Data collectors constantly struggle to balance the need for honest self-critiques of their data protection safeguards with the desire to not generate information that may be used in litigation. Indeed, it is encouraging to see a number of data collectors hiring third-party experts to look at safety measures and issue reports on their findings before there is an incident. Of course, these reports are only useful if they include an honest assessment of a data collector’s incident response preparation, digital forensics and incident remediation. Understandably, there is trepidation that the findings in the reports may be used to establish liability against the data collectors. Further, many recent court decisions undermine the efforts to get data collectors to take a hard look at their safeguards by allowing reports generated during self-assessment to be used in subsequent litigation.
The recent decision in In Re Capital One Consumer Data Security Breach Litigation, 2020 WL 3470261 (June 25, 2020), addresses this balance between assessing how information is protected and generating a report that can potentially be used to create liability. The sole issue before the District Court in Capital One is whether a report prepared by a third party analyzing Capital One’s data breach is protected as work product and, therefore, not discoverable. The Magistrate Judge ordered Capital One to produce the third party’s report. Rule 72(a) of the Federal Rules of Civil Procedure allows a party to submit objections to a magistrate judge’s ruling for a district court’s review. After reviewing the Magistrate Judge’s ruling, the United States District Court for the Eastern District of Virginia held that the Magistrate Judge correctly found the report was discoverable.
On November 30, 2015, Capital One entered into a Master Services Agreement (“MSA”) with FireEye, Inc. d/b/a Mandiant. “A key purpose of the MSA and SOWs was to ensure that, in the event of a cybersecurity incident, Capital One could respond quickly.” To facilitate Mandiant’s prompt response to an incident, the parties could use SOWs for Mandiant to “provide incident response services, which are broadly characterized as computer security incident response support, digital forensics, log and malware analysis support; and incident remediation assistance.” Further, Mandiant was required to issue a final report “outlining the results and recommendation for remediation.”
In July 2019, Capital One confirmed it had suffered a data breach incident. Accordingly, on July 20, 2019, Capital One retained the law firm Debevoise & Plimpton LLP to provide legal advice on the cyber incident. On July 24, 2019, Capital One and Debevoise signed a Letter Agreement concerning the cyber incident that required Mandiant to provide services and advice. On September 4, 2019, Mandiant issued its Report by sending it directly to Debevoise, and later, at Debevoise’s direction, the Report was sent to Capital One’s legal department. After the breach, the individuals involved in the breach sought discovery of the September 4, 2019 report.
Standard To Determine Whether Report Is Protected Work Product
Federal Rule of Civil Procedure 26 states that while a party may obtain discovery regarding any unprivileged matter relevant to any party’s claim or defense, a party may not discover documents “that are prepared in the anticipation of litigation by or for another party or its representative.” On this point, the District Court relied on RLI Ins. Co. v. Conseco, 477 F. Supp. 2d 741, 748 (E.D. Va. 2007), for the following test to determine if a document should be protected:
(1) “whether the document at issue was created ‘when the litigation is a real likelihood, and not when the litigation is merely a possibility;’” and
(2) “whether the document would have been created in essentially the same form in the absence of litigation.”
In its Objections to the Magistrate Judge’s finding that the Report was not protected, Capital One asserted that the second prong only applies in situations where the documents are created once litigation is considered a likelihood. “Capital One contends in substance that where, as here, the work product documents are created only after the prospect of litigation arises,…the ‘driving force’ test should not include the second prong of the RLI test and essentially ends in favor of protection upon determining, as the Magistrate Judge did in this case, that the Report was created in anticipation of litigation.” In sum, Capital One took the position that the Report was protected because Capital One was going to obtain the Report regardless of the data breach and the second prong should not be a consideration, and that, therefore, the question of whether the Report would have been the same in the face of litigation is irrelevant.
The District Court rejected Capital One’s argument and applied both prongs of the RLI test. First, the District Court upheld the Magistrate Judge’s finding that the first prong was met because “[t]here is no question that at the time Mandiant began its ‘incident response services’ in July 2019, there was a real potential that Capital One would be facing substantial claims following its announcement of the data breach.”
Further, the District Court upheld the second portion of the Magistrate Judge’s finding that “Capital One failed to establish that the Report would not have been prepared in substantially similar form but for the prospect of that litigation.” The District Court was not persuaded by Capital One’s argument that the Mandiant Report was substantially different than what the parties envisioned in the original Statement of Work because Debevoise (Capital One’s law firm) requested the Report contain certain information once litigation appeared to be possible.
Are Courts Discouraging Honest Reports By Requiring This Data To Be Produced?
Based on the District Court’s reasoning, a breach incident report will only be protected from discovery if it can be shown that the report would have been prepared “in substantially similar form but for the prospect of litigation.” This reasoning is consistent with the finding in In Re: Premera Blue Cross Customer Data Security Breach Litigation, 2019 WL 464963 (D. Ct. Or. Feb. 6, 2019), where a district court held similar information may be discoverable even if legal counsel relies on the information while formulating their advice since “[t]hese audits…are normal business functions performed on a regular basis, to enable Premera to assess the state of its technology and security.” The court in Premera also found the information related to the investigation of the cause of this breach or into the corporation’s “physical security” was discoverable since Premera needed to conduct the investigation as a business anyway. (We addressed the Premera decision in a prior blog post.)
It will be interesting to see if this reasoning takes hold across the country and if data collectors will be apprehensive about continuing to take steps that may generate information that can later be used against them. That is, even though this decision is consistent with similar cases, the District Court’s reasoning overlooks the fact that Capital One took steps to work with a vendor before a breach occurred. This conduct should be encouraged. However, this decision puts data collectors in a tough spot: they incur liability for not working on security with a third party, yet they can potentially incur liability if the third party they hire generates an honest report.