BlogLine

Cybersecurity Forensic Reports and the Work Product Doctrine

6/3/20

By: Michael Kouskoutis

When responding to a data security incident, it is typical for a company’s attorneys to retain a computer forensics firm on behalf of the company to help investigate what occurred. Because the forensic firm’s work is performed at the direction and under the supervision of the company’s attorneys, the company then asserts that the forensic firm’s work product, including any written report of findings, is protected from disclosure by the attorney-client privilege and work product doctrine. Case law in various jurisdictions has upheld this view when it is clear that the work performed was done under circumstances and in a manner that allows for this protection. But a recent case from a federal court in Virginia was decided the other way and serves as an important reminder to companies and their attorneys about the limits on this protection.

In a class action lawsuit following a data breach, Capital One refused to produce a report prepared by a computer forensics company retained to investigate the incident, on the basis that the report was protected from disclosure by the work product doctrine.  But Magistrate Judge John Anderson of the U.S. District for the Eastern District of Virginia recently ruled that Capital One had to produce the report to the attorneys suing it on behalf of customers impacted by the data breach because Capital One failed to meet its burden in establishing that the report was entitled to work product protection, despite that the investigation was performed at the direction of outside counsel.

In reaching this decision, the court emphasized that Capital One had signed a master services agreement with the forensics company, predating the subject incident by several years.  Also, while the companies did sign a separate agreement to investigate the subject incident, the agreement provided for essentially the same services as a pre-existing statement of work signed several months before the incident.  Moreover, the report was distributed to several governmental regulators and shared with about 50 Capital One employees, indicating that the investigation was important for business and regulatory reasons, rather than merely for purposes of litigation. 

The court was also persuaded by another case cited by the Plaintiffs in which, while performing cybersecurity incident response and remediation services, a forensics company discovered malware in their client’s system.  The forensics company amended its statement of work to shift supervision of the investigation to outside counsel, but did not otherwise change the agreement or deviate from services described in the MSA, and the resulting forensic report was therefore discoverable in litigation. Judge Anderson applied this same reasoning to the Capital One case and similarly required production of the forensics report.

Thus, a key takeaway from the Capital One case is that, while MSAs are certainly useful in expediting response to cybersecurity incidents, businesses should be careful that statements of work for subsequent services do not rely entirely on terms found in the MSA. Instead, it is better for the business’s attorneys to engage the forensics firm under an entirely separate MSA and SOW pertaining solely to its response and investigation of the incident at hand.  In addition, the business’s attorneys should be included on all communications with the forensics firm during its investigation, and distribution of any report by the forensics firm should be strictly limited to the attorneys and key management within the business who require access to the information in order work with their counsel on the business’s response to the incident.

If you have questions or would like more information, please contact Michael Kouskoutis at mkouskoutis@fmglaw.com.