Why Capital One was forced to disclose its incident report in data breach lawsuit
This blog summarizes the webinar in which I discuss this legal decision and its insurance implications with experts Justin Daniels, Advisor on Cybersecurity and Data Protection and General Counsel at Baker Donelson, and Kelly Geary, National Practice Leader - Executive Risk & Cyber/Professional Services Claims & Coverage Leader, Epic Brokers. Watch the webinar.
In August, a top banking regulator, The Office of the Comptroller of the Currency, fined Capital One $80 million over a 2019 data breach that exposed the financial records of over 100 million customers and credit card applications. The regulator found that the bank failed to establish effective security measures and correct deficiencies in a timely manner. And this financial penalty is likely to be the tip of the iceberg after a judge in the resulting class action lawsuit ruled in favor of the plaintiffs on a critical issue.
In late May of this year, the judge presiding over a class action lawsuit brought against Capital One in response to its 2019 data breach ruled that the global financial holding company must turn over a copy of the incident report it commissioned to determine the cause of the breach.
While it may seem like a nondescript cog of the legal machine, this ruling shakes up a protection taken for granted by businesses that engage services such as incident response. In fact, in the past, we often have advised customers to work through general or inside counsel to protect communication between their cybersecurity service providers and that counsel by using well-understood legal mechanisms, including attorney-client privilege. However, in this case, the judge refused this privilege. That’s why this decision upends the notion of blanket sanctuary against disclosing the intimate details on how a cyber incident might have occurred. And for all companies, it now means simple mistakes made years prior to an offending cyber breach can cause major complications down the road.
This ruling is instructive about how companies and their forensic firms structure their engagements. Master service agreements (MSAs) and statements of work (SOWs) should be paid separately and not out of a retainer for existing services. And, this ruling could impact firms that request prepaid retainers to provide on-demand breach services, especially for customers for whom they already serve. Let’s pause for a moment and establish the key factors.
Capital One 2019 data breach
In late September 2019, Capital One publicly disclosed a massive cyber breach that affected over 100 million of their credit card customers and applicants. The breach was detected in July of that year and the stolen data included personally identifiable information (PII) including applicant names, addresses, phone numbers, email addresses, dates of birth, self-reported incomes and some “fragmented” information including credit scores, transaction data and in some cases, U.S. Social Security numbers.
The resulting investigation conducted by Capital One’s appointed cybersecurity firm, Mandiant, determined that an outside individual gained unauthorized access as a result of a misconfigured open-source Web Application Firewall (WAF) used to protect operations hosted in the cloud with Amazon Web Services (AWS). As part of the service, Mandiant produced an incident response report which outlined the key sequence of events and contributing factors that led to the breach.
The attorneys representing an amalgamated class action lawsuit of 60 similar filings requested access to the Mandiant report. They argued that the document would be critical in the discovery phase of the suit they brought against Capital One in response to the breach.
In May of this year, Judge John Anderson from the U.S. District Court for the Eastern District of Virginia ruled in favor of the plaintiffs in the action requiring Capital One to provide a copy of the report.
Understanding attorney-client privilege
Everyone is familiar with the notion of attorney-client privilege. It’s a jewel in the crown of almost all crime drama in mainstream culture. In legal parlance, attorney-client privilege protects the right of the client to refuse or prevent other parties to disclose confidential communications between themselves and their attorney. It’s a critical pillar in common law to encourage frank discourse between client and attorney, in order that their attorney can provide the most effective representation.
There is another critical legal object to understand: work product protection. Fed Rule 502(g)(2) defines work product protection as “protection for tangible materials in preparation for litigation or trial.”
Capital One’s position
Representatives for Capital One argued that the Mandiant report was protected work product and subsequently protected by attorney-client privilege because the data breach in question would likely precipitate legal action against the firm. Capital One also managed all communication through their legal representatives at Debevoise & Plimpton. Normally this position would hold. So why did the judge rule against Capital One?
The judge’s ruling
The simplified ruling is that the judge deemed that Capital One’s commission and use of the Mandiant incident response report was for business purposes and not in response to litigation. Read the full report here.
There are several factors that go into the judge’s ruling: at the time the work was commissioned, there were no known suits against Capital One in relation to the data breach. The judge ruled that Capital One could not provide “sufficient evidence” to show that the incident response services provided by Mandiant would have differed between litigation and non-litigation motivated activity.
The judge also deemed that the contact history, dating back to 2015, excluded the incident report from protection. The original SOW and MSA included the same data forensics work as was conducted in 2019 as part of the breach investigation. Moreover, Capital One designated the retainer paid to Mandiant in February 2019 as “business critical” and not a “legal” expense. It is conceivable that, internally, the CISO had to deem the work business critical to avoid budgetary constraints or meet other financial restrictions. In fact, a Wall Street Journal article outlined internal concerns with Capital One about high turnover in the security team, failure to deploy critical security software and other issues.
The final nail in the Capital One coffin was the wide distribution of the report across 50 employees, a general email distribution list, four regulators and its accounting firm, Ernst & Young. With this broad distribution to non-legal experts and organizations, it became hard to argue that the report was commissioned in defense of a lawsuit.
Learning from this ruling
While appearing pedantic, these factors contributed to the judge’s final ruling in favor of the plaintiff. From each factor, we can glean recommendations to ensure companies do not find themselves exposed similarly to Capital One.
Separate vendor contracts
Firms should require separate SOWs and MSAs that distinguish specific services as pre- and post-incident. Incident response services, including subsequent investigations, resulting reports and remediation recommendations should not be included in ongoing engagements. They must be specifically commissioned in response to a distinct event.
Distinct vendor payment
Payment for incident response services should be separate from any payments for ongoing or renewable services and should precipitate a new retainer. Your finance department should clearly identify specific work as “Legal” and not part of any other convenient reporting general accounting code.
Limit distribution
How widely an incident report is disseminated can undercut claims of attorney-client work products. Understand in-house counsel and limitation of attorney work product doctrine. In this case, the report should be closely controlled by legal counsel. In fact, during a recent webinar I hosted, Justin Daniels advised that the incident response report goes only to the legal counsel, and dissemination beyond is only verbal summary by counsel. This way, the communication is protected under attorney-client privilege and the original document is protected as a work product.
By extension, the findings of incident response reports as well as vulnerability assessments, penetration testing and risk assessment should go through and only to legal counsel. Justin also advised that this strategy works best with retained counsel rather than in-house counsel. In some cases, in-house counsel are viewed as wearing multiple hats and not all communications will fall under protection of attorney-client privilege in similar matters.
I’d recommend you speak with Justin directly on this matter. His observations are eye opening.
Lurking in the details
In the case of Capital One, the devil certainly resides in the details. The judge’s ruling in this case shakes the generalized assumption of protection under attorney-client privilege … and reinforces the fact that innocuous administrative tasks can lead to your undoing in a courtroom. Remember, it’s not just class action lawsuits. The same could happen during disrupted insurance claims or seeking relief from third-party vendors at the heart of a data breach. While most of us view the details of financial accounting as a nuisance, that also could be a snare. Ensure you don’t compromise your future during the pain of an annual budgeting cycle and don’t let your accounting folks make uninformed decisions about accounting buckets and codes. These simple mistakes can compound into extremely expensive risks down the road.
