In In re Capital One Consumer Data Sec. Breach Litig., No. 1:19md2915 (AJT/JFA), 2020 U.S. Dist. LEXIS 91736, at *5-9 (E.D. Va. May 26, 2020), Judge Anderson found that a consultant’s report prepared in connection with a data breach was not entitled to work product protection and must be turned over to the Plaintiffs. The facts were as follows:
On July 29, 2019, Capital One issued a public announcement concerning the data breach. (Cantwell Decl. ¶ 3). The following day the first of many lawsuits was filed against Capital One asserting claims based on the data breach. See Baird v. Capital One Fin. Servs. Corp., No. 1:19cv979 (LMB/JFA) (E.D. Va. filed July 30, 2019). Mandiant preformed the services that had been outlined in the Letter Agreement and prepared a report “detailing the technical factors that allowed the criminal hacker to penetrate Capital One’s security.” (Cantwell Decl. ¶ 19). The Mandiant Report was issued on September 4, 2019. (Docket no. 435 at 10). Mandiant was paid for its initial work under the Letter Agreement out of the retainer already provided to Mandiant under the January 7, 2019 SOW between Mandiant and Capital One. (Watts Decl. ¶ 3, Docket no. 435-3). After the [*6] retainer amount was exhausted, Mandiant’s additional fees were paid directly by Capital One through the budget for the Cyber organization. (Id ¶4). In December 2019 the expenses associated with the work Mandiant performed relating to the data breach were re-designated as legal expenses and deducted against Capital One’s legal department’s budget. (Id. at ¶ 5). In addition to Mandiant, an internal investigation into the data breach was instituted involving a manager from Capital One’s cyber incident management team and the Chief Information Security Officer that was separate from, and proceeded parallel to, Mandiant’s investigation. (Blevins Decl. ¶ 16). Capital One has identified certain internal and external investigations that were undertaken in response to the data breach incident in its answer to plaintiffs’ interrogatory number 11 (Docket no. 416-13 at 22-23) indicating that it does not “categorically claim work product protection or privilege over all of these company-led investigations” and “will produce documents relating to certain of them” (Docket no. 435 at 16). The brief summary of the work conducted and description of the results of the internal investigations set forth in the response to interrogatory number 11 is not sufficient for the court to determine the full nature and extent of those investigations and how the results were used within Capital One. Furthermore, Capital One has provided no detail concerning which of these internal investigations it will be producing documents for and the extent of its document production concerning those internal investigations. The Mandiant Report was initially sent to Debovoise, which in turn provided the report to “Capital One’s legal department.” (Cantwell Decl. ¶ 20). Debovoise also provided the Mandiant Report to Capital One’s Board of Directors. (Id. at ¶ 22). Exhibit 2 to Capital One’s opposition states that it contains “a list of those to whom the Mandiant report was disclosed.” (Docket no. 435-5). This list includes approximately fifty Capital One employees, four regulators (Federal Deposit Insurance Corporation, Federal Reserve Board, Consumer Financial Protection Bureau, and Office of the Comptroller of the Currency), and an accounting firm (Ernest & Young). (Id.). There is no explanation provided as to why each recipient was provided with a copy of the Mandiant Report and whether the disclosure was related to a business purpose or for the purposes of litigation. Even for those within the legal department, it is unclear if they were provided with the Mandiant Report in relation to duties involving the litigation or for regulatory or other business reasons. While the Cantwell declaration states the Mandiant Report was distributed to Capital One’s Board of Directors, the list provided by Capital One’s counsel does not appear to include those individuals. While there is an item named “corporate governance office general email box” on the list, there is no indication who has access to that “general email box.” Capital One’s opposition also fails to address what, if any, restrictions were placed on those persons and entities who received a copy of the Mandiant Report on discussing, copying, or providing the Mandiant Report, or any portion of it, to others. As described in the Cantwell declaration, during Mandiant’s investigation, it had communications with Ernst & Young, Capital One’s outside auditor, related to Mandiant’s confirmation of certain facts so that Ernst & Young was able to conclude that the data breach had no impact on Capital One’s internal controls over financial accounting. (Cantwell Decl. ¶¶ 13, 14, see also Docket no. 416-6). It also appears that individuals within Capital One anticipated using the Mandiant Report in making certain disclosures required under the Sarbanes Oxley Act (Docket no. 416-4) and that the Mandiant Report was provided to an employee “for 2nd line business need” (Docket no. 416-11).
Judge Anderson found that the consultants reports were not entitled to work-product protection.
Capital One had a long-standing relationship with Mandiant and had a pre-existing SOW with Mandiant to perform essentially the same services that were performed in preparing the subject report. The services to be provided in the January 7, 2019 SOW are the same services described in the Letter Agreement. Capital One’s senior manager of the cyber security operations center and the person responsible for managing Capital One’s relationship with Mandiant acknowledged that as a financial institution that stores sensitive financial and other sensitive information, it is critical that it be positioned to immediately respond to any potential compromise of the security of its systems. (Blevins Dec1. ¶5). The retainer paid to Mandiant was considered a business-critical expense and not a legal expense at the time it was paid. While the fact that the Mandiant Report was provided to four different regulators and to Capital One’s accountant may not necessarily constitute a waiver, it does show that the results of an independent investigation into the cause and the extent of the data breach was significant for regulatory and business reasons. This independent investigation was also used internally for Sarbanes Oxley disclosures and was referenced in a draft FAQs prepared by a senior vice president for finance prior to the public announcement of the data breach. (Docket no. 436-12). The only significant evidence that Capital One has presented concerning the work Mandiant performed is that the work was at the direction of outside counsel and that the final report was initially delivered to outside counsel. Capital One’s outside counsel states that Mandiant issued a written report detailing the technical factors that allowed the criminal hacker to penetrate Capital One’s security. There is no statement by Capital One, or evidence upon which one could find, that Capital One would not have called upon Mandiant to perform the services described in the SOW that existed prior to the data breach and prepare a written report as provided in the SOW that would have detailed the results of its investigation, including detailing the technical factors that allowed the criminal hacker to penetrate Capital One’s security. Capital One has cited several cases in support of its argument that the Mandiant Report is protected work product including In re Experian Data Breach Litig., 2017 WL 4325583 (C.D. Cal. May 18, 2017); In re Arby’s Rest. Grp., Inc. Data Sec. Litig., No. 1:17mi55555-WMR (N.D. Ga. March 25, 2019) Doc. No. 453; In re Target Corp. Customer Data Sec. Breach Litig., 2015 WL 6777384 (D. Minn. Oct. 23, 2015); and Genesco, Inc. v. Visa, Inc., No. 3:13-cv-00202 (M.D. Tenn. Mar. 25, 2015), Doc. No. 969, at 2. In Experian, the court applied the same test as applied by Judge Payne in RLI and followed in this decision — that is, considering the totality of the circumstances can it fairly be said that the document was created because of anticipated litigation and would not have been created in substantially similar form but for the prospect of that litigation. Experian, 2017 WL 4325583 at *1. In finding that the report was protected as work product, the court noted that Experian immediately retained outside counsel and that outside counsel hired Mandiant to prepare a report. The court emphasized the timing of the retention of Mandiant by outside counsel and the fact the full report was not given to Experian’s incident response team. The court stated that if the report “was more relevant to Experian’s internal investigation or remediation effort, as opposed to being relevant to defense of the litigation, then the full report would have been given to that team.” Id. at *3. The court then concluded that the report would not have been prepared in substantially the same form or with the same content. Id. One significant difference between the facts in Experian and the facts in this case is that Capital One had an existing SOW and MSA with Mandiant at the time of the data breach that was effectively transferred to outside counsel. As set out in the SOW and Letter Agreement, the work to be performed by Mandiant was the same, the terms were the same, but the work was to be performed at the direction of outside counsel and the final report delivered to outside counsel. The retention of outside counsel does not, by itself, turn a document into work product. While it is true that in Experian the report was not given to Experian’s response team, it appears that at least several members of Capital One’s cyber technical, enterprise services, information security and cyber teams were provided with a copy of the Mandiant Report, and that it was used by Capital One for various business and regulatory purposes. As each case must be determined on its own facts and circumstances, the court cannot come to the same conclusion as the court in Experian that the work performed by Mandiant would not have been done in substantially the same form or with the same content. The order in Arby’s does not address in detail the facts underlying the ruling or the legal analysis for the conclusion that Arby’s hired Mandiant to produce a report in anticipation of litigation and for other legal reasons and it is protected as work product and a privileged attorney-client communication. Arby’s, No. 1:17mi55555-WMR (Docket no. 445-3). Accordingly, the court can divine no guidance from this decision. In Target, the court also issued a brief order announcing its decision in which it provided very little factual background and no legal analysis on the work product issue. Target, 2015 WL 6777384. In essence this order merely announces a ruling on several challenged documents following an in camera review by the court and provides no assistance in resolving this case. As in Arby’s and Target, the order entered in Genesco referring to reasons stated in open court for its rulings provides no substantive guidance on the issues involved in this case. Genesco, No. 3:13-cv-00202 (Docket no. 445-2). Plaintiffs have provided the court with two data breach cases that the court finds persuasive, one from the District of Oregon and one from this court. The decision in Premera, contains a discussion of the work product doctrine and how one should consider the application of that doctrine when materials are prepared for “dual purposes.” In re Premera Blue Cross Customer Data Sec. Litig., 296 F. Supp. 3d 1230 (D. Or. 2017). The Premera court indicated that courts must view the totality of the circumstances and determine whether the document would have been created in substantially similar form but for the prospect of litigation. In discussing the Mandiant Remediation Report, the court noted that Mandiant was performing work for Premera and discovered the existence of malware in Premera’s system. Premera then hired outside counsel and entered into an amended statement of work that shifted supervision of Mandiant’s work to outside counsel. The amended statement of work did not otherwise change the scope of Mandiant’s work from what was described in the master services agreement. The court distinguished the decision in Target on the basis that there was an independent data breach investigation performed by the company “that was produced in discovery” and that the attorneys performed a separate investigation through a retained expert company. The decision in Experian was distinguished because outside counsel hired Mandiant and in Premera, Mandiant had already been hired and was performing services for Premera before outside counsel became involved. The court also recognized that Premera had the burden of showing Mandiant changed the nature of its investigation at the instruction of outside counsel and that Mandiant’s scope of work and purpose became different when outside counsel became involved. . . .Capital One’s attempts to distinguish the Dominion Dental decision are unpersuasive. First, Capital One has not shown that the nature of the work Mandiant had agreed to perform changed when outside counsel was retained. As discussed in detail above, and as was the case in Dominion Dental, the statement of works and master services agreements provided for virtually identical services to be performed before and after the data breaches were discovered. The fact that Dominion Dental waited two months to make a public announcement after it learned of the intrusion, at which time Mandiant had concluded its report, does not alter the legal analysis. Just as Capital One has argued here, that there “is no question that the Cyber Incident was the type of event that Capital One knew would lead to litigation” (Docket no. 435 at 12), there can be no question that Dominion Dental knew there was a prospect of litigation once the data breach had been discovered. Finally, Capital One argues that “there was no evidence” in Dominion Dental that the fruits of Mandiant’s work were used for legal purposes. However, the record in Dominion Denial [*22] included an affidavit that the Mandiant report would not have been prepared in substantially similar form without the threat of litigation and that the statement of work was modified to provide that the work was to be performed under the direction of counsel and if requested by counsel.