Communications between lawyers and outside consultants or vendors working together on legal matters are generally confidential and protected by the attorney work product doctrine. The theory is that experts hired by lawyers are acting at the direction of counsel and doing work in anticipation of litigation. But communications between lawyers and consultants are only privileged if the primary purpose of the communications relates to legal services. If a consultant is engaged for both business and legal purposes, the communications may not be privileged. This presents a conundrum for legal teams engaging forensics experts and other consultants to assist with data security and cyber incident response.
As they should, many corporate security departments hire vendors to monitor computer systems and networks to ensure appropriate security measures are in place to prevent cyber attacks. But what happens when a cyber incident occurs and the company is sued? Are communications with vendors hired as a preventative measure before a data breach protected by the attorney work product doctrine? Maybe.
As we see below, according to one court, it depends on when they are hired and which corporate department is paying their bills. (If other courts follow suit, this case may have implications for other pre-litigation investigations such as those for regulatory compliance and HR investigations).
In the Capital One Consumer Data Security Breach Litigation, the court ordered Capital One to turn over a forensic report compiled by its data security vendor, Mandiant, because Capital One’s Cyber Security Operations team had hired Mandiant before the data breach occurred, not because the company was sued. Capital One engaged Mandiant in 2015 to ensure the company could effectively respond to cybersecurity incidents (among other reasons). According to the agreement, Mandiant provided “computer security incident response support; digital forensics, log, and malware analysis support; and incident remediation assistance.” Mandiant also agreed to provide a final report with results and recommendations for remediation in the event of a cyber incident. Capital One paid Mandiant as a “business critical” expense and not a legal expense.
In March 2019, Capital One suffered a data breach, several lawsuits followed, and the company hired data security attorneys to defend against them. Once retained, the law firm signed a new agreement with Mandiant to provide the same services provided under the existing contract with Capital One. Payment terms under the new agreement were also the same as those in the prior agreement. However, the new agreement between the law firm and Mandiant stated that all work would be done at the direction of counsel and all deliverables would be given to the attorneys.
After the data breach, Mandiant investigated and reported its findings. Although supervision of the investigation shifted to Capital One’s outside law firm, payments to Mandiant continued to be categorized as business expenses. Later they were re-designated as a legal expense, deducted from Capital One’s legal department budget.
Mandiant sent its forensic report to Capital One’s attorneys who then forwarded it to Capital One’s in-house legal team. Ultimately the report was sent to several of Capital One’s employees, its board members, outside auditors, and some regulators.
Not surprisingly, attorneys for the Capital One customers were also eager to get their hands on the Mandiant forensic report. Capital One refused to turn it over, considering it attorney work product. When the dispute ended up before the judge, he ordered disclosure of the forensic report.
The court noted that in federal court, attorney work product protection stems from Federal Rule of Evidence 502. This protects from disclosure material prepared in anticipation of litigation or trial. But the court also pointed out that just because litigation exists does not mean that every related document is protected by the attorney work product doctrine:
“material must be prepared because of the prospect of litigation. Materials prepared in the ordinary course of business or pursuant to regulatory requirements or for other non-litigation purposes are not documents prepared in anticipation of litigation.”
Work that would have been done and information that would have been compiled regardless of litigation is not protected by the attorney work product doctrine.
The court concluded that because Capital One and Mandiant had a long-standing relationship and Mandiant performed the same services regardless of the data breach litigation, Mandiant did not create the report solely “because of” the lawsuit. The court believed a similar report would likely have been prepared regardless of the litigation. While not finding a waiver of privilege per se, the judge found it significant that the report was provided to others outside of the Capital One legal team and that the bills were treated as a business rather than a legal expense.
A similar dispute over another Mandiant forensic report prepared in the Experian Data Breach Litigation was important to the Judge in the Capital One case. In that case, the court refused production of the report because outside counsel hired Mandiant after Experian was sued.
Attorneys for Experian customers sought disclosure of the report during discovery arguing that Experian had an independent business reason to investigate data breaches and prepare reports about them. Therefore, the attorneys argued Mandiant did not prepare the report in anticipation of litigation. The court disagreed and noted that despite any other purposes for which Mandiant created the report, it prepared the report for Experian’s attorneys “because of” the litigation.
To determine whether documents are created “because of” litigation courts “weigh factors such as the timing of retention of non-testifying expert in relation to the litigation at issue . . . .” Different from the Capital One case and weighing against disclosure of the Experian report was the fact that a full report was never given to Experian’s Incident Response Team. The court concluded that if the report was more important for business reasons, such as remediation of the data breach, than it was for use in the litigation, the full report would have been given to the Response Team.
Another case, In re Premera Blue Cross Data Breach Litigation, also involved a Mandiant report. The Premera court noted that when a document is created for a dual purpose, not just for purposes of litigation, the “because of” test applies. The court also pointed out that courts must view “the totality of the circumstances and determine whether the document was created because of anticipated litigation, and would not have been created in substantially similar form but for the prospect of litigation.”
The timeline in Premera was not much different from that in the Capital One data breach. Premera hired Mandiant to analyze network security. During that work, Mandiant found malware and alerted Premera. Once alerted about the malware, supervision of Mandiant’s work shifted to Premera’s outside counsel and a new contract was drawn up. However, the scope of Mandiant’s work did not change much.
The court, applying the “because of” test, concluded that Premera could not show that all of the documents relating to Mandiant’s work that it sought to withhold were created because of the litigation. Some might be protected, but others might not be, because Premera had hired Mandiant prior to the discovery of the data breach. It was up to Premera to prove to the court that the documents it wanted kept secret were created after the cyber incident or at the request of counsel.
So, what is the takeaway from all of these cases? If you want to keep cyber incident reports confidential, start by having outside counsel engage the cyber forensics team and make sure the consultant’s bills are paid as a legal and not a business expense. Any agreement with the cyber security response team must make clear that it is engaged at the direction of counsel and any work performed is being done in anticipation of litigation. Also, if the expert prepares a report, limit its distribution to the legal team and do not disclose it to third parties.
Finally, to the extent operations personnel must assist with the data breach response, if possible, keep that work separate from the legal related work.
We can help with Cyber Incident Response.