May 28, 2020

Capital One ordered to produce forensic report of data breach investigation

On May 26, 2020, the US District Court for the Eastern District of Virginia granted a motion to compel the production of a forensic investigative report prepared by Mandiant, a cybersecurity consulting company, concerning the March 2019 Capital One data incident.  Mandiant was originally retained by Capital One in November 2015 to provide ongoing incident response services, in part “to ensure that Capital One could quickly respond to a cybersecurity incident should one occur.”  (Mem. Op. at 1-2.)  Capital One maintained its consulting relationship with Mandiant through a series of periodic Statements of Work and paid Mandiant a retainer for its services.  In February 2019, Capital One designated that retainer a “Business Critical” expense, rather than a “Legal” expense.  

Following a March 2019 data incident, Capital One retained an outside law firm to conduct an internal investigation. Four days after it was retained, Capital One’s outside law firm entered into a separate letter agreement with Mandiant that cross-referenced Mandiant’s most recent statement of work (“SOW”) for Capital One and agreed that Mandiant would be paid according to the terms of that SOW.  In addition, the law firm’s letter agreement stated that Mandiant’s services under the letter agreement would be performed at the direction of counsel and that Mandiant’s work product would be delivered to the law firm, not Capital One.  Once Mandiant’s retainer was exhausted, Mandiant’s additional fees were paid directly by Capital One, and in December 2019 the expenses associated with Mandiant’s work on the data incident were re-designated by Capital One as “Legal” expenses.

On July 30, 2019, the first of several consumer lawsuits was filed against Capital One in connection with the data incident. Mandiant issued its forensic report in September 2019.  Mandiant sent its report to the outside law firm, which then provided it to Capital One’s legal department and board of directors.  In addition to approximately fifty Capital One employees, the Mandiant report was shared with four federal regulatory bodies and an accounting firm.  Plaintiffs in the consumer data breach litigation requested that Capital One produce the Mandiant report to them, but Capital One refused, invoking the work product doctrine under Rule 502 of the Federal Rules of Evidence, which protects materials prepared in anticipation of litigation or for trial.

Applying the standard set forth in National Union Fire Ins. Co. v. Murray Sheet Metal Co., 961 F.2d 980, 984 (4th Cir. 1992) and its interpretation by the Eastern District of Virginia in RLI Ins. Co. v. Conseco, Inc., 477 F. Supp. 2d 741, 748 (E.D. Va. 2007), the Court noted that to qualify for work product protection, a document must (a) have been prepared “because of” the prospect of litigation, and (b) be one that would not have been prepared in substantially similar form but for the prospect of litigation.  The Court ruled that Capital One had not met its burden of showing “that the incident response services performed by Mandiant would not have been in substantially similar form even if there was no prospect of litigation.”  (Mem. Op. at 7.)  In reaching that conclusion, the Court found that the following factors weighed against finding work product protection:  (i) Capital One’s long-standing consulting relationship with Mandiant; (ii) the identical services provided by Mandiant under both the pre-existing SOW and the outside law firm’s letter agreement; (iii) the designation of Mandiant’s retainer as a “business-critical” rather than “legal” expense; and (iv) the significance of the report’s contents to business and regulatory matters, evidenced by the report’s widespread distribution.  (Id. at 7-8.)

Memorandum opinion and order