In a time when data breaches are on the rise, a recent court ruling serves as a stark warning for companies attempting to shield from disclosure their incident response consultant’s report. The court’s decision compelling the disclosure of a report prepared by Mandiant should give companies pause when preparing for and investigating their next data breach—and suggests some steps companies can take to avoid a similar result if they decide to have their incident response consultant prepare such a report.

In In re: Capital One Customer Data Security Breach Litigation, E.D. Va., No. 1:19-md-02915, a case in which a putative class of consumers allege various claims against Capital One arising out of the data security incident Capital One suffered in 2019, a magistrate judge ordered Capital One to produce to plaintiffs a report of the incident that Mandiant, Capital One’s incident response consultant, prepared. The court’s order departed from other courts, which have consistently held such reports to be protected from disclosure by either the attorney-client privilege or the attorney work product doctrine.[1] The court held that Capital One failed to satisfy its burden of proving that Mandiant’s report would not have been prepared but for anticipated litigation and therefore fell outside the scope of protected attorney work product. In response to the court’s order, Capital One has informed the court of its plan to object to the magistrate judge’s ruling under Federal Rule of Civil Procedure 72, and the court has stayed the order compelling production of Mandiant’s report until Capital One’s objections are resolved. While the order compelling production may be reversed—and given the case law (see n. 1, supra), Capital One appears to have a strong argument for reversal—the order still highlights the issues surrounding the preparation and use of incident response reports like Mandiant’s.

In its order, the court pointed to a number of facts and circumstances surrounding Mandiant’s report. Chief among those facts was that Capital One had entered into a Master Services Agreement with Mandiant in 2015, years before the incident at issue in the litigation, and Capital One issued subsequent Statements of Work directing Mandiant to perform specified tasks. Capital One initially paid Mandiant’s fees as a “business critical expense” (though the court acknowledged that Capital One later reallocated Mandiant’s fees for its work on the 2019 security incident to be paid from the legal department’s budget). Immediately following the 2019 security incident, Capital One’s outside counsel entered into a new letter agreement with Mandiant to provide services related to the incident. The court found it significant that the new agreement provided for the same scope of work and services as those specified in previous agreements. At the conclusion of its investigation, Mandiant provided its incident report to Capital One’s outside counsel. The court noted that Capital One widely disseminated Mandiant’s report both within and outside of the organization—to its board of directors, to 50 Capital One employees, to four regulators, and to an accounting firm. Further, the court noted, Capital One used the report to make required Sarbanes-Oxley Act disclosures and to provide talking points for a senior vice president of finance to discuss the incident.

While the court’s decision could have gone either way—as noted, there are plenty of cases holding that incident reports like the one Mandiant prepared for Capital One are protected either under attorney-client privilege or the work product doctrine—two facts seemed critical to the court’s decision to part from those cases. First, the court viewed Mandiant’s work under the letter agreement with outside counsel as identical to the services it agreed to provide to Capital One years before the incident, undermining the notion that Mandiant’s work would not have been performed but for litigation. And second, perhaps more importantly, Capital One’s broad dissemination of Mandiant’s work convinced the court that Capital One commissioned Mandiant’s work not just to defend against litigation, but for normal business purposes, such as working with its regulators and auditors and responding to shareholder inquiries.

The second point suggests the constraint Capital One faced in this case: having provided Mandiant’s report to third parties such as regulators and its auditor, Capital One could not have taken the position that the report was protected by the attorney-client privilege. Such a position would have failed because, having provided the report to third parties, Capital One would have been deemed to have waived any such privilege.[2] Attorney work product, on the other hand, can be provided to third parties without waiving the privilege, unless the third parties with whom the work product is shared are considered adversaries.[3]

But making the work product argument put Capital One in a bind with the court: the court used Capital One’s use of its work product against it, finding that the fact that Capital One shared the report with regulators and its auditor may not have effectuated a waiver of the work product (the court declined to reach that issue), but served as evidence that the report was not work product in the first place. That was because, as noted, the court viewed Capital One’s use of the report with regulators and its auditor as evidence that it would have asked Mandiant to prepare the report even without the threat of anticipated litigation.

So what can a company facing a security incident do to maximize the protection of any report prepared by its incident response consultant? In addition to the considerations we previously provided to organizations preparing their response plans and data breach investigation strategies, there are a few things companies should keep in mind:

1. When a company works regularly with a third-party forensic firm, the agreements signed at the direction of counsel should distinguish the post-security incident services from those of a previous business relationship or the pre-existing SOW with the organization.

The agreement drafted for post-security incident services should make clear that (a) counsel is directing the work, (b) the work is being requested for the purpose of defending against anticipated litigation, (c) the work is limited to that litigation-related work, and (d) any other non-litigation work (such as future penetration testing or remediation projects) is outlined on a different SOW. The litigation-related work should be limited to identifying the attack vector responsible for the breach and (perhaps) identifying vulnerabilities that allowed the incident to occur.

2. When a company requests a third-party forensic firm to prepare a report, the organization should make a record that it is doing so for the purpose of anticipated litigation.

The Capital One court put the burden on Capital One to prove the relationship between Mandiant’s report and the anticipated litigation, and it ruled against Capital One for not having provided sufficient evidence of that relationship. Companies should, therefore, consider ways to make that relationship more clear when directing a third-party incident response firm.

3. A company should pay for a third-party forensic firm’s work out of its legal budget.

The Capital One court found it significant that Capital One initially designated fees paid to the forensic firm as “business critical” and the expenses were paid out of the cyber team’s budget, not legal (until the fees were later reallocated).

4. A company should limit the dissemination of any incident report created by a third‑party forensic firm.

Ideally, the audience within a company for any incident response report would be limited to in-house counsel, the Board, and a limited group within the cyber team who need to understand legal advice offered based on the incident response report. The report should not go to a broad group of employees, nor to any team conducting internal investigations or assessments outside of counsel’s direction. The Capital One court’s decision serves as a warning that anyone who receives the report should not use it for business purposes—it should be used only to deal with anticipated litigation or to obtain or implement legal advice—lest the report be deemed insufficiently related to anticipated litigation.

5. A company should not provide any incident report to third parties (e.g., regulators, auditors, customers).

This is, perhaps, the chief lesson of Capital One. The fact that Capital One provided Mandiant’s report to third parties precluded it from making the argument that the report was privileged, and not just work product. Had Capital One been free to make a privilege argument, it likely would have succeeded in shielding the report from disclosure: as noted, many courts have ruled that incident reports like Mandiant’s are both privileged and work product, and attorney-client privilege is broader than work product, requiring no relationship between the work and anticipated litigation (only that the report be prepared for the purpose of obtaining legal advice).

We recognize, of course, that a company may not be able to prevent regulators or auditors from getting access to an incident response report. To guard against the risks that come with sharing an incident response report, a company should carefully consider whether it should ask its incident response consultant to prepare a report in the first place. Again, we recognize that the value of such incident response reports usually prompts companies to ask their consultants to prepare them. Capital One warns companies that if they do commission incident response reports, they should take all of these steps to maximize the chances that the reports serve their true purpose—to provide a candid review of the facts informing the company’s counsel as counsel provides legal advice to the company and guides the company’s legal response to an incident—rather than serving as a road map to a plaintiff attempting to assert legal claims against a company based on a security incident.