plan) may have difficulty
maintaining privilege on the resulting reports.
This case is but the latest in a trend.
Blarney et al. put it best in G. Barney, et al.,
Protecting Your Organization: Lessons from In
re Capital One for Third-Party Cybersecurity Incident
Reports, June 8, 2020, White and Williams
LLP (“Blarney”):
Other similar
decisions suggest that it is becoming more difficult to shield
third-party forensics reports from discovery. Certainly, this
decision serves as a cold reminder on how fragile privilege can be.
Sometimes the scope of the work-product doctrine can be
overestimated and relied upon too heavily. There are countless
decisions that hold that a document is not work-product simply
because counsel is involved.
So, navigating the
privilege line can be difficult, especially in cybersecurity
matters. In the context of a data breach response, events can move
fast – like under 12 parsecs for the Kessel Run fast. Shortcuts in
structure and procedure caused by time pressures can result in
substantial and detrimental impacts later. It is critical for
organizations to appreciate and prepare for the appropriate
procedures when retaining a forensics consultant. Procedures
include the context and structure of the consultant’s
retention, dissemination of its report, and sometimes, even the
content of the report itself. In light of the Capital One decision,
there are several steps organizations and its counsel (in-house and
outside) may take to strengthen a privilege claim for a forensics
report.
“The Capital One decision does not
abolish any rights or protections; rather, it shines a light on the
risks of not fully and properly delineating the scope of a
company’s outside consultants’ retention and work”:
A.Z. Hutnik, et al., Lessons Learned for Maintaining Attorney-Client
Privileged Data Breach Investigation (and other Consultant)
Reports, June 11, 2020, Kelley Drye AD Law Access
(“Hutnik”). “The good news”: R. Aghaian,
et al., Recent Court Decision Carries Lessons for
Retaining and Using Cybersecurity Consultants to Investigate a
Breach, Kilpatrick Townsend & Stockton
LLP (“Aghaian”)
Common sense dictates that
organizations commissioning such reports should assume that they
may well be denied privilege protection. However, commentators
suggest factors that should be considered to maximize the odds that
the forensic expert’s report will be considered privileged:
- Involving counsel in all aspects of the data
  breach investigation.
  - Aghaian notes:

    If outside counsel is heavily
    involved in the breach investigation and report drafting, counsel
    can structure the report so that it in fact helps to prepare for
    litigation. Such involvement will help ensure that a breach report
    does not appear solely business-focused. Further, counsel’s
    involvement may strengthen an argument for attorney-client
    privilege, so that a company is not restricted to claiming only
    work-product doctrine protection in order to protect the breach
    report.
- There is disagreement about whether or
  not the organization should commission a forensic investigator with
  whom the organization has no prior business relationship. Burke
  suggests that an expert with no prior business relationship with
  the organization be retained: [Mooney and Protecting IT Forensic Reports in the
  Wake of a Data Breach, October 1, 2020, Hodgson
  Russ LLP [“Burke”]]. We disagree. An
  important element in an Incident Response Plan is having vetted
  experts on retainer, which can be engaged and quickly deployed in
  response to a breach. One does not want to be negotiating contract
  terms with a new expert in the lobby while the consequences of the
  breach are building up.
  - Aghaian posits that one should not avoid employing
    a preferred cybersecurity consultant:

    While retaining a new consultant may
    aid one’s work-product doctrine argument, it risks producing an
    inferior and inefficient outcome because the new consultant will
    face a steep learning curve in familiarizing itself with a
    company’s business practices, network configuration,
    application portfolio, and overall cybersecurity posture, all while
    time is of the essence.

    See also Mooney to the same effect.
- The expert’s retainer should be with
  legal counsel, as opposed to the organization [Burke]. The expert
  should be paid by counsel, with this expense reflected in the legal
  bill.
- “[C]learly define the terms and
  scope of work as distinct from the previous business
  relationship” with the forensic investigator, making it clear
  that the expert’s efforts are being sought to assist legal
  counsel. [Burke, Hutnik].
- Limit the distribution of the
  expert’s report to entities as necessary to undertake the legal
  analysis and litigation efforts. [Burke, Hutnik, Mooney]
- Think about commissioning two different
  reports regarding a breach: “(1) a detailed,
  litigation-focused report intended to be circulated within the
  legal department and C-suite on a need-to-know basis and in
  anticipation of litigation, and (2) a second report at a higher
  level of detail and analysis, that can be circulated more broadly,
  but may ultimately be produced in discovery”
  (Aghaian).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.