Skip to main content

Businesses Beware:  Incident Reports May No Longer Have Attorney Work Product Protection Absent Careful Planning

In an unprecedented ruling, one federal court recently held that the work product doctrine does not protect the expert cybersecurity report prepared after a data breach.  The court ordered the release of the unredacted cybersecurity report, despite that it was prepared in anticipation of litigation at the direction of outside counsel.  Despite ordering the release of the report itself, the court denied (without prejudice) the class plaintiffs’ request to also compel the disclosure of the “related materials,” finding that these materials may still qualify for protection, and that this issue was not yet adequately briefed. 

This order stemmed from a highly contested motion in the MDL proceedings against Capital One, In re: Capital One Customer Data Security Breach Litigation, Case No. 1:19-md-02915 (E.D. Va May 26, 2020).  After the breach allegedly exposed the personal information of over 100 million people, the putative class plaintiffs sought to compel Capital One to turn over its incident report, which contained the observations and analysis of its cybersecurity consultant.  Capital One strongly resisted, arguing that this report (1) was prepared to help its attorneys deal with the litigation and (2) was done in anticipation of litigation. 

Capital One had initially retained this third-party vendor back in 2015, when the parties signed a Master Services Agreement in order to help Capital One quickly respond to future cybersecurity incidents.  At that time, Capital One’s goal was to have a response plan in place and to be well positioned to respond immediately to any incident, should one occur.  In February 2019, Capital One paid a retainer to the vendor for future services but designated it as a “business expense” rather than a legal expense.  The parties agreed that pre-paid services would include computer security incidence response support; digital forensics, log, and malware analysis; help with remediation measures; and a comprehensive final report of results and recommendations. It was this report that ultimately became the subject of the court’s order in May 2020.

Several months after Capital One suffered a data breach in March 2019, it retained a large law firm to represent it.  The law firm immediately signed a Letter Agreement with Capital One’s cybersecurity vendor, whereby the vendor agreed to provide services and advice regarding data breach response, forensics, incident remediation, and analysis.  This agreement, however, simply incorporated the prior agreements and terms between Capital One and the vendor.  One key difference was that this agreement now specified that the agreed-upon services would be provided to the law firm rather than the company.  There was also an addendum signed, which added one new line item: penetration testing of systems and endpoints.

As soon as Capital One disclosed the breach to the public, an onslaught of litigation followed.  In September 2019, the vendor prepared a report discussing how the breach occurred.  The vendor sent the report directly to the law firm, which then provided it to its client’s legal department.  

Until late 2019, Capital One continued to pay the vendor directly.  In December 2019, however, Capital One finally re-designated this as a “legal expense” and deducted it from the budget of its legal department.  The report was sent to the legal department, numerous employees, to the company’s Board, to four regulatory agencies, and to an accounting firm. The scope and the purpose of this disclosure was unclear, although Capital One’s declaration stated that the accounting firm reviewed the report to determine that there was no financial impact on the company; and Capital One’s employees reviewed it to determine what disclosures were required and for “business need[s].”  There was no evidence that any copying or sharing restrictions were placed on the report, and some 50 company employees received the report.    

In discussing the legal standard, the court first emphasized that the litigation itself does not automatically protect the materials at issue.  Rather, the materials must be prepared in anticipation of litigation.  Litigation must be the “driving force behind the preparation of each requested document” to qualify for work-product protection.  See Order at 6.  This essentially meant that the work done in the course of litigation could qualify, while work generally prepared where litigation might occur in the future did not quality for protection.  Importantly, there needed to be “an actual claim or a potential claim following an actual event or series of events that reasonably could result in litigation and the work product would not have been prepared in substantially similar form but for the prospect of that litigation.”  Id. at 6-7.  

The court looked at the totality of the circumstances in deciding that there was no work product protection.  First, the court emphasized that the mere fact that (1) a law firm was retained or (2) that litigation was likely did not by itself satisfy the above “but for” requirement.  Capital One still had the burden to show that the report would not have been prepared in a substantially similar form even if there was no litigation.  The following factors worked against Capital One:

  • The company had a longstanding relationship and pre-existing agreements with the vendor “to perform essentially the same services” that were performed for the report.
  • There was no evidence that the report would not have been prepared but for this litigation. 
  • Capital One admitted that these services were essential to help it respond quickly to future incidents, which demonstrated that a report of this kind would have been prepared after an incident, no matter what.
  • The vendor’s work was the same, the services were almost identical, and the terms of its agreement were essentially the same both before and after the law firm’s involvement. 
  • Although the supervision of the vendor was shifted to the law firm in 2019, the scope of the work did not change.  The vendor was already retained and was already performing its services; it did not shift its investigation at the law firm’s instruction; and the scope of work did not change when the law firm became involved. 
  • The vendor’s retainer was paid as a “business expense” and not a legal expense at the time it was paid.  Subsequent re-categorization did not change that fact. 
  • It was “significant” that the vendor had already received a large retainer and agreed to perform 285 hours of work before the incident was discovered. 
  • The report was provided to four different regulators and accountant, which suggested it had regulatory and business reasons (rather than purely legal reasons). 
  • The report was also shared with Capital One’s internal response team (including technical, IT, cyber, and enterprise services teams), which demonstrated that the report had various business and regulatory purposes. 

The court noted that the “only significant evidence” in favor of the work product protection was that the work was ultimately done “at the direction of outside counsel and that the final report was initially delivered to outside counsel.”  See Order at 8.  Having weighed all the evidence, and despite strong objections from the company and its outside counsel, the court ultimately ordered the disclosure of the report in its entirety.

Incident reports contain highly sensitive and confidential information, which can significantly harm the company in litigation if the contents of the report are disclosed.  All possible measures must be taken to avoid the waiver of the work product protection.  This decision is thus an important reminder that companies must follow careful steps when engaging cybersecurity consultants to address incidents and to prepare reports.  While traditionally it was preferable to retain a vendor early on to help deal with future incidents, careful planning is now essential.  Here are the steps we recommend to help companies maximize and strengthen their claim for work product protection of incident reports:

  1. Retain outside counsel immediately after an incident occurs.
  2. Do not retain an outside vendor directly.  Instead, go through your outside counsel or your legal department.
  3. Outside counsel must be the one controlling the work and performance of the vendor.
  4. The work must be done at outside counsel’s direction, and the vendor must send the report only to outside counsel. 
  5. Either hire a new vendor to prepare the report or, if you must work with an existing vendor, carefully ensure that there is a vastly different agreement and scope of services specifically tailored to the report.
  6. Do not include the report in the scope of services before the incident. 
  7. Clearly differentiate between the vendor’s routine services and litigation-related services.
  8. Do not share the report with anyone, except for legal purposes.
  9. Share the report with as few people as necessary, and ensure that there are restrictions against copying and re-distributing it.
  10. If a report is also necessary for internal business, accounting, or regulatory purposes, have a separate report prepared and be ready for that report to potentially become public.
  11. The report and the related work must be a “legal expense” paid for out of the company’s legal budget.
  12. The report ultimately prepared must have been prepared because there was an actual or potential threat of litigation, following an actual event, and the type that would not have been prepared outside of litigation.

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.