Risk Update

Data Breach — When Privilege Won’t Protect Vendor Incident Reports from Discovery or Disclosure

This one caught my eye as something worth keeping on radar. While the focus is on client breaches and outside counsel/experts, we’ve read about a law firm or two that has faced similar incidents in recent times…

“Data Breach Report in Capital One Litigation Not Privileged” —

  • “On May 26, the District Court found in the In Re: Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA)(ED VA) that a report prepared by Mandiant concerning the Capital One data breach (Breach Report) was not protected by the work product privilege and must be turned over to Plaintiffs.”
  • “The Breach Report was prepared by Mandiant at the direction of Debevoise & Plimpton, Capital One’s counsel. Debevoise & Plimpton hired Mandiant immediately after the breach to assist in likely litigation.”
  • “In July 2019, Capital One reported the breach and lawsuits started to be filed the following day. Mandiant performed the work and prepared the Breach Report in September 2019. So far this looks like the normal way experts are hired under the very real prospect of litigation for which the work product doctrine should attach. But as so many TV offers remind us ‘wait, wait, there’s more!'”
  • “The Court found the determinative issue was whether the Mandiant Breach Report would have been prepared in substantially similar form ‘but for the prospect of that litigation.’ The fact that the investigation was done at the direction of outside counsel and the Breach Report was initially provided to outside counsel did not satisfy the ‘but for’ test.”
  • “Capital One failed to demonstrate Mandiant would not have performed substantially similar services in the absence of litigation. In fact, Mandiant had a long-standing relationship with Capital One, going back to at least 2015… The only significant change from prior agreements was that Debevoise & Plimpton would direct the work and receive the Breach Report. Mandiant’s similar, prior work was deemed business critical and not a legal expense. The Breach Report was shared with four regulators. While the Court noted this did not necessarily constitute a waiver, it did not decide the case based on this factor and noted the ‘waiver argument may have some merit.’”
  • “Some clear lessons can be gleaned. When choosing a company to assist with data breach litigation response, clearly vet that company. Past work for the breached company, including prior work relationships and contracts, should be reviewed carefully to make sure the post-breach engagement is not more of or similar to the same. If in doubt, have one firm assist with litigation and the other in breach mitigation.”

I was curious and found a few related updates, including this interesting analysis from 2017: “Cyber Breach Forensic Reports: Is Your Report Discoverable?” —

  • “Due to the growing prevalence of data breaches and ransomware attacks, courts have been forced to interpret and nuance privilege in the context of post-breach forensic reports. One major consideration in the context of data breach litigation strategy is how to protect forensic reports prepared by outside forensic firms from discovery in civil litigation. If the forensic report is discoverable, it could be used by the opposing party and ultimately become part of the public record in litigation.”
  • “Courts have held that, in certain circumstances, such forensic reports are protected by both attorney-client privilege and work product protection. Although there are few cases discussing these doctrines in the context of forensic reports, the cases provide guidance on what a company or organization can do to bolster claims that its post-breach forensic reports are shielded from discovery in civil litigation.”
  • “In Genesco, Inc. v. Visa U.S.A., Inc., a case involving a cyber-attack on a retail store, the defendant’s outside counsel engaged a forensic firm to assist with a privileged factual investigation as to how the cyber-attack occurred. The Middle District of Tennessee court found that the attorney-client privilege protects attorneys’ factual investigations, and the protection extends to attorneys’ communications with agents and experts who are retained for the purpose of providing legal advice. Accordingly, the court held that the report was protected from disclosure by the attorney-client privilege because it was: (1) prepared by the forensic firm at the direction of outside counsel; and (2) prepared to aid counsel in providing legal advice.”
  • “Multiple federal courts have held that in certain instances, forensic reports are protected by work product protection. Whether a document is work product generally comes down to whether the document was prepared in anticipation of litigation.”
  • “Companies should bear in mind that work product protection can be overcome by a finding of substantial need by the adverse party. To strengthen the argument against finding a substantial need, outside counsel should ensure that the forensic firm conducts its investigation based on documentation that can be provided to an adverse party for an independent investigation.”

“Court Applies Work Product Protection to Breach Investigation Reports” —

  • “In October 2015, Experian announced that it suffered a data breach. A class action was filed the next day. Experian immediately hired legal counsel who in turn hired Mandiant, one of the world’s leading forensic firms, to investigate the data breach and identify facts that would allow outside counsel to provide legal advice to Experian.”
  • “The plaintiffs requested a copy of Mandiant’s report and documents related to that investigation. Experian objected, arguing that the documents are privileged and protected by the work-product doctrine because they were prepared in anticipation of litigation for the purpose of allowing counsel to advise Experian on its legal obligations. The plaintiffs moved to compel production of the documents.”
  • “The court held that the documents were protected from discovery by the work-product doctrine. Plaintiffs had argued that Experian had an independent business obligation to investigate the data breach, and it hired Mandiant to do that after realizing its own experts lacked sufficient resources. The court rejected this argument because Mandiant conducted the investigation and prepared the report for outside counsel in anticipation of litigation, “even if that wasn’t Mandiant’s only purpose.” The court pointed to, among other things, the fact that Mandiant’s full report was not provided to Experian’s internal incident response team.”

For even more, see the ACC’s: “Protecting Privilege in a Cyber Breach Incident Response.”