In an unprecedented ruling, one federal court recently held that the work product doctrine does not protect the expert cybersecurity report prepared after a data breach. The court ordered the release of the unredacted cybersecurity report, even though it was prepared in anticipation of litigation at the direction of outside counsel. While ordering the release of the report itself, the court denied (without prejudice) the class plaintiffs' request to also compel the disclosure of the "related materials," finding that these materials may still qualify for protection and that this issue was not yet adequately briefed.
This order stemmed from a highly contested motion in the MDL proceedings against
Several months after
As soon as
Until late 2019,
In discussing the legal standard, the court first emphasized that the litigation itself does not automatically protect the materials at issue. Rather, the materials must be prepared in anticipation of litigation. Litigation must be the "driving force behind the preparation of each requested document" to qualify for work-product protection. See Order at 6. This essentially meant that work done in the course of litigation could qualify, while work generally prepared where litigation might occur in the future did not qualify for protection. Importantly, there needed to be "an actual claim or a potential claim following an actual event or series of events that reasonably could result in litigation and the work product would not have been prepared in substantially similar form but for the prospect of that litigation." Id. at 6-7.
The court looked at the totality of the circumstances in deciding that there was no work product protection. First, the court emphasized that the mere fact that (1) a law firm was retained or (2) litigation was likely did not by itself satisfy the above "but for" requirement.
- The company had a longstanding relationship and pre-existing agreements with the vendor "to perform essentially the same services" that were performed for the report.
- There was no evidence that the report would not have been prepared but for this litigation. Capital One admitted that these services were essential to help it respond quickly to future incidents, which demonstrated that a report of this kind would have been prepared after an incident, no matter what.
- The vendor's work was the same, the services were almost identical, and the terms of its agreement were essentially the same both before and after the law firm's involvement.
- Although the supervision of the vendor was shifted to the law firm in 2019, the scope of the work did not change. The vendor was already retained and was already performing its services; it did not shift its investigation at the law firm's instruction; and the scope of work did not change when the law firm became involved.
- The vendor's retainer was paid as a "business expense" and not a legal expense at the time it was paid. Subsequent re-categorization did not change that fact.
- It was "significant" that the vendor had already received a large retainer and agreed to perform 285 hours of work before the incident was discovered.
- The report was provided to four different regulators and an accountant, which suggested it had regulatory and business reasons (rather than purely legal reasons).
- The report was also shared with Capital One's internal response team (including technical, IT, cyber, and enterprise services teams), which demonstrated that the report had various business and regulatory purposes.
The court noted that the "only significant evidence" in favor of the work product protection was that the work was ultimately done "at the direction of outside counsel and that the final report was initially delivered to outside counsel." See Order at 8. Having weighed all the evidence, and despite strong objections from the company and its outside counsel, the court ultimately ordered the disclosure of the report in its entirety.
Incident reports contain highly sensitive and confidential information, which can significantly harm the company in litigation if the contents of the report are disclosed. All possible measures must be taken to avoid the waiver of the work product protection. This decision is thus an important reminder that companies must follow careful steps when engaging cybersecurity consultants to address incidents and to prepare reports. While traditionally it was preferable to retain a vendor early on to help deal with future incidents, careful planning is now essential. Here are the steps we recommend to help companies maximize and strengthen their claim for work product protection of incident reports:
- Retain outside counsel immediately after an incident occurs.
- Do not retain an outside vendor directly. Instead, go through your outside counsel or your legal department.
- Outside counsel must be the one controlling the work and performance of the vendor.
- The work must be done at outside counsel's direction, and the vendor must send the report only to outside counsel.
- Either hire a new vendor to prepare the report or, if you must work with an existing vendor, carefully ensure that there is a vastly different agreement and scope of services specifically tailored to the report.
- Do not include the report in the scope of services before the incident.
- Clearly differentiate between the vendor's routine services and litigation-related services.
- Do not share the report with anyone, except for legal purposes.
- Share the report with as few people as necessary, and ensure that there are restrictions against copying and re-distributing it.
- If a report is also necessary for internal business, accounting, or regulatory purposes, have a separate report prepared and be ready for that report to potentially become public.
- The report and the related work must be a "legal expense" paid for out of the company's legal budget.
- The report ultimately prepared must have been prepared because there was an actual or potential threat of litigation, following an actual event, and must be of the type that would not have been prepared outside of litigation.
Mintz
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source