On May 26, the District Court found in In Re: Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA) (E.D. Va.), that a report prepared by Mandiant concerning the Capital One data breach (Breach Report) was not protected by the work product privilege and must be turned over to Plaintiffs.
The Breach Report was prepared by Mandiant at the direction of Debevoise & Plimpton, Capital One’s counsel. Debevoise & Plimpton hired Mandiant immediately after the breach to assist in likely litigation. On July 24, 2019, Debevoise & Plimpton and Capital One entered into an agreement with Mandiant to provide advice “concerning security incident response; digital forensics, log and malware analysis; and incident remediation” (7/24/19 Agreement). Additional duties were added on July 26.
In July 2019, Capital One reported the breach and lawsuits started to be filed the following day. Mandiant performed the work and prepared the Breach Report in September 2019. So far this looks like the normal way experts are hired under the very real prospect of litigation, for which the work product doctrine should attach. But as so many TV offers remind us, “wait, wait, there’s more!”
The Court acknowledged that when Mandiant was hired “there was a very real potential that Capital One would be facing substantial claims.” The Court found the determinative issue was whether the Mandiant Breach Report would have been prepared in substantially similar form “but for the prospect of that litigation.” The fact that the investigation was done at the direction of outside counsel and the Breach Report was initially provided to outside counsel did not satisfy the “but for” test.
Capital One failed to demonstrate that Mandiant would not have performed substantially similar services in the absence of litigation. In fact, Mandiant had a long-standing relationship with Capital One, going back to at least 2015, to perform essentially the same services as detailed in the 7/24/19 Agreement (and the prior agreements were specifically mentioned in the 7/24/19 Agreement). The only significant change from prior agreements was that Debevoise & Plimpton would direct the work and receive the Breach Report. Mandiant’s similar, prior work was deemed business critical and not a legal expense. The Breach Report was shared with four regulators. While the Court noted this did not necessarily constitute a waiver, it did not decide the case based on this factor and noted the “waiver argument may have some merit.” The Court further noted the full Breach Report was shared somewhat freely within Capital One – with the Incident Response Team, in preparation of SOX reports and in publicly announcing the breach.
Folks working in this space are well aware of the similar issue in the Experian data breach case. In Experian, Mandiant’s report was afforded the work product privilege. The Court distinguished this case from Experian. Key distinguishing factors in Experian included that the full report was not provided to the incident response team or used for other non-legal needs, and that there was no preexisting relationship with Mandiant to the same extent as in Capital One. Accordingly, the Court ordered the Breach Report turned over to Plaintiffs.
Some clear lessons can be gleaned. When choosing a company to assist with data breach litigation response, clearly vet that company. Past work for the breached company, including prior work relationships and contracts, should be reviewed carefully to make sure the post-breach engagement is not more of the same or similar work. If in doubt, have one firm assist with litigation and the other with breach mitigation. Be careful about who sees the full litigation report and the purpose(s) for which it is used. Stay in the work product lane. Again, hiring two firms with distinct functions – one for mitigation (which can also be used more broadly internally and with regulators), one for litigation – makes this task easier, especially when the breaches are so large.