In any data incident the first question is – who do I call first? Well a recent court decision reminds companies that the first call should be legal counsel.
Data breaches are a risk to any company collecting personally identifiable information. When an incident occurs, companies should carefully consider the possibility that the incident may result in litigation, including a data breach class action brought by any impacted consumers, and therefore take appropriate steps to preserve privilege over any post-breach analysis and work product. A recent court decision serves as a warning for companies who want to utilize the privilege doctrine to shield their post breach work product from disclosure during post breach litigation.
In 2015, Capital One hired Mandiant to provide cybersecurity consulting services. The master service agreement executed between the parties was occasionally supplemented by various Statements of Work for Mandiant to provide additional specified services. In March 2019, Capital One experienced a data breach. Capital One immediately retained outside counsel to provide legal advice regarding the incident. Thereafter outside counsel, Mandiant, and Capital One executed a Letter Agreement pursuant to which Mandiant would provide incident response, forensic and remediation services in relation to the incident.
After conducting its analysis, Mandiant provided a forensic report regarding the incident to outside counsel. The forensic report was subsequently distributed to Capital One’s legal team, board of directors, various employees, regulators, and Capital One’s accounting firm. In post-breach litigation following the incident, Capital One asserted that the forensic report was privileged and protected by the work product doctrine.
The court held that despite the fact that the report was prepared at the direction of outside counsel, Capital One failed to satisfy its burden of proving that the report would not have been prepared but for anticipated litigation and thus fell outside the scope of protected attorney work product.
District Court Affirms
Not surprisingly, Capital One appealed the Court’s ruling, arguing that the magistrate judge misapplied the controlling law and improperly relied on Capital One’s business uses of the report. On June 25, 2020, the District Court affirmed the decision, ordering Capital One to produce the report. On appeal, the Court focused on “the driving force behind the preparation of the report” and whether it was compiled in anticipation of litigation. The Court found that Capital One failed to prove that there were any differences between Mandiant’s report and what would have been prepared in the ordinary course of business, absent anticipated litigation or legal counsel.
Lessons from the Decision
This conclusion brings into question best practices following a data security incident. At least according to this decision, companies should consider the following guidance points offered by the decision when preparing for potential data security incidents.
1. Legal vs. Business Advice
An important factor considered by the court in Capital One was whether the report in question was prepared in order to provide legal advice or business advice. In general, the attorney client privilege does not apply in situations where the attorney acts merely to provide business advice. (Aetna Cas. & Sur. Co. v. Sup. Ct., 153 Cal. App. 3d 467 (1984)).
In Capital One the court placed the burden on Capital One to prove that the forensic report was prepared for the purpose of anticipated litigation and concluded that they failed to provide sufficient evidence. The court found that hiring outside counsel alone was insufficient. Companies should therefore consider ways to memorialize the fact that a forensic report is being prepared for legal advice—and specifically disclaim that the report is not for business purposes.
2. Distinguish Post-Breach Relationships from Preexisting Relationships
Even though Capital One found that hiring outside counsel alone was insufficient to establish privilege, it is still an important factor in proving that a forensic company’s work is done in anticipation of litigation. Capital One distinguished its circumstances from a previous case, In re Experian Data Breach Litig., where the court held that a similar report was privileged in part because Experian hired outside counsel first, and that counsel retained the cybersecurity firm to prepare a forensic report.
In the event of a preexisting relationship with a cybersecurity firm, in light of the Capital One decision, companies should distinguish the post-breach services from those of a previous business relationship. The post-breach agreement should make it clear that the work is being done at the direction of outside counsel in anticipation of potential litigation. The post-breach work should be limited in scope and any non-litigation work should be outlined on a different agreement.
3. Legal Expense
The Capital One court put emphasis on the fact that Capital One designated Mandiant’s retained as a “business critical” expense and not a legal expense at the time it was paid. Companies should therefore always pay for a third-party forensic firm’s work out of its legal budget.
4. Limit Dissemination of Post-Breach Forensic Report
Another important distinction between Capital One and Experian was that in Experian the full report was not shared with the company’s incident response team. In contrast, in Capital One the post-breach report was widely disseminated to internal groups and third-party regulators. Companies should limit the distribution of post-breach reports and consider including confidentiality instructions to maintain privilege.
The cases are varied in their approach to the use of incident response tech law firms. But all decisions make clear that legal counsel should be engaged at the outset of a breach.
Companies confronted with a data breach should carefully consider the guidance offered in Capital One. Hiring experienced data breach counsel to help preserve applicable privileges and leverage their industry experience may prove extremely helpful during any post-breach litigation. Recent increases in data breach class actions brought under the California Consumer Protection Act (CCPA) highlight the importance of being prepared for post-breach litigation.
The team at Octillo has extensive experience in data security incident response and understanding of the steps necessary in order to preserve privilege. If your company believes it is experiencing a data breach, call our 24/7 breach response line at 844.502.9363. One of our tech breach coach lawyers would be happy to assist you.
*Attorney Advertising. Prior results do not guarantee future outcomes.