Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Federal Court: Cybersecurity Forensic Report Not Privileged Under Attorney Work Protect Doctrine

June 15, 2020

The National Law Review posted on June 12 that the United States District Court for the Eastern District of Virginia held that a cybersecurity investigation report was not protected by the attorney work product doctrine and ordered Capital One to produce it in a multidistrict litigation arising out of a 2019 data breach.

During March 2019, an unauthorized person gained access to personal information of Capital One customers. On July 29, 2019, Capital One issued a public announcement concerning the data breach. Many lawsuits were filed against Capital One. In this case, plaintiffs file a motion to compel production of a cyber-forensic report which detailed how a cybercriminal was able to breach Capital One's network.

Capital One argued that the report was protected by the attorney work product doctrine because it was requested by a law firm and prepared in anticipation of litigation following Capital One's March 2019 data breach. The Court disagreed based on the facts which showed that the law firm was engaged to work with Capitol One after the breach occurred. Had the law firm been properly retained prior to the breach and hired the cybersecurity firm to work at its direction rather than the company's, the attorney client privilege and attorney work product doctrine would have remained in place.

Hat tip to Dave Ries. Read the whole post to understand all the specifics, but it sure looks like Capital One screwed up, in multiple ways.

Citing the Fourth Circuit, the Court clarified that the fact there is litigation, does not, by itself, cloak materials with work product immunity. Rather, the material must be prepared "because of" the prospect of litigation. Materials prepared in the ordinary course of business or pursuant to regulatory requirements or other non-litigation purposes are not documents prepared in anticipation of litigation. The Capital One case emphasizes the need to have the law firm directing the breach incident response as well as the steps taken by the company ahead of the breach to ensure its network is secure and risks for breach are mitigated as much as possible.

As the post says, "it is critically important to have the attorney directing the process prior to a breach occurring in anticipation of litigation that will result after a breach occurs. Vulnerability scans, penetration tests, network monitoring and all of the reports and discussions taking place should involve and be directed by counsel without the taint of the information being shared with third parties not hired through counsel."

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson