Insights: AlertsRecent Court Decision Carries Lessons for Retaining and Using Cybersecurity Consultants to Investigate a BreachJuly 17, 2020 A recent federal district court decision underscores the importance of structuring breach investigations with the attorney work-product doctrine in mind. In In re Capital One Consumer Data Sec. Breach Litig., 2020 WL 3470261 (E.D. Va. June 25, 2020), the U.S. District Court for Eastern District of Virginia upheld the magistrate judge's recommendation that a breach report compiled by a cybersecurity firm was not protected work product, even though the firm had reported to Capital One's outside counsel during the investigation. Id. at *7. In Capital One, the bank hired the cybersecurity firm prior to any breach. The companies signed a master services agreement (“MSA”) and multiple statements of work (“SOW”), including a January 2019 SOW which included breach response and remediation services. Half-a-year later, Capital One uncovered a data breach and hired outside counsel shortly thereafter. Outside counsel and the cybersecurity firm executed a letter agreement, which included a scope-of-work description copied verbatim from the January 2019 SOW and required the cybersecurity firm to complete the work in accordance with the specifications and payment terms set forth in that earlier SOW and the underlying MSA. The letter specified, however, that the cybersecurity firm was working under the direction of counsel. The cybersecurity firm originally only sent the breach report to outside counsel, but eventually circulated it to Capital One's Board of Directors, outside auditor, employees, and financial regulators. The court ruled that Capital One could not show that the breach report's main purpose was for litigation purposes rather than for a business need: “it would be unreasonable to think, given identical contractual obligations under the pre- and post-data breach SOWs, that had [the cybersecurity firm] not provided to Capital One through [outside counsel] all the information required under the SOW concerning the breach, it would not have provided that same ‘business critical' information directly to Capital One in discharge of its obligations under the pre-data breach MSA and SOW.” Id. at 6. Capital One's broad sharing of the report underscored Capital One's “business needs” for the report. Id. The decision could reverse the positive trend of companies proactively engaging security consultants to manage future breaches. Indeed, some commentators have suggested retaining a different cybersecurity firm to do breach remediation, rather than continuing with the same firm used for general cybersecurity advice, in order to differentiate the unique, legal purpose behind the resulting report. However, such dramatic action may not always be necessary. Here are 4 specific takeaways for companies that are reasonably concerned about the decision and the prospect of disclosing a breach report to opposing counsel:
Kilpatrick Townsend & Stockton LLP has extensive experience structuring consultant relationships to align with best practices, deep technical knowledge enabling us to coordinate closely with cybersecurity experts at every step in breach prevention, detection, and remediation, and practical expertise in conducting complex internal investigations. When litigation is a real possibility, these skill sets are indispensable assets in protecting some of the most sensitive confidential information that a company collects in a time of crisis: the details of its cybersecurity posture before and after an incident occurs. Related People![]() Anthony D. Glosson
tglosson@ktslaw.com ![]() Clay C. Wheeler
cwheeler@ktslaw.com ![]() Jon Neiditz
jneiditz@ktslaw.com |



