Investigations and forensic reports relating to a cybersecurity breach may not always be protected by the attorney-client privilege or work product protection. Companies seeking such reports after a data breach must take caution to protect them from a possible waiver of privilege in the event of subsequent litigation relating to a data breach. The following recent cases highlight the potential waiver of privilege in light of the preparation of a forensic report.
- In re Capital One Consumer Data Security Breach Litigation, 2020 WL 3470261 (E.D. Va. June 25, 2020)
- After a data breach occurred, Capital One retained a law firm that later entered into an agreement with Mandiant for various cyber-related services (including incident remediation), which required that Mandiant provide deliverables to the firm, rather than to Capitol One. In re Capital One Consumer Data Security Breach Litigation, 2020 WL 2731238, at *1 (E.D. Va. June 25, 2020). Plaintiffs sought release of the report created by Mandiant (regarding the factors leading to the breach), arguing that it was prepared for business and regulatory purposes and therefore was not privileged, while Capital One argued that the report was privileged because it was prepared in anticipation of litigation. Ibid. The Court determined that Capital One did not carry its burden of establishing that the report was protected by the attorney work-product doctrine and ordered that Capital One produce the report. Id. at *7. In its reasoning, the Court stated that the fact that there is litigation does not, by itself, provide prepared materials with work-product protection. Ibid. The work-product protection applies when a party faces a claim following an event that may result in litigation, and the work product would not have been prepared in a substantially similar form but for the prospect of that litigation. Ibid.