Privacy Alert: Work Product Protection for Initial Data Breach Investigations Can Be More Limited Than You Think

Related Practices

Attorneys & Professionals

A recent decision out of the Eastern District of Virginia casts doubt on the scope of work product protection for data breach investigations.  On May 26, 2020, Magistrate Judge John F. Anderson, United States District Court for the Eastern District of Virginia, issued a lengthy decision analyzing the work product protection for data breach investigations, in the case of In re Capital One Consumer Data Sec. Breach Litig., No. 1:19MD2915 (AJT/JFA), 2020 WL 2731238 (E.D. Va. May 26, 2020). 

In the decision, the court rejected an argument of work product protection and granted a motion to compel production of an initial data breach investigation report prepared by a cybersecurity investigator, FireEye, Inc., d/b/a Mandiant (Mandiant), at the direction of the breached entity’s outside counsel.  The relevant facts include:

The plaintiffs moved to compel production of Mandiant’s report and the breached entity objected that the report was work product.  The court rejected this assertion, concluding that:

In support of its conclusion, the court pointed to:


Companies seeking to protect the confidentiality of their initial breach investigations should be careful to observe the formalities that the district court scrutinized in In re Capital One.  Companies should (1) pay attention to how the forensic investigator’s services are compensated by the business and characterized internally – either as a legal expense or as a business expense; (2) control the disclosure of the investigator’s report and its conclusions (i.e., clearly instruct recipients that it is legal work product that must be kept confidential); (3) not disseminate the report to an employee or even an in-house attorney unless that dissemination is consistent with the purposes of the attorney work product protection; (4) in any fight regarding attorney work product protection, be able to explain how the report would not have been prepared in substantially similar form but for the threat of litigation; and (5) consider modifying the Statement of Work to provide that the work was to be performed under the direction of counsel, and/or executing a new and separate SOW that clearly identifies the services to be provided as work product to be completed at the direction of counsel.

If you have questions about the scope of work product protection for your company’s breach investigation, please contact a member of the Vorys cybersecurity team:  Eric W. Richardson, Jacob D. Mahle, JB Lind or Brent D. Craft.