Absent proper precautions, companies may be forced to produce or otherwise disclose third-party forensic reports generated during a post-breach investigation. Historically, when a data breach has occurred, companies have understood that engaging outside counsel to conduct an investigation would ensure that any work product produced by counsel or any consultants retained by counsel would be protected from disclosure by the attorney-client privilege or attorney work-product doctrine. But, as high-profile data breaches have become more prevalent and litigation relating to the breaches has spiked, plaintiffs are demanding to discover a broader range of documents, including any internal analyses, communications, and forensic reports produced by third-party investigators. And, a growing number of cases have found that not all reports and materials prepared by third-party advisors, even those retained by counsel, are protected by privilege.

Companies Ordered to Disclose Cybersecurity Reports to Plaintiffs

Most recently, in In re Capital One Consumer Data Security Breach Litig., 2020 WL 2731238 (E.D. Va. May 26, 2020), a Virginia federal magistrate judge held that Capital One was required to turn over the incident report prepared by its cybersecurity consulting firm, Mandiant, in the wake of its 2019 data breach. Following its discovery of the breach, Capital One engaged outside counsel to provide legal advice and conduct an investigation. Capital One’s outside counsel, in turn, engaged Mandiant to assist in its investigation. During the subsequent litigation, the plaintiffs moved to compel production of the Mandiant report. Capital One objected, arguing that the report was shielded by the attorney work-product doctrine because it was prepared for Capital One’s attorneys in anticipation of litigation. The magistrate judge disagreed, pointing to several key facts that signaled the report was not prepared “in anticipation of litigation” and likely would have been prepared for Capital One regardless of whether there was a threat of litigation, including that:

  • Mandiant had been on retainer with Capital One for several years before the incident.
  • Capital One continued to pay Mandiant directly for its investigation.
  • Capital One classified the retainer as a “business” rather than “legal” expense.
  • The report was widely distributed to nearly 50 Capital One employees with no explanation of any restrictions regarding its further disclosure.

The magistrate judge thus ordered Capital One to produce the report to the plaintiffs. Capital One has appealed the decision to the district judge, arguing, among other things, that it would dissuade companies from planning ahead and engaging capable service providers to quickly assess the scope of and respond to data breaches. That appeal is still pending.

The Capital One case follows other recent decisions similarly requiring the production of investigative reports to plaintiffs in litigation. Last December, in In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d (E.D. Va. Dec. 19, 2019), another Virginia federal judge held that Dominion Dental was required to disclose its post-breach investigation report, which was also prepared by Mandiant. Like Capital One, Dominion had hired Mandiant to investigate, prevent, and remediate data breaches before suffering the data breach at issue in the case. When the breach was discovered, Dominion’s outside counsel entered into a new statement of work with Mandiant. But the court found the new statement of work to be “almost identical” to the prior version between Dominion and Mandiant, and it concluded that Mandiant’s post-breach report would have been prepared in a substantially similar form for Dominion without the threat of litigation. The court thus ordered the report to be produced to the plaintiffs. Similarly, in 2017, in In re Premera Blue Cross Customer Data Breach Litig., 296 F. Supp. 3d (D. Or. Oct. 27, 2017), an Oregon federal judge overseeing multidistrict litigation against Premera Blue Cross ordered Premera to produce a large set of documents relating to work performed by Mandiant during its post-breach investigation. Like Capital One and Dominion Dental, Premera had engaged Mandiant to review and advise on Premera’s data security systems before the breach at issue occurred. When Mandiant discovered the breach, it entered into a new statement of work that shifted supervision from Premera to Premera’s outside counsel. But because the change in supervision did not alter the scope or nature of the work Mandiant had been engaged to perform years earlier, the court found that the involvement of outside counsel could not cloak Mandiant’s post-breach investigative work with privilege.

Takeaways for Protecting Privilege in the Wake of Data Breaches

These and other cases raise questions about the traditionally held view that the work of third-party consultants retained by legal counsel in the wake of a data breach will be protected from disclosure in subsequent litigation. While maintaining privilege may not be possible in every situation, there are some steps companies and counsel should consider taking to bolster a privilege claim over third-party forensic reports:

  • If the company has an ongoing relationship with the cybersecurity firm, outside counsel should consider retaining a different IT firm to conduct the breach investigation or, at a minimum, alter the scope of work with the existing firm to accurately and clearly account for the legal needs of the investigation. Alternatively, some law firms have ongoing vendor relationships with cybersecurity firms, which would add a layer of separation between the company and the cybersecurity investigative work being done at the direction of counsel.
  • Outside counsel, and not the company, should engage the cybersecurity firm to assist in any investigation.
  • Outside counsel, and not the company, should direct the activities of the consultants during the investigation.
  • Whether a new or existing firm is selected for the post-breach investigation, any fees for that work should be separately accounted for by the company as litigation expenses rather than ongoing business expenses.
  • Investigative documents and reports generated by the consultants should be provided directly to counsel, not the company.
  • If investigative documents or reports are provided to the company, they should come from outside counsel, be treated as more typical litigation-related documents, and be tightly managed under strict confidentiality measures and limits on dissemination.
  • No investigative documents or reports should be shared with third parties.

For more information on post-breach investigations, please contact the authors.