In the summer of 2019, Capital One discovered that a hacker had accessed private data of more than 100 million Capital One customers, including data that was part of their credit card applications, such as Social Security numbers, names, home addresses, phone numbers, email addresses, credit scores, and income details. Shortly thereafter, Capital One had its normal third-party cyber forensics firm conduct an incident response investigation and prepare a report (“Report”); such a report typically describes technical and procedural failures. Normally, this type of report is considered privileged and is not discoverable in litigation, including the class action against Capital One that arose from the 2019 data breach.
However, in May 2020, the US District Court for the Eastern District of Virginia ordered Capital One to turn over the Report to plaintiffs, given that the Report had already been distributed to over fifty non-legal individuals and the cyber forensics firm was performing services already contemplated in its pre-existing agreement with Capital One. The ruling highlights critical steps that companies should consider in the event of an incident, such as retaining a different cyber forensics firm than the one used for daily security issues, and having outside counsel retain the cyber forensics firm and limit the report to the litigation team. See In re: Capital One Customer Data Sec. Breach Litig., 2020 WL 2731238 (E.D. Va. May 26, 2020).