Earlier this month, we offered our analysis and takeaways from a Magistrate Judge’s decision that defendant Capital One was required to produce a third-party data breach assessment report as part of ongoing consumer litigation. Available here. Not surprisingly, Capital One appealed that order. On June 25, 2020, District Court Judge Anthony Trenga affirmed the decision, ordering Capital One to produce the report.
Brief Recap of the Incident and Order
In November 2015, Capital One retained FireEye, Inc. d/b/a Mandiant (“Mandiant”) to provide support in case of a data breach or security incident. When a breach occurred in March 2019, Capital One’s outside counsel called on Mandiant. While they executed a new letter agreement, the analysis requested from Mandiant was the same as that outlined in the 2015 Scope of Work.
Several putative consumer class actions were filed and a multi-district litigation is currently pending in the Eastern District of Virginia, captioned In re Capital One Consumer Data Breach Litigation, Case No. 1:19-md-2915.
There is no valid argument that the Mandiant report does not qualify as relevant and responsive information; however, Capital One argued that it was shielded from discovery by the attorney work product doctrine. Plaintiffs filed a motion to compel its production. On May 26, 2020, Magistrate Judge John Anderson granted Plaintiffs’ motion, finding that Capital One failed to meet its burden of establishing a valid privilege.
District Court Affirms
Capital One objected to the Magistrate Judge’s ruling and sought relief from the District Court Judge under Federal Rule of Civil Procedure 72(a). The Magistrate Judge’s decision was subject to evaluation under a “clearly erroneous or contrary to law” standard. The Court considered whether the order failed to apply or misapplied relevant statutes, case law, or procedure.
The District Court focused on whether the report was compiled “because of the prospect of litigation.” The Court questioned whether the prospect of litigation was “the driving force behind” the preparation of the Mandiant report. Despite retention by outside counsel, the Court found that Mandiant’s investigation would have been conducted, and report compiled, in materially the same way whether or not there was litigation or counsel involved. The Court also agreed with the Magistrate Judge that Capital One’s broad distribution showed that the Mandiant report “was significant for regulatory and business reasons” and underscored that business purpose.
The Court downplayed the prospect of potential litigation. The Court agreed with the Magistrate Judge that “[t]here is no question that at the time Mandiant began its ‘incident response services’ in July 2019, there was a very real potential that Capital One would be facing substantial claims following its announcement of the data breach.” Capital One’s website confirms that the breach resulted in access to consumer and small business credit card applications from 2005 to 2019, transaction data for certain customers, and about 140,000 social security numbers and information from 80,000 bank accounts. Even before the full extent of the breach was known and a report compiled, Capital One almost certainly had reason to believe this could be a litigation event.
Rather than a subjective (or even objective) analysis of the potential for litigation, the Court focused on whether the report would have been compiled in the same form whether there was a litigation threat or not. On that point, Capital One failed to demonstrate any input, direction, or strategic guidance from its outside counsel. The report was compiled as it had been envisioned for “business critical” purposes in 2015, and without any focus on the potential for litigation. That contributed significantly to Capital One’s inability to establish a privilege.
Thus, Capital One was ordered to produce the Mandiant report “forthwith.” If it wants to press the issue further, Capital One’s next option would be to seek permission for an interlocutory review by the Fourth Circuit Court of Appeals.
Implications and Lessons
The District Court’s affirmance and acceptance of the Magistrate Judge’s order confirms the importance of having proper protocols and protections in place when engaging an external (or even internal) expert to assist with litigation-relevant analyses. As detailed in our prior post, if a written report is required, companies should keep certain key points in mind, along with one new point emphasized by the District Court as to active involvement by outside counsel in the report itself:
- Clearly Defined Legal Scope of Work: Where a consultant has already been engaged and works with the company, the retainer signed at the direction of counsel must clearly define the terms and scope of work as distinct from the previous business relationship.
- Paid by Legal: If a consultant is being retained to provide support for legal advice or concerning potential legal claims, that work should be managed and paid for by legal personnel.
- Outside Counsel Active Involvement in Written Work Product: Outside counsel should be actively involved in providing input and strategic direction to the consultant as to what the consultant report addresses and incorporating legal considerations.
- Narrow Internal Distribution: Distribution of investigation reports should be limited to those individuals necessary to complete the legal analysis and litigation work.
- No External Non-Legal Distribution: Investigation reports should not be distributed to third parties.
- Track Distribution: Distribution of investigation reports should be tracked so that limited distribution can be demonstrated.
- Segregate Legal from Operational Work: Where business and legal issues or analysis are part of the same investigation, steps should be taken to segregate the legal- and litigation-related work product from business or operational reports and work.
While no protocol is guaranteed to satisfy every court, and each factual situation is unique, these guideposts improve the odds of meeting the burden required to withhold production of a consultant’s report.