Maintaining Your Data Breach Investigation Report as Privileged

Michael Simon

A critical component of any major data breach or incident response is retaining an expert consultant to investigate, remediate and recommend changes to prevent reoccurrence of the breach or incident. Companies and their outside counsel rely on these  experts to report on when the intrusion occurred, how it happened, what safeguards were in place, whether personally identifiable information (PII) was actually accessed, and whether/how the problem was remediated.  The expert’s report can also provide details about why the breach occurred, how it could have been prevented, and whether the safeguards in place were consistent with required industry standards.

So, of course, that report is exactly what you don’t want to become Plaintiffs’ Exhibit A in any litigation surrounding the data breach.  And it is for exactly this reason that lawyers designate  expert reports as attorney-client privileged and protected work product. However, simply stamping and tagging the report as protected is not enough. Counsel and their clients need to work carefully and consistently with the experts, and their reports, to ensure that the protections remain intact. 

When lawyers and clients don’t take the proper precautions the results can be disastrous, with the data breach report becoming Plaintiffs’ Exhibit A.  This is what happened in the recent decision in In re Capital One Consumer Data Breach Litigation, Case No. 1:19-md-2915 (May 26, 2020), where the judge denied the work product protection for the report and required it to be produced.  

But despite some of the panic over this surprising ruling, it turns out that there are still some simple, basic things that you can do to better protect these reports, and yourself.

Courts tend to protect expert reports

In re Experian Data Breach Litigation, 15-01592 (C.D. Cal. May 18, 2017), plaintiffs sought access to Mandiant’s expert data breach investigation report because, they claimed, it was prepared in the ordinary course of business, not in anticipation of litigation.  Plaintiffs cited the fact Mandiant had previously worked for Experian on other matters and in a non-litigation related capacity.  The court denied plaintiffs’ motion to compel, finding that Mandiant’s previous work for Experian was separate from the work it did regarding the subject breach and thus protected by the work product doctrine.

The ruling in Experian seemed to be in line with prior rulings by other courts protecting data breach investigation reports, such as In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14–2522 (D. Minn. Oct. 23, 2015).  The court in Target denied plaintiffs’ attempt to compel the data breach report because the defendant had hired two separate teams, one to manage the litigation-related work and one to respond to outside demands, kept those teams scrupulously separated, and clearly connected the litigation experts’ work to their attorneys’ legal advice. 

And now, the lessons we can learn from Capital One

After the Experian ruling, some felt so confident that expert data breach investigation reports would be protected as to announce that “A trend is emerging” in this area.  Then came the surprising ruling in Capital One, involving the same consulting firm from Experian, Mandiant.  Now, suddenly, law firms and legal departments find themselves adjusting to what they fear is a new, more difficult reality where reports become fair game. 

The Capital One case arose out of a data breach in March 2019, with several resulting class actions consolidated into a multi-district litigation proceeding.  Capital One had retained Mandiant in 2015 to provide incident response services.  After Capital One hired outside counsel to handle the data breach litigation, that counsel executed a new agreement with Mandiant to retain them directly in connection with the litigation.  Plaintiffs filed a motion to compel the production of the report, which the court granted, finding that the report was not protected by the work product doctrine.

Federal Rule of Evidence 502 defines work-product protection as “the protection that applicable law provides for tangible material (or its intangible equivalent) prepared in anticipation of litigation or for trial.” Fed. R. Evid. 502(g)(2).  The court distinguished the work done by Mandiant in the Experian case and instead found that the report was not prepared “in anticipation of litigation” for the following reasons:

  •  Work characterized as business-related: The agreement with outside counsel did not change the terms of the 2015 agreement;
  • Used for operational purposes: The report was used by Capital One for various internal operational purposes wholly unrelated to the litigation;
  • Not managed by Legal: The expert relationship was initially managed by the manager of the cyber security center and only later transferred during the litigation to outside counsel;
  • Not paid by Legal: The expert fees were allocated initially as “Business Critical” and only later re-designated to the legal budget;
  • Broadly distributed internally: The report was sent to over fifty Capital One employees, many of whom had nothing to do with the litigation; and
  • Distributed externally: The report was also sent to the Board of Directors, four different regulators, and the company’s accountants.

Based on the totality of the circumstances, the court concluded that the report would have been prepared in a substantially similar form regardless of whether there was any anticipation of litigation.

How to do this the right way

First of all, the Capital One case is not a reason to avoid retaining an expert firm before any breach occurs.  If you or your clients are the kinds of companies that are frequently hit by cyber attacks (and these days, who isn’t?), then you will need to have a relationship in place with an expert response firm before an incident occurs.  Many privacy laws set strict and short limits on how long you have to respond to a breach and you can’t afford to waste that time trying to find, vet, retain, and then start working with new experts.

When you do hire an expert consulting firm, XPAN Law Group can help you find and hire a data breach response expert firm the right way.  Here are our top 10 recommendations for protecting expert reports:

  1. Do the due diligence on your experts: Carefully review prior work of the proposed expert for the company along with any contracts – if there are any doubts, hire a different expert;
  2. Do not re-use contracts: Do not re-use any prior agreements between the expert and the client, instead draft a new agreement that clearly enumerates how the work is intended to help provide legal advice as to the specific incident;
  3. Define the scope of work as legal-related and in anticipation of litigation: Have the law firm hire the investigator, not the client with the contract clearly enumerating how the work is to be limited to assisting outside counsel to provide legal advice and to prepare for litigation;
  4. Segregate any operational needs: If there are business analysis needs for the report, then prepare a separate report, or, better still, hire a separate expert for that work to keep the litigation report absolutely limited only to litigation-related work;
  5. Legal manages the expert: Do not allow operational or business line units to manage, at best everything should go through outside counsel, but if it is absolutely necessary to keep it in-house, have it go through the Legal department;
  6. Legal pays the expert: All expenses for the expert need to be designated as Legal expenses and paid through them;
  7. Limit internal distribution of the report to a “need to know” basis: Only those internal personnel who need the report to complete the legal analysis and work on the litigation should receive a copy – nobody else;
  8. No external distribution: Do not send the report to third parties, period – if you need a report for outsiders, whether regulators or the media or the like, hire a separate expert to do that work and treat it as if it will never be confidential – because it won’t;
  9. Incorporate the report into outside counsel’s legal work: Demonstrate that the expert’s work was intended to assist outside counsel in providing legal advice to the client by incorporating the findings as an exhibit to the law firm’s investigative report; and
  10.  Stick to the facts: Do not allow the expert to speculate, present judgments – whether on legal or industry standards – just describe the facts and only the facts because even if you do follow all of these rules there is always a chance that the report could end up being produced.

In the end, Capital One appears to be something of an outlier, perhaps an example of what can go wrong when things aren’t handled carefully enough.  Taking things one step at a time, more carefully, should bring better results, and protect expert reports better, in the future.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.