While it may be easy to assume a report made in response to a cyber incident would be insulated from discovery in litigation, a recent case serves as a timely reminder that attorneys should exercise caution when anticipating the need to shield the investigative work of forensics and cyber professionals. In a recent order, a Virginia District Court ordered that the report of a cybersecurity expert, created in response to a data breach incident, is not protected by the work product doctrine.
Companies faced with regulatory as well as technical security concerns often rely upon the services of third parties to manage and determine the extent of an attack. In In Re: Capital One Customer Data Security Breach Litigation, a cybersecurity vendor (“the vendor”) and Capital One had an existing agreement in place to address such a scenario. The vendor was placed on retainer and agreed to a statement of work under a Master Service Agreement (“MSA) with Capital One in 2015; the vendor later responded to and reported on a data breach at Capital One in 2019. Although the vendor subsequently signed a letter of engagement with Capital One’s then outside counsel in July 2019 and all fees that had been paid to the vendor were later designated as legal expenses in December 2019, the vendor’s work began pursuant to the MSA agreement, which also paid for the vendor’s initial retainer and fees.
Following the 2019 data breach, several consumers filed suit against Capital One. The consumer class filed a motion to compel, seeking to discover the contents of the vendor’s incident response report. Capital One argued that the report was covered under the work product doctrine. Under the Federal Rules of Civil Procedure, the work product doctrine affords a zone of privacy within which to prepare the client's case and plan strategy. Fed. R. Evid. 502 Generally speaking, the tangible documents and other creations of a party’s attorney or other agents will be afforded immunity from production. However, this immunity can be overcome in certain situations, and courts may order the production of some materials protected by the work product doctrine under certain circumstances. See: Hickman v. Taylor, 329 U.S. 495.
Capital One was unable to establish that the work product doctrine applies and was ordered by the District Court of Virginia to produce the investigative report written by the vendor. The District Court, considering the appeal of the Magistrate Judge’s order in favor of the Plaintiff consumers, focused on how the vendor’s report was compiled in the normal course of Capital One’s business and not at the direction of Capital One’s outside counsel. That is, notwithstanding the impending lawsuit by the consumer class, Capital One would have had the vendor report prepared in the same form; more specifically, Capital One didn’t from the outset have counsel guiding, consulting, or strategizing with the vendor’s team performing the investigation and compiling the report. Accordingly, because the report was not created in anticipation of impending litigation, the report was not immune from production as work product and was therefore ruled discoverable.
Thus, when engaging the service of an expert – particularly for a cybersecurity incident or a digital forensic investigation – regardless of whether litigation is imminently impending or merely conceivable in the distant future, it is imperative to take steps to ensure that an expert’s reports, written findings, data collections, and the like can be established as immune from production.
In this case, the notable considerations of the District Court can be summarized as follows: (1) whether the attorney has directly hired the expert in anticipation of litigation or whether the client had a preexisting agreement with the expert in the normal course of business or to address an operational issue; (2) whether the attorney has had distinct oversight and strategic input into the scope of the expert’s work and the assembly of the expert’s findings or whether the client is managing the affiliation with the expert, which would be otherwise unaffected by the prospect of litigation; and (3) whether the report was limited to review by counsel and need-to-know players or whether the report was widely shared within an organization or with third parties. Stated more broadly, clients need to work closely with their attorneys to ensure that any written impressions of an outside consultant are leveraged to specifically minimize the client's liability and exposure, and are thus unequivocally protected by the established tenants of work product jurisprudence.
Although several other federal courts have weighed similar cases and arrived at diverging conclusions, in the wake of this case, we are reminded that certain questions persist about the viability of future work product arguments. For instance, even if an incident response retainer has been put in place for the purpose of mitigating future litigation, does a law firm now have to be involved in the incident response from the outset to ensure the immunity of the expert report? Do a new scope of work, direct correspondence with an attorney, and a bill only to the attorney’s office suffice to preserve work product in data breach cases? Do existing Master Service Agreements for vulnerability assessments, penetration tests, incident response, data exfiltration, and network security all need the oversight and input of an attorney to guarantee their immunity from production? What about eDiscovery hosting (storing data which may end up as part of litigation), forensic remediation (reviewing and removing data at the end of a project or employment), internal investigations, and others?
Of course, courts will always be focused on the specific circumstances of a given case; but because cybersecurity and digital forensic consultants can become deeply involved in discussions with an attorney about a case’s weaknesses, strengths, theory, and strategy, it may be important to maintain formalities that will ensure your expert’s work will be insulated from discovery. Just as lawyers may be unfamiliar with the technological nuance of digital forensic work, many consultants will be likewise uninformed about the legal obligations surrounding confidentiality, immunity, and privilege. At Capsicum, as a company born within a global legal department, we work diligently as a part of your litigation team to ensure that the rights, immunities, and privileges of your client are advocated for and zealously protected in the development of our materials and testimony, and we are always prepared for the adversarial scrutiny of our methods against others in the field.