On June 25, 2020, the District Court for the Eastern District of Virginia affirmed a magistrate judge’s decision that a cybersecurity forensics report prepared following a data breach and at the direction of outside counsel was not protected by the work-product doctrine and must be produced.[1] The Court’s decision serves as a stark reminder of the heavy burden required to maintain work-product protection. Forensics reports are extremely important documents, and are sometimes the subject of discovery disputes, as they provide critical information that may reflect an entity’s preventative measures and subsequent response to a data breach.
A few lessons learned from the court’s decision will help entities strengthen their claim for work-product protection and maintain a forensics report’s confidentiality.
The work-product doctrine protects “documents and tangible things that are prepared in anticipation of litigation by or for another party or its representative.”[2] Documents prepared in the ordinary course of business or for some other non-litigation purpose are not documents “prepared in anticipation of litigation.” In order for a document to receive work-product protection, the document must be created because of the prospect of litigation. In the Fourth Circuit Court of Appeals, courts particularly look at whether:
- The document was created when litigation is a real likelihood and not when that litigation is merely a possibility; and
- The document would have been created in essentially the same form in the absence of litigation.
In In Re Capital One Consumer Data Security Breach Litigation, Capital One entered into a Master Services Agreement (MSA) with FireEye, Inc., d/b/a Mandiant in November 2015, which was supplemented by periodic Statements of Work (SOW). The key purpose of the MSA and the SOWs was to ensure that Capital One could quickly respond to a cybersecurity incident should one occur. In January 2019, Capital One entered into another SOW with Mandiant which included incident response services.
On July 19, 2019, Capital One confirmed that it had experienced a data breach. The next day, Capital One retained outside counsel to provide legal advice in connection with the data breach. Outside counsel and Capital One signed a Letter Agreement with Mandiant, whereby Mandiant agreed to provide incident response services under the same terms as the January 2019 SOW, except the Letter Agreement stated that the work was to be done at the direction of outside counsel and that deliverables would be provided to outside counsel instead of Capital One.
A class action lawsuit was later filed against Capital One in regard to the data breach. During discovery, the plaintiffs filed a motion to compel the production of the forensics report. Capital One asserted that the report was protected from production under the work-product doctrine. The court acknowledged that the report was created when litigation was a real likelihood. At issue was whether the report would have been created in essentially the same form in the absence of litigation. The court held it would have.
In reaching this conclusion, the court noted that Capital One had a long-standing MSA relationship and a pre-existing SOW with Mandiant to perform essentially the same services that were performed in preparing the forensics report. Also, the funds used to pay Mandiant were designated as “business critical” expenses, and not legal expenses. The forensics report was also shared internally with approximately 50 different people as well as with an external accountant and four different regulators. For these reasons, the court concluded that the forensics report was not a protected work product and ordered the forensics report be produced to the plaintiffs.
The court’s decision presents a potential chilling effect on preparing forensics reports, given the possibility that these reports can be used against an entity in litigation. However, a forensics report has significant value and should still be prepared following a cybersecurity incident. For instance, documentation of a forensics investigation can be used as evidence that an entity has proper cybersecurity measures in place, and can also be used to show that notification of a data breach is not required under applicable law.[3]
Here are four steps entities should consider taking in order to help maintain work-product protection.
1. Limit Distribution of the Forensics Report
The number of people who view the forensics report should be limited to as few people as possible. Ideally, the forensics report should only be disclosed internally to individuals on a strict need-to-know basis. Avoid disclosure to third parties. As the court recognized, the fact that the forensics report was disclosed to an auditor and regulators does not necessarily destroy work-product protection. In fact, various statutes state that regulators may receive documents without waiving applicable privilege.[4] However, the more individuals who view the forensics report, the less likely a court will find that the forensics report was prepared in anticipation of litigation. In addition, if dissemination of the report is limited to counsel and only very senior members of senior management, and other required elements are met, the report may also be protected by attorney-client privilege.
2. Discuss Just the Facts, Not Speculation or Opinions
Forensics reports should be prepared with the anticipation that they will be viewed by third parties. Indeed, entities that sustain a cybersecurity incident may need to share information about the incident, whether it be for internal operational or external regulatory compliance purposes.
With this in mind, forensics reports should be limited to providing just the facts regarding the incident. A forensics report should not provide any speculation or express any opinions on the cause or effects of the incident. A forensics report should simply identify the facts uncovered during the forensic investigation, such as indicators of compromise, relevant Internet Protocol (IP) addresses or email accounts, or notable events identified on an activity log. Therefore, it is important to make clear to forensic investigators that they limit the scope of their report to discuss just the facts, not speculation or opinions.
To improve the likelihood of successful work-product protection for the expert’s analysis, an entity may want to consider preparing two separate reports, possibly by two separate forensics investigators, if feasible. One report would focus on the facts regarding the cybersecurity incident. This would be the report shared with regulators or other individuals internally. A second report could be prepared for legal counsel’s use only. This report would only be shared with legal counsel and be prepared with the explicit objective of developing the technical information that counsel needs to provide legal advice to the client. This second report can include some speculation on the causes and effects and further opinion about the incident if needed by legal counsel. This report will better support a claim of work-product protection as well as a claim of attorney-client privilege.
3. Define the Relationship
The court highlighted the pre-existing relationship with Mandiant, noting that Mandiant’s scope of work under the Letter Agreement with outside counsel was the same as the scope of work already set forth in the pre-existing MSA and SOW. Entities routinely enter into MSAs with cybersecurity firms for services prior to any cybersecurity incident. However, once an incident occurs or is reasonably believed to have occurred, an entity may want to consider engaging a different forensics investigator to respond to the incident.
If an entity decides to use the same cybersecurity firm engaged under the MSA to respond to the incident, the entity should make clear in a new SOW that the scope of work being provided differs from the scope of work in the MSA or any pre-existing SOW. The new SOW should clarify that counsel is directing the forensics investigation and providing legal advice in anticipation of litigation. The SOW should specify the incident response services to be provided, and it should not include any unrelated services that may already be covered under pre-existing SOWs or are in the nature of routine forensic services. The purpose of engaging a new cybersecurity firm or providing a new SOW is to demonstrate that the incident response services are provided in anticipation of litigation. In other words, this newly defined relationship will demonstrate that the forensics report would not have been created in essentially the same form in the absence of litigation.
4. Designate the Expenses as a Legal Expense
The court noted that the funds used to pay Mandiant were designated as “business critical” expenses, and not legal expenses. To help demonstrate that the forensics investigation and report are a legal expense, payment should come directly from the entity’s legal budget or the payment should clearly be designated as a legal expense.
With the increase in cyberattacks, ranging from stealing credentials through business email compromises, to the total shut-down of even reasonably secured networks by sophisticated cybercriminals, more and more organizations are at risk of suffering a data breach and needing a comprehensive forensic analysis of what happened. This case demonstrates how difficult it is to sustain work-product protection and, therefore, how important it is to have a plan in place for how to engage and document the engagement of the forensic investigator as part of an organization’s incident-response plan.
- [1] See In re Capital One Consumer Data Sec. Breach Litig., No. 1:19-md-02915, 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020) and 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25, 2020).
- [2] Fed. R. Civ. P. 26(b)(3)(A); see also Fed. R. Evid. 502(g)(2) (defining work-product protection as “the protection that applicable law provides for tangible material (or its intangible equivalent) prepared in anticipation of litigation or for trial.”).
- [3] See, e.g., N.Y. Gen. Bus. Law § 899-bb (requiring “[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information. . . .”) and N.Y. Gen. Bus. Law § 899-aa (explaining that breach notification “is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm. . . . Such a determination must be documented in writing and maintained for at least five years.”).
- [4] See, e.g., 6 U.S.C. §§ 1501–1510 (allowing companies to share information with the federal government concerning “cyber threat indicators” or “defensive measures” without waiving applicable privilege) and 12 U.S.C. § 1828(x) (explaining that any information disclosed to a federal banking agency “shall not be construed as waiving, destroying, or otherwise affecting any privilege such person may claim with respect to such information under Federal or State law. . . .”).