When companies get into trouble and need to investigate and prepare a report on it to the government, they typically want to limit the report’s exposure. One way to limit disclosing company information in these situations is to hire an outside law firm to direct the investigation and have the results reported to the outside law firm. The theory is to make the study protected from disclosure as attorney work-product. A recent federal court decision shows how this approach, although a good start, may not be enough to make the company information privileged.  

When Capital One suffered a data breach in 2019, it was already prepared to investigate and fix any breach it encountered. Years before, Capital One had retained Mandiant under a Master Services Agreement (MSA) for a broad range of cyber incident response services on a retainer basis; individual tasks would be performed as needed via purchase orders.

So when the 2019 Capital One breach occurred, Mandiant was available to investigate and do a report on the breach.  Capital One and its outside law firm signed a “Letter Agreement” with Mandiant for such a report. Mandiant’s services under this three-party agreement were the same as under its MSA with Capital One but with two differences: this breach investigation would be directed by outside counsel and not by Capital One’s legal counsel; in addition, Mandiant’s report would be delivered to outside counsel instead of to Capital One.  

The Mandiant report, however, was important to Capital One not only for legal reasons like defending the breach litigation. The report was also important for business reasons. Capital One anticipated using the Mandiant report in making certain disclosures required under the Sarbanes-Oxley Act. Outside counsel, therefore, provided the report to the Capital One legal team and to some Capital One employees as well as the Capital One Board of Directors.

During the ensuing litigation brought by plaintiffs impacted by the breach, Capital One refused to provide them with the Mandiant report, arguing that the report was protected work-product because the report was prepared in anticipation of litigation or for trial.    

The court, however, disagreed, concluding that the Mandiant report was not work-product. 

The court began by pointing out that Capital One faced a difficult hurdle to begin with: “courts generally disfavor assertions of evidentiary privileges because they shield evidence from the truth-seeking process; as such, they are to be narrowly and strictly construed.”   

More importantly, the attorney work-product privilege applies to material prepared “because of” the prospect of litigation. In contrast, materials “prepared in the ordinary course of business or pursuant to regulatory requirements or for other non-litigation purposes are not documents prepared in anticipation of litigation.”

Companies of course often prepare documents like the Mandiant report for more than one reason: for use in the litigation but also for business and regulatory reasons, like compliance with the Sarbanes-Oxley Act. In these dual-purpose situations, the “because of” test becomes a “but for” test: the privilege protects documents that “would not have been prepared in substantially similar form but for the prospect of that litigation.”

Here, Capital One needed the Mandiant report for business reasons. The report would have been done even if Capital One had not been sued for breach. Therefore, the work-product privilege did not apply to the Mandiant report.

Moreover, “the fact that the investigation was done at the direction of outside counsel and the results were initially provided to outside counsel, does not satisfy the ‘but for’ formulation.”   

In Re: Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA)(E.D. Va. signed May 26, 2020) 2020 WL 2731238. 

Terry O’Connor is a Partner and Director of Government Contracts at Berenzweig Leonard. He can be reached at [email protected].com.