Federal Court Compels the Production of Cybersecurity Firm’s Incident Response Report in Capital One Customer Data Security Breach Litigation: Court Rejects Work Product Protection for Report

Sullivan & Cromwell LLP - June 26, 2020

On June 25, a district court in the Eastern District of Virginia upheld a magistrate court’s order compelling Capital One to disclose in civil discovery a report prepared by a third-party cybersecurity consultant in the aftermath of the data breach discovered by the bank in July 2019. The court rejected Capital One’s claim that, because its law firm formally engaged its incident response firm following the breach and the report was delivered to counsel, the report was entitled to work product protection. The ruling is the latest in a series of cases in which courts have examined attorney-client privilege or work product claims over investigative reports prepared by cybersecurity firms. In light of the opinion, there are several steps companies may consider taking in preparation for a possible cybersecurity breach that may put them in a better position to claim work product protection over any investigative report prepared in connection with a breach.