
Virginia Judge Requires Capital One to Produce Expert Report on Data Breach

By David Chavez, Attorney, CRISC | 6.5.2020 


Generally, any company that suffers a security breach is best served by retaining legal counsel to help deal with the legal fallout from the incident.  And, usually, such counsel insists that service providers responding to the breach work at the direction of counsel, rather than the client company, to protect communications from disclosure in pre-litigation discovery. Courts have split on whether breach reports are discoverable in litigation and now the Eastern District of Virginia has again weighed in – again in favor of disclosure.

Before Capital One suffered its 2019 breach, it had entered into a Master Services Agreement (MSA) and a series of Statements of Work (SOWs) with Mandiant, one of the leading forensic security firms.  Generally, the SOWs outlined pre-breach services, but one of the SOWs detailed how forensic investigations would be performed in the event of a breach.

When Capital One discovered the 2019 breach, it retained law firm Debevoise and Plimpton as counsel, and turned to Mandiant to perform the forensic investigation.  Rather than rely on the MSA, the three parties then entered into a three-way retainer letter which directed Mandiant to report its findings to lawyers at Debevoise. The purpose for the three-way letter was to shield the service provider’s work from discovery by demonstrating that the service provider’s work was “work product” of Capital One’s lawyers and to be performed at the direction of counsel, in anticipation of litigation. The work product doctrine offers protections that are similar to protections provided under the attorney-client privilege.

The plaintiffs argued that the report was not work product and was subject to disclosure. Judge John Anderson agreed.

The judge ruled that a number of factors led him to rule that the work product doctrine did not apply:

1. The three-way letter between the client, the counsel and the service provider was identical to the Statement of Work that was prepared months before the breach as part of the original MSA.

2. The fees paid to Mandiant under the MSA were logged as “business critical” expenses and not “legal expenses”.

3. The report, once prepared and provided to counsel, was then forwarded to fifty Capital One employees, four regulators and the company’s accounting firm.

4. The report was also reportedly provided to Capital One’s board, by way of a “corporate governance office general mailbox”, with no understanding of who has access to the box and (reportedly) with no instructions regarding the sensitivity of the report or limitations on disclosure.

5. Capital One employees appeared to have anticipated using the Mandiant report to make certain disclosures required under Sarbanes-Oxley and for “2d line business need”.

Judge Anderson relied on a standard set out in a prior Virginia case, RJI Insurance Company v. Conseco.  That court ruled that to be protected, a document must be prepared “because of” the prospect of litigation as distinguished from materials prepared “in the ordinary course of business or pursuant to regulatory requirements or for other non-litigation purposes”.

Because the courts favor disclosure, the burden is on the party requesting protection.  Capital One did not present sufficient evidence to show that the forensic services performed by Mandiant would not have been done in a substantially similar form even if there was no prospect of litigation.  But that argument simply raises more questions than it answers.  For instance:

· Would a financial services company ever retain an incident response firm without expecting that litigation, or at least a regulatory action, would ensue after a breach?

· Would it matter if the original Master Agreement and associated Statements of Work were three-way agreements with counsel?

· What is the import of the law firm turning the report over to the client without making modifications to it? And, what kind of modifications would have been significant enough to protect the document from production? Some may argue that the firm acted as a mere conduit, but so what? Expert reports are never modified by counsel and besides, would you want a forensic report modified by a lawyer?

We continue to believe that the three-way letter is the best way to tee up incident response actions and to try to protect the report from disclosure.  The jurisdictions continue to be split, and Virginia appears to be digging in its heels on disclosure.  In light of the Capital One ruling, I would advise clients (and service providers) to draft three-way Incident Response retainer letters independently from MSAs and SOWs for pre-breach proactive services for testing, assessing and planning security.  Often, such three-way letters do not require a retainer and are prepared before a breach merely for convenience.  Time is of the essence in responding to a security breach and no one wants to hold up a forensic investigation to negotiate a contract.  Better to draft it ahead of time, with fees set out and a retainer that is activated at the time of the breach. Oh, and refer to those fees and retainer as “legal expenses”.

One final point – the facts surrounding the breach will be discoverable regardless of whether the report is turned over. The reason plaintiffs want the report is to refute that Capital One “implemented and maintained” reasonable information security standards, as required under many laws.  This ruling supports our recommendation that businesses get their InfoSec house in order as soon as possible, before a breach hits and the disclosure obligations begin.