Breach Reports and Privilege
The steps taken immediately following knowledge of a data breach are often scrutinized by the public at large and by potential litigants.  Remember when it came out that three Equifax executives sold nearly $2M worth of company stock within days of Equifax’s data breach?  The executives claimed they had no knowledge of the breach when they sold their shares, but that didn’t stop the public from questioning the timing.

How a company responds to (and thus recovers from) a data breach can make or break the company’s reputation.  And during these uncertain and unprecedented times, a company’s reputation is more important than ever.

Breach Reports

After becoming aware of a data breach, common practice is to engage counsel to direct an investigation into the cause, scope and extent of the incident.  For years, many have felt that these investigations, and the breach reports stemming from them, are covered by the work-product privilege when outside counsel is engaged.  Unfortunately, the question of privilege surrounding these types of reports is not as clear as many hoped, as evidenced by the recent ruling in In Re Capital One Consumer Data Security Breach Litigation, No. 19-2915 (E.D. Va.).

In 2019, Capital One experienced a data breach that compromised the personal information of approximately 100 million individuals.  After announcing the breach in July 2019, Capital One immediately hired outside counsel to provide legal advice in connection with the incident.  Outside counsel engaged Mandiant, an IT forensic company, and an updated Statement of Work was executed highlighting that the work would be done at the direction of counsel.  (Capital One had a long-standing relationship with Mandiant going back to 2015.)

After performing the services and preparing the data breach report, Mandiant provided it to outside counsel, who then provided it to Capital One’s legal department.  Ultimately, approximately fifty Capital One employees received a copy of the report, along with a number of regulators and Capital One’s accounting firm.

Civil litigation followed the announcement of the breach, and the plaintiffs ultimately moved to compel disclosure of the Mandiant breach report.  Capital One argued that the breach report was privileged under the work-product doctrine as it was prepared at the direction of counsel.

Ultimately, the Magistrate rejected Capital One’s argument, noting that “the fact that the investigation was done at the direction of outside counsel and the results were initially provided to outside counsel” does not necessarily give the document work-product protection.

Instead, the court focused on whether Capital One would have likely taken the same steps even without anticipation of litigation.  And in this case, the court decided Capital One would have engaged Mandiant to perform these services even without anticipation of litigation, and thus ordered Capital One to hand over the breach report.

The work-product doctrine is widely relied upon during litigation, but the Capital One case reminds us that the protection is not infallible.  And although this is just one case (and some courts might come to a different conclusion), the decision is still informative, and highlights some things to consider.

Things to Consider:
  1. If you decide to use an IT forensic company that you already have a relationship with, make sure the SOW clarifies that the post-breach work is different from the pre-breach work. The court focused on the “long standing relationship” between Mandiant and Capital One, and on the fact that the work set forth in the pre-breach and post-breach SOWs was essentially identical.
  2. Limit who gets a copy of the data breach report. In this case, the report was originally presented to Capital One’s outside counsel, who then provided the report to Capital One’s legal department.  It was subsequently provided to over fifty employees, a number of regulators, and Capital One’s accounting firm.  Although the court did not address whether the wide distribution amounted to waiver of the privilege, the court did note that the circulation of the report weakened the argument that the document was for legal purposes as opposed to general business purposes.
  3. Clarify that costs associated with incident response are legal costs as opposed to business expenses. Capital One originally characterized the breach response costs as business expenses and not legal expenses.  Capital One later re-characterized these as legal expenses, which the court took note of.
  4. Engage outside counsel immediately to direct the response and engage third party vendors. Even in light of this decision, it’s important to engage counsel to direct and manage the third-party vendors to protect any potential privilege.