June 30, 2020

US District Court affirms Magistrate Judge’s order that Capital One’s forensic investigtor’s data breach analysis is not protected from disclosure under the attorney work product doctrine

On June 25, 2020, the US District Court for the Eastern District of Virginia affirmed the May 26, 2020 order from Magistrate Judge Anderson that a forensic report issued by a third-party consultant detailing findings about a 2019 data breach is not protected from disclosure under the attorney work product doctrine, and must be produced to the plaintiffs.  In the May order granting the plaintiff’s motion to compel discovery of the forensic report prepared by Mandiant Corporation for Capital One, N.A. and two other Capital One entities, the court explained that in order to qualify for work product protection under Rule 502 of the Federal Rules of Evidence, not only must the document have been prepared “because of the prospect of litigation,” but the party asserting the privilege must also show that the document would not have been prepared in substantially similar form had there been no prospect of litigation. The Magistrate found that Capital One had not met this burden.

In the district court’s plenary de novo review, it affirmed the May ruling ordering production of the forensic report, noting that “Capital One had determined that it had a business critical need for certain information in connection with a data breach incident, it had contracted with Mandiant to provide that information directly to it in the event of a data breach incident, and after the data breach incident at issue in this action, Capital One then arranged to receive through [its outside counsel] the information it already had contracted to receive directly from Mandiant.”  As a result, Capital One did not establish that Mandiant’s report was created “because of” litigation or that its report would not have been issued in substantially similar form without the threat of litigation.

Court Memorandum and Order