We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
19 June 2020
Last week, the U.S. District Court for the Eastern District of Virginia ordered Capital One to produce a forensic investigation report in multidistrict litigation arising out of the cyber incident Capital One announced in July 2019. The court found that the report was not protected by the work product doctrine because Capital One had not shown that "but for" the litigation the report would not have been prepared in substantially the same form. The opinion offers some lessons for companies entering into arrangements with forensic experts in advance of cyber events.
The ruling adds to a recent set of cases in which courts have taken a hard look at whether to afford protection to the work of cyber incident response service providers, including In re Dominion Dental Servs. USA, Inc. Data Breach Litig., 429 F. Supp. 3d 190 (E.D. Va. 2019), and In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230 (D. Or. 2017), both of which found that post-incident investigation reports were discoverable.
These decisions are in tension with case law applying a more flexible standard to claims of attorney-client privilege or work product protection. See, e.g., In re Kellogg Brown & Root, Inc., et al., 756 F.3d 754, 760 (D.C. Cir. 2014); In re Experian Data Breach Litigation, 15-01592, 2017 WL 4325583 (C.D. Cal. May 18, 2017). This common sense approach acknowledges that there can be non-legal reasons for forensic investigation, but where the preparation for litigation is a key reason for the work, it still deserves protection. The Capital One court did not apply this approach, and it is important to understand what factors drove its analysis.
The Capital One court emphasized the following in compelling production of the Mandiant report:
Although the court ordered the production of the Mandiant report, it denied without prejudice Plaintiffs' request for access to "related materials" about the internal investigation. The court found that Plaintiffs' motion to compel those materials was not yet ripe. It remains to be seen whether the court will open the door to discovery into Capital One's incident response investigation more broadly.
This decision underscores several factors that are likely to influence how courts evaluate work product claims related to cyber incident investigations—from the timing of when service providers are retained, how they are retained, and how their work will be used and shared both within and outside an organization.
For further information on this topic please contact Michelle A Kisloff, Peter M Marta or Paul Otto at Hogan Lovells by telephone (+1 202 637 5600) or email (email@example.com, firstname.lastname@example.org or email@example.com). The Hogan Lovells website can be accessed at www.hoganlovells.com.
This article has been reproduced in its original format from Lexology – www.Lexology.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.