June 11, 2020Published Article

A Cybersecurity Briefing: Old Approaches Need Re-Consideration as Attorney-Client Privilege Fails a Challenge

A recent decision in the Capital One Consumer Data Security Breach Litigation highlights the importance of appropriately considering attorney-client privilege issues when utilizing a third party for cybersecurity forensic or assessment services. In this decision, the US District Court for the Eastern District of Virginia ordered Capital One to provide a forensic firm’s report to the plaintiff’s attorneys, rejecting Capital One’s argument that it was prepared at the direction of Capital One’s external legal counsel in anticipation of potential litigation and therefore privileged under the work product doctrine. The determinative issue for the court was whether the report would have been prepared in substantially similar form “but for the prospect of that litigation.” According to the court, Capital One failed to demonstrate that the forensic firm would not have performed substantially similar services in the absence of litigation. While not the addressed by the decision, Capital One was also not able to take advantage of the attorney-client privilege doctrine with respect to the receipt of legal advice from counsel, likely because the report was disclosed to several additional third parties, breaking that form of privilege. This decision highlights the importance of attorney-client privilege strategy with respect to budgeting for and the inclusion of cybersecurity forensic and assessment reports, not only in the context of litigation, but also during business-as-usual times. Involvement of outside counsel alone does not guarantee privilege protection; however, privilege can be achievable when a comprehensive strategy is implemented well in advance, before a breach occurs. Please reach out if you would like to discuss further.

back to top