What’s in Your Wallet? Five Tips to Protect Forensic Reports from Discovery Post-Capital One

In a recent case that has set the data breach defense bar abuzz, a federal magistrate judge in Virginia overseeing a class action against Capital One arising from a significant data breach has ordered Capital One to turn over to plaintiffs a post-breach investigation report prepared by an outside forensic firm. Capital One objected to producing the report under the work product doctrine, arguing that its outside counsel procured the report to help the company prepare for litigation.

The court, however, disagreed, finding that Capital One failed to show that the report would not have been prepared in essentially the same form regardless of the prospect of litigation.  As a result, plaintiffs’ counsel may receive a copy of the report, which will presumably supply a detailed recitation of the methods used by the attackers, the impacts, and the specific security shortcomings at Capital One that contributed to the breach.

What can you do to avoid the same result (besides not experiencing a breach)? This post provides five practical tips derived from our experience, Capital One, and decisions in similar cases.

1. Run the engagement—and payments to the forensic firm—through legal counsel

Conscientious companies often develop long-standing relationships with data security firms as part of their information security programs. These firms can help conduct proactive data breach tabletop exercises, vulnerability assessments, and assessments of compliance with laws or standards such as PCI DSS and HIPAA—activities that often are not directed by legal counsel.   

Once a company forms a relationship with a firm through this proactive non-legal work, that firm makes an attractive candidate for breach response: its contracts are already negotiated, and it knows the company, its systems, and its people.  

In Capital One, however, that standing relationship and the already-established engagement undercut the company’s work product arguments. The court found that Capital One’s pre-breach engagement of the forensic firm showed that the company retained the firm for business purposes rather than because of the prospect of litigation. That was so even though Capital One’s outside counsel took over as director of the investigation under a letter agreement between counsel and the forensic firm signed after the breach occurred.

To mitigate the risk of a similar outcome, companies considering how to engage with a forensic firm as part of their response to a breach should:

  • Avoid automatically defaulting to a security firm that already does work for the company. Although a security firm that already does work for a company may have valuable knowledge about the company and its systems, that firm’s previous work can create various risks besides potentially jeopardizing the ability to protect its post-breach work product. Potential risks include conflicts of interest (did this same firm fail to detect a vulnerability?), competing priorities (it is unpleasant to criticize a long-standing customer), and assumptions born of proximity, all of which can creep into the incumbent firm’s work.
  • Insist on a separate engagement. The breach investigation should be performed under a separate agreement to which counsel is a party. In Capital One, the company had already entered into a pre-breach MSA and SOW with the forensic firm. After the breach, the company’s outside counsel entered into a side agreement with the forensic firm under which outside counsel would direct the breach investigation. But the court found that side agreement did not suffice to invoke the work product doctrine because the agreement deferred to the existing MSA and SOW for its payment terms and recounted essentially the same scope of work.

Capital One did not test whether it would have made a difference had Capital One’s counsel pursued a separate SOW governed by the existing services agreement. However, that approach was considered in breach litigation involving Premera Blue Cross. Premera had an existing engagement with a security firm to review a claims system. When the assessor discovered malware, Premera engaged counsel and entered into a separate SOW with the assessor, recounting that counsel would direct the continued investigation. On review, the court concluded that the scope of work had not meaningfully changed, only the identity of the supervisor, and that was not sufficient to protect the work product from discovery.

  • Pay for the forensic firm’s services through legal counsel. In Capital One, the court also found significant the fact that the fees for the forensic investigation were charged against a retainer designated by Capital One as a “Business Critical” rather than a “Legal” expense. And after the retainer was exhausted, Capital One paid the forensic firm directly through its “Cyber organization” budget. Even though Capital One showed that it later reallocated the expense to its legal department’s budget, the earlier accounting left the court unpersuaded that the forensic report had been prepared “because of” the prospect of litigation.

Importantly, these steps do not preclude advance planning: clients and their counsel can establish relationships with forensic firms in advance, provided the agreements and engagement protocols adhere to the guidelines above.

2. Justify the engagement of the forensic firm with privilege and the work product doctrine in mind

As the Capital One court explained, “[t]he retention of outside counsel does not, by itself, turn a document into work product.” Companies should, from the outset, approach the engagement of a forensic firm with an eye toward protecting the firm’s work product under the attorney-client privilege and the work product doctrine.

A few tips on this point:

  • Retain outside counsel. Where protecting a forensic firm’s work product is a priority, retain outside counsel immediately to avoid creating the appearance that breach response was motivated by business rather than legal concerns. Waiting to retain counsel until the investigation reveals that notifications are required, lawsuits are filed, or things otherwise “get complicated” will impact the attachment of privilege and give the appearance that communications and work product produced in the interim were not motivated by a need to secure legal advice or prepare for litigation.
  • Do not start investigating until counsel provides direction. Advise your response team now that they should not embark on an investigation conducted by an outside party, even one under contract, until counsel have provided direction on privilege and the purposes and needs of the investigation. Communications and work product drafted before counsel are engaged will be at risk in discovery.
  • State the purpose of the investigation in the engagement documents. As noted above, counsel should retain the investigator rather than relying on an existing contract the client already has in place. That contract should explicitly recount that counsel is engaging the investigator and directing its work to provide legal advice requested by the client and in anticipation of litigation. If the only real distinction in the “new” engagement is that the security firm is directed by counsel, that modification may be insufficient to support an argument that an existing engagement is now subject to privilege. Here again, the Premera case is instructive. The court observed “there was only one investigation, performed by Mandiant, which began at Premera’s request. When the supervisory responsibility later shifted to outside counsel [under a new SOW], the scope of the work performed did not change. Thus, the change of supervision, by itself, is not sufficient to render all of the later communications and underlying documents privileged or immune from discovery as work product.” Recounting specifically why Mandiant’s work was necessary to counsel would have been advisable.
  • Follow a strict privilege protocol for communications and work product. It may go without saying, but all written materials should be marked appropriately as privileged, and counsel must be vigilant to ensure this protocol is followed. Consider documenting the protocol in your incident response plan to help response participants adhere to it.

3. Consider the need for separate investigations

If an investigation is required both to prepare for litigation and for other business reasons, it may be difficult to protect the results of that investigation from compelled disclosure. To that end, the Capital One court acknowledged that when the company’s breach investigation began, “there was a very real potential that Capital One would be facing substantial claims following its announcement of the data breach.” Even so, the court concluded that the resultant report would have been prepared “in substantially similar form” regardless of prospective litigation, based in part on multiple later uses of the forensic report for non-legal purposes. Those purposes included drafting securities disclosures and FAQs the company prepared in connection with its public announcement of the breach. The court reasoned that “the hiring of outside counsel does not excuse a company from conducting its duties and addressing the issues at hand,” suggesting Capital One had a duty to investigate and would have done so, and produced the same report, regardless of potential litigation.

That conclusion is debatable, as few laws explicitly obligate an organization to investigate a breach, much less produce a detailed written report of the cause. But when there is a clear mandate to investigate for business or contractual reasons other than potential litigation, the results of the investigation are unlikely to be protected under the work product doctrine. For example, a Maryland court recently ordered Marriott to publicly disclose a forensic report it procured to comply with PCI DSS following a massive breach discovered in 2018. That report was not protected from disclosure because it was procured to meet Marriott’s contractual obligations to payment card issuers. Analogous situations may arise if a company obligates its vendors to procure or disclose forensic reports post-breach via services agreements with corporate customers.

Companies in this position should consider bifurcating the investigation: one track to satisfy business or contractual requirements (whose results the company should assume will not be protected) and another to support counsel’s rendering of legal advice. The downside of that approach, of course, is a likely doubling of cost. But if the purpose of the first track is to determine the nature of the attack, or satisfy an obligation imposed by an adversarial third party, that investigation may have a different or more limited scope than an investigation directed in anticipation of litigation, which will need to uncover underlying vulnerabilities and identify affected individuals to determine the nature and scope of liability.

Target deployed that strategy following its epic 2013 data breach. There, Target split its breach investigation into two tracks: one whose purpose was to learn how the breach happened, to enable the company to respond, and to address the company’s obligations to credit card companies under the PCI operating rules. That separation enabled Target to argue successfully that the investigation directed by counsel was protected by the attorney-client privilege and the work product doctrine. The Premera court considered Target’s approach and distinguished it from Premera’s situation, implying that Premera might have strengthened its argument by completely bifurcating its investigation, producing a separate counsel-directed investigation meant to facilitate the company’s preparation for litigation.

4. “Need to know” does not justify full disclosure

In Capital One, the court found it significant that the forensic report was disclosed to a large number of recipients, including Capital One’s Board of Directors, fifty Capital One employees, four government regulators, and an accounting firm. Noting that Capital One provided no explanation of whether these disclosures were made for business or legal purposes, the court found the disclosures suggested the report was produced for purposes other than to prepare for litigation.

This outcome highlights another common pitfall of breach response: a wide array of individuals may expect to receive a copy of a forensic report as part of their business responsibilities, but rarely do they need the report itself to carry out those responsibilities. The purpose of the disclosure and the role of the recipient are critical in evaluating whether the work product is protected under the attorney-client privilege or the work product doctrine.

All of the following potential disclosures may be worth scrutinizing before you proceed:

  • Regulators. A variety of regulatory bodies may request copies of documents relevant to the investigation or ask questions about the nature and timeliness of the response that seem best answered by disclosing the report. These include state attorneys general, international data protection supervisory authorities, the FTC, DHHS OCR, federal financial regulators, and the SEC, each of whom may seek to determine whether the affected business’s response was appropriate and lawful. Companies and their counsel should seek to address these inquiries through separately-prepared written responses and impress upon these agencies the need to protect privilege while maintaining transparency. In our experience, regulators are reasonable regarding the need to protect privilege and are willing to accept restatements or summaries of investigative determinations.
  • Directors and Officers. A company’s board of directors may need to be apprised of the outcome of a forensic investigation, and those facts will not typically be subject to protection under the attorney-client privilege or the work product doctrine. But that does not mean that the Board needs a complete copy of the full investigation report. If the Board’s participation is not specifically tied to counsel’s preparations for litigation, a disclosure to it may damage a privilege or work product argument.  
  • Remediation teams. Inevitably, some individuals will need to be aware of the investigation’s findings so remediation can be pursued. If remediation also is the subject of legal advice, communications and work product related to it may also be subject to privilege (provided the steps recommended here are followed). That does not mean, however, that remediation teams need or should receive a complete copy of work product from the investigation. A restatement of findings often is adequate for their work, and appropriate to help protect the original report from discovery.
  • Shareholder accountability. Shareholders and investors are likely entitled to material information regarding a significant breach, but privileged material should not be shared to accomplish or engage in work preparatory to such disclosures. As with Boards of Directors, these updates can often be accomplished with restatements of factual information that was not likely to be privileged.

In short, regardless of a requestor’s rank or perceived entitlement, companies should not reflexively share full copies of work product outside the team responsible for the company’s legal response to a breach.

5. Review draft work product with an eye toward possible disclosure

Capital One reminds us that legal privileges are not iron-clad when it comes to forensic reports, even when counsel take steps to protect them. Companies and their counsel should take precautions when reviewing drafts of work product from investigators. Some practices we follow with that caution in mind:

  • Outside counsel should review drafts before they are supplied to the company. Counsel should require the assessor to supply drafts to outside counsel first to help ensure all privilege protocols were followed and that the scope and conclusions in the report appropriately address the company’s legal needs.
    • Remove inadvisable or irrelevant content. If the facts recounted or conclusions drawn are not relevant, they should not be included. For instance, a report should not highlight vulnerabilities that were detected but which did not contribute to the incident. Those findings can and should be communicated separately.
    • Assessors are not lawyers. It is not appropriate for forensic reports to include any legal advice or conclusions. Take a statement like “the data were not encrypted as required by HIPAA.”  The statement of fact (data were not encrypted) may be relevant and appropriate to include in a report.  But the conclusion about whether the company met HIPAA’s requirements could be incorrect and, in any case, should be left to the judgment of the attorneys who procure the report.

If your organization would like to engage in breach preparation, including putting structures in place to help support legal privilege during breach response, our team can help you consider these points and others that may help expedite your response while still maintaining appropriate protection for investigative work product.