Opinion
MDL No. 1:19md2915 (AJT/JFA)
06-25-2020
IN RE: CAPITAL ONE CONSUMER DATA SECURITY BREACH LITIGATION This Document Relates to CONSUMER Cases
MEMORANDUM OPINION AND ORDER
Defendants Capital One Financial Corporation, Capital One Bank (USA), N.A., and Capital One, N.A. (collectively, "Capital One") have filed Rule 72 Objections to Order Granting Plaintiffs' Motion to Compel Production of Mandiant Report [Doc. 556], together with an accompanying memorandum [Doc. 558] (sealed) ("Objections" or "Objs."). In its Objections, Capital One objects to the Memorandum Opinion and Order dated May 26, 2020 [Doc. 490] (the "Order") entered by Magistrate Judge John Anderson, granting Plaintiffs' Motion to Compel Production of the Mandiant Report [Doc. 412].
Upon plenary, de novo review of the Order, the Objections, the memoranda in support thereof and in opposition thereto, and for the reasons stated below, the Court concludes that the Order is neither clearly erroneous nor contrary to law, and the Objections are OVERRULED, the Order is AFFIRMED, and Capital One will be ordered to produce the Mandiant Report pursuant to the terms of the Protective Order entered in this action.
I. BACKGROUND
After a de novo review of the record, the Court adopts the factual findings set forth in the Order, summarized herein, and makes such additional findings as reflected in this Memorandum Opinion and Order:
On November 30, 2015, Capital One entered into a Master Services Agreement ("MSA") with FireEye, Inc., d/b/a Mandiant ("Mandiant"). Under that MSA, Capital One, and Mandiant entered into a series of Statements of Work ("SOWs"), including a Statement of Work dated January 7, 2019 (the "2019 SOW"). A key purpose of the MSA and SOWs was to ensure that, in the event of a cybersecurity incident, Capital One could respond quickly. To that end, the SOWs directed Mandiant to provide incident response services, which are broadly characterized as computer security incident response support; digital forensics, log, and malware analysis support; and incident remediation assistance. In addition, under the SOWs, Mandiant is to provide a final report covering these issues and should one be necessary, a written technical document outlining the results and recommendations for remediation. Capital One paid Mandiant for this work from a Capital One fund denominated "business critical" expenses. [Doc. 416-3] at 13.
In July 2019, Capital One confirmed that it had experienced a data breach, and on July 20, 2019, Capital One retained the law firm Debevoise & Plimpton LLP ("Debevoise") to provide legal advice in connection with that incident. On July 24, 2019, Capital One and Debevoise signed a Letter Agreement with Mandiant under which Mandiant would provide services and advice, "as directed by counsel," in the areas of (1) computer security incident response; (2) digital forensics, log, and malware analysis; and (3) incident remediation, reflecting the same scope of work Mandiant had already agreed to provide under the MSA and SOWs. The Letter Agreement also provided that Mandiant would be paid based on the payment terms set out in the 2019 SOW, and "[l]ikewise, unless inconsistent with the terms of this Letter, [Debevoise], [Capital One], and Mandiant will abide by the applicable terms set forth in [the 2019 SOW] and the [MSA]," dated November 30, 2015. On July 26, 2019, Capital One, Debevoise, and Mandiant executed an Addendum to the Letter Agreement that purported to expand the engagement to include "penetration testing of systems and endpoints." Unlike the MSA and prior SOWs, however, the Letter Agreement provided that all work completed by Mandiant was to be conducted at the direction of Debevoise (not Capital One) and that any deliverables were to be produced directly to Debevoise (not Capital One).
On September 4, 2019, Mandiant issued its report pursuant to the Letter Agreement and Addendum (the "Report"). Initially, the Report was sent directly to Debevoise and later, by Debevoise or at Debevoise's direction, to Capital One's legal department, its Board of Directors, its financial regulators, its outside auditor, and dozens of Capital One employees. Mandiant was paid for the services reflected in the Report from a retainer Mandiant had already received from Capital One under the 2019 SOW, and after that retainer had been exhausted, with funds paid directly by Capital One from its Cyber budget, which payments were later re-designated as legal expenses.
On June 9, 2020, Capital One, pursuant to Federal Rule of Civil Procedure 72, filed its Objections. The sole issue now before the Court is whether the Report is entitled to work product protection.
As agreed, on June 12, 2020, Plaintiffs submitted their response [Doc. 566] ("Opp."); and on June 16, 2020, Capital One, who has waived a hearing on the Objections [Doc. 555], submitted a reply [Doc. 577] ("Reply"). Accordingly, the Objections are ripe for review.
II. LEGAL STANDARD
A. Federal Rule of Civil Procedure 72(a)
Rule 72(a) permits a party to submit objections to a magistrate judge's ruling on non-dispositive matters such as discovery orders. Fed. R. Civ. P. 72(a); see also 28 U.S.C. § 636(b)(1)(A).
When presented with an objection under Rule 72, the district court is to review the objected-to order under the "clearly erroneous or contrary to law" standard. 28 U.S.C. § 636(b)(1)(A); see Malletier v. Haute Diggity Dog, LLC, 2007 U.S. Dist. LEXIS 14244, 2007 WL 676222, at *1 (E.D. Va. Feb. 28, 2007). The Fourth Circuit has held that the "clearly erroneous" standard is deferential and that findings of fact should be affirmed unless review of the entire record leaves the reviewing court with "the definite and firm conviction that a mistake has been committed." Harman v. Levin, 772 F.2d 1150, 1153 (4th Cir. 1985) (citing United States v. U.S. Gypsum Co., 333 U.S. 364, 395 (1948)). Meanwhile, a decision is considered "contrary to law" "when it fails to apply or misapplies relevant statues, case law, or rules of procedure." Attard Industries, Inc. v. U.S. Fire Ins. Co., 2010 U.S. Dist. LEXIS 80785, 2010 WL 3069799 at *1 (E.D. Va. Aug. 5, 2010) (citing DeFazio v. Wallis, 459 F. Supp. 2d 159, 163 (E.D.N.Y. 2006)). And in this respect, this Court has noted that for questions of law, "there is no practical difference between review under Rule 72(a)'s contrary to law standard and [a] de novo standard." Bruce v. Hartford, 21 F. Supp.3d 590, 594 (E.D. Va. 2014) (citing Robinson v. Quicken Loans Inc., 2013 U.S. Dist. LEXIS 56210, 2013 WL 1704839, at *3 (S.D. W.Va. Apr. 19, 2013)).
In its Objections, Capital One centrally claims that the Magistrate Judge erred as a matter of law with respect to its application of the applicable standard for determining work product protection. Objs. at 12 ("The Magistrate Judge misapplied the Fourth Circuit's 'because of' standard"). Although that application implicates underlying factual findings, none of those facts appear to be materially disputed; and Capital One's challenge is, in substance, based on an issue of law. The Court therefore reviews the Objections primarily under the "contrary to law" standard.
In support of its Objections, Capital One has produced two supplemental declarations, see Objs., Exs. A & B; and Plaintiffs challenge whether Capital One can present and the Court should consider new evidence at this point. The Court concludes that it is not precluded from receiving new evidence, see Harleysville Ins. Co. v. Holding Funeral Home, Inc., 2017 U.S. Dist. LEXIS 76486, at *6, 2017 WL 2210520 (W.D. Va. May 19, 2017) (citing United States v. Frans, 697 F.2d 188, 191 n.3 (7th Cir. 1983) (Rule 72(a) "do[es] not necessarily restrict district court review of a magistrate's findings" and the district court may "receiv[e] additional evidence or conduct[ ] a full review"), and has considered the two recently-submitted declarations. However, as Capital One admits, these declarations only "clarify" the arguments previously raised before the Magistrate Judge and do not introduce either new issues or new arguments not raised below. See Objs. at 3, n.2; see also Reply at 7 ("Regardless of whether the Court considers the additional evidence, it should still sustain" the Objections); id. at 9 ("[W]hile the facts detailed in the . . . declaration sharpen and clarify some of the issues raised in the [May 26 Order], none of the arguments Capital One makes in its Rule 72 Objections relies solely on this new material.").
B. Work Product Protection
Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense and is proportional to the needs of the case. Fed. R. Civ. P. 26(b)(1). However, a party may not ordinarily discover documents "that are prepared in anticipation of litigation by or for another party or its representative." Fed. R. Civ. P. 26(b)(3)(A).
In determining whether a document was created in anticipation of litigation, a court must decide if the document was prepared "because of the prospect of litigation when the preparer faces an actual claim or a potential claim following an actual event or series of events that reasonably could result in litigation." Nat'l Union Fire Ins. Co. of Pittsburgh, Pa. v. Murray Sheet Metal Co., 967 F.2d 980, 984 (4th Cir. 1992) (emphasis added). And where, as here, the relevant document may be used for both litigation and business purposes, the court must determine "the driving force behind the preparation of" the requested document. Id. at 984. In that connection, work product that would have otherwise been produced "in the ordinary course of business" does not receive work product immunity. Nat'l Union, 967 F.2d at 984 (citing Goosman v. A. Duie Pyle, Inc., 320 F.2d 45, 52 (4th Cir. 1963)).
In determining the "the driving force behind the preparation of" a particular document, courts have applied what has become known as the RLI test, based on the pronouncements in RLI Insurance Co. v. Conseco, Inc., 477 F. Supp. 2d 741, 748 (E.D. Va. 2007). Under the RLI test, a court focuses on (1) whether the document at issue was created "when [the] litigation is a real likelihood, [and not] . . . when that litigation is merely a possibility[,]" RLI, 477 F. Supp. 2d at 748 (citing Nat'l Union, 967 F.2d at 984); and (2) whether the document would have been created in essentially the same form in the absence of litigation, id. at 747 (citing United States v. Adlman, 134 F.3d 1194, 1195 (2d Cir. 1998) (citing Nat'l Union, 967 F.2d at 984)). Ultimately, the party "claiming the protection," here Capital One, "bears the burden of demonstrating the applicability of the work product doctrine." Solis v. Food Employers Labor Relations Ass'n, 644 F.3d 221, 232 (4th Cir. 2011).
III. ANALYSIS
In its Objections, Capital One argues that the Magistrate Judge erred as a matter of law because he: (1) applied the second prong of the RLI test (whether the document would have been created in essentially the same form absent litigation) as part of the Fourth Circuit's "driving force" test; (2) relied too heavily on the "pre-existing SOW with Mandiant" to conclude that Mandiant would have performed essentially the same services as "described in the Letter Agreement" with Debevoise; and (3) relied on subsequent regulatory and business uses of the Report in determining that the Report is not entitled work product protection. Id. at 7-8. None of these contentions is availing.
As an initial matter, the Court notes that Capital One had previously acknowledged that both prongs of the RLI test applied in determining whether work product protection exists for the Report. See [Doc. 435] at 10-11 ("To determine whether a document was prepared 'because of' the prospect of litigation, this Court must first ask whether Capital One 'face[d] an actual claim or a potential claim following an actual event or series of events that reasonably could result in litigation. . . [and] [t]he second prong of the Fourth Circuit's 'because of' inquiry asks whether the document 'would not have been prepared in substantially similar form but for the prospect of that litigation.'") (quoting E.I. Du Pont de Nemours & Co. v. Kolon Indus., Inc., No. 3:09-cv-58, 2010 WL 1489966, at *3 (E.D. Va. Apr. 13, 2010) (quoting RLI, 477 F. Supp. 2d at 748)). Its current position - that the second prong of the RLI test does not apply to the circumstances of this case - is fundamentally at odds with its previous position; and as a result, there is a substantial issue whether Plaintiff is barred from taking that position at this point under the invited error doctrine. See United States v. Ellis, 1999 U.S. App. LEXIS 2690, at *16, 1999 WL 92568 (4th Cir. 1999) (holding that even if the complained-of instructions below were erroneous, defense counsel had invited their use and cannot rely on that error as a basis for relief) (citing Wilson v. Lindler, 8 F.3d 173, 175 (4th Cir. 1993) (en banc)).
In any event, Capital One's view that the second prong of the RLI test does not apply in this case is misconceived. In that regard, Capital One contends in substance that where, as here, the work product documents are created only after the prospect of litigation arises, see Objs. at 17, the "driving force" test should not include the second prong of the RLI test and essentially ends in favor of protection upon determining, as the Magistrate Judge did in this case, that the Report was created in anticipation of litigation. But there is nothing in the "driving force" test that suggests such a limiting gloss. The second prong of the RLI test captures one of the core inquiries identified by the Fourth Circuit in National Union: whether the work product would have otherwise been produced in the ordinary course of business. Indeed, the Fourth Circuit in Nat'l Union did not end its analysis upon determining that a document was created in the presence of foreseeable and likely litigation, but also considered whether the work product would not have been prepared in substantially similar form but for the prospect of litigation. See Nat'l Union, 967 F.2d at 984. Capital One's argument that the "driving force" test must begin and end with whether litigation was foreseeable ignores the substance of the test articulated in Nat'l Union.
As mentioned above, Capital One had previously embraced the RLI test as properly reflecting the "because of" or "driving force" standard announced in Nat'l Union; and other courts have similarly concluded that the RLI test is an appropriate formulation, as does the Court in this case. See, e.g., In re Dominion Dental Servs. United States, 429 F. Supp. 3d 190, 192-94 (E.D. Va. 2019) (Nachmanoff, J.); In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230, 1245 (D. Or. 2017); see also Charles Alan Wright, Arthur R. Miller, and Richard L. Marcus, 8 Federal Practice & Procedure § 2024 (2d ed. 1994)) ("The 'because of' standard . . . considers the totality of the circumstances and affords protection when it can fairly be said that the document was created because of anticipated litigation, and would not have been created in substantially similar form but for the prospect of that litigation.") (internal quotations and citations omitted). Therefore, for the above reasons, the Magistrate Judge was correct to apply both prongs of the RLI test in assessing Capital One's assertion of work product protection.
In applying the RLI test, the Magistrate Judge determined that the first prong was clearly satisfied, finding that "[t]here is no question that at the time Mandiant began its 'incident response services' in July 2019, there was a very real potential that Capital One would be facing substantial claims following its announcement of the data breach." Order at 7. However, as to the second prong of the RLI test, the Magistrate Judge determined that Capital One failed to establish that the Report would not have been prepared in substantially similar form but for the prospect of that litigation. There appears to be no dispute as to the Magistrate's finding concerning the first prong and, after de novo review, the Court concludes, after considering the totality of the evidence, that the Magistrate Judge properly applied the second prong in concluding that the Report did not enjoy work product protection.
Capital One contends that the second prong of the RLI test was incorrectly applied as a matter of law because the Magistrate Judge gave dispositive effect to the pre-existing SOW with Mandiant, when in fact, at Debevoise's instruction, Mandiant changed the nature of its investigation, the scope of work, and its purpose in anticipation of litigation; and as a result, "Mandiant's investigation and report would have been very different if Capital One had engaged Mandiant to investigate the Cyber Incident for business purposes" because, in that scenario, "Mandiant's investigation would have focused on remediation." Objs. at 18 (emphasis in original).
In this regard, Capital One suggests that a Mandiant report produced at the direction of counsel would pertain to "causation issues pertinent to legal liability determinations." Objs. at 18. But that explanation does not sufficiently address how such issues fall outside the scope of the 2019 SOW, particularly since issues regarding causation and/or legal liability are grounded in the facts Mandiant was tasked with investigating under the 2019 SOW as part of its incident response services.
But that contention appears hollow in light of the respective scope of services covered under the Letter Agreement and the 2019 SOW, which are identical; and the Addendum [Redacted] see also Letter Agreement (stating that "unless inconsistent with the terms of this Letter [Agreement], Counsel [Debevoise], Client [Capital One] and Mandiant will abide by the applicable terms set forth in the SOW and Master Services Agreement between Mandiant and Client dated November 30, 2015 . . .") and Addendum. In fact, the primary difference between the 2019 SOW and the Letter Agreement is a specific reference in the Letter Agreement to the Cyber Incident and the role Debevoise would play. In light of these similarities, the Magistrate Judge found that the Report would have been, in the absence of Debevoise's involvement, likewise similar, particularly given that the "only significant evidence that Capital One has presented concerning the work Mandiant performed is that the work was at the direction of outside counsel and that the final report was initially delivered to outside counsel." Order at 8. Those findings were neither clearly erroneous nor contrary to law. In short, no difference between what Mandiant produced and what it would have produced in the ordinary course of business absent Debevoise's involvement can be reasonably inferred from any differences in substance between the 2019 SOW and Letter Agreement; and Capital One failed to produce evidence sufficient to establish any such likely differences.
[Redacted]
In support of its position that the Report is substantially different than what Mandiant would have otherwise provided absent the prospect of litigation and Debevoise's involvement, Capital One points to the relatively short and somewhat conclusory internal report that Capital One's Cyber Organization team produced in response to the Cyber Incident. [Doc. 558], Ex. 2 (under seal). With this internal report as a backdrop, Capital One cites cases finding work product privilege where there were investigations parallel to counsel-led investigations. But those cases indicate that a parallel investigation was but one factor, among others, in the court's analysis and generally did not discuss in any detail how the parallel investigations materially differed in form or substance from the counsel investigation at issue. See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 2015 U.S. Dist. LEXIS 151974, 2015 WL 6777384, at *2 (D. Minn. Oct. 23, 2015) (upholding company's claim of protection over third-party firm's investigation when a separate, non-privileged investigation had been conducted to determine "how the breach happened" but only after conducting an in camera review); In re Experian Data Breach Litig., 2017 U.S. Dist. LEXIS 162891, 2017 WL 4325583, at *2 (C.D. Cal. May 18, 2017)). More to the point is that there is nothing in the record in this case that would reasonably suggest that this internal report reflects what Mandiant would have produced absent Debevoise's involvement. And as the Magistrate Judge correctly concluded, Capital One, who bears the burden, has not provided sufficient evidence to explain whether any parallel investigation by Mandiant would have been substantially different in substance than the counsel-led investigation at issue here. Order at 8.
In support of its position that the Magistrate Judge erred as a matter of law in applying the applicable test, Capital One relies on the distinguishing features of two cases denying work product protection to a Mandiant investigative report: Premera and Dominion Dental. In Premera, Mandiant was already conducting a "review [of] Premera's data management system" when it discovered the data breach at issue, after which it continued its work in investigating the breach; and the court found that Mandiant's data breach investigation was not protected as work product because "[t]he only thing that appear[ed] to have changed involving Mandiant was the identity of its direct supervisor, from Premera to outside counsel." In re Premera, 296 F. Supp. 3d at 1245. In Dominion Dental, Mandiant's company-client, Mandiant, and the company's outside counsel had entered into an agreement to do the work done almost a year before discovery of the underlying data breach; and that prior agreement expressly contemplated that Mandiant's work would be conducted alongside outside counsel. Dominion Dental, 429 F. Supp. 3d at 191.
None of the relied upon aspects of either Premera or Dominion Dental dictates or suggests an opposite result in this case. Although Mandiant did not provide any services pertaining to the data breach incident in this case until after it had entered into the Letter Agreement, unlike in Premera, and the MSA and SOWs did not specifically mention working with outside counsel, as in Dominion Dental, Capital One failed to establish, like the companies in Premera and Dominion Dental, that the report Mandiant would have created for Capital One pursuant to its pre-data breach SOW would not have been substantially the same in substance or scope as the report Mandiant prepared for Debevoise. After all, both contractual arrangements were virtually identical; and based on the record in this case, it would be unreasonable to think, given identical contractual obligations under the pre- and post-data breach SOWs, that had Mandiant not provided to Capital One through Debevoise all the information required under the SOW concerning the breach, it would not have provided that same "business critical" information directly to Capital One in discharge of its obligations under the pre-data breach MSA and SOW. In short, Capital One failed, as did these other companies, to satisfy the "because of" test. See In re Premera, 296 F. Supp. 3d at 1244 ("Premera has not shown that . . . the documents would not have been created in substantially similar form but for the prospect of litigation") (internal quotations omitted); Dominion Dental, 429 F. Supp. 3d at 194 (holding that, notwithstanding an affidavit from the company that the Mandiant report would not have been prepared in substantially similar form and may not have been necessary at all without the threat of litigation, Dominion Dental had not carried its burden after noting the "almost identical" description of Mandiant's services in the statement of work prior to and after the data breach). Cf. In re Experian Data Breach Litig., 2017 WL 4325583, at *2 (finding that a Mandiant report was entitled to work product protection because "Mandiant's previous work for Experian was separate from the work it did for Experian regarding this particular data breach," while not addressing in detail distinctions in the nature and scope of the pre-breach and post-breach Mandiant engagements).
Nor did the Magistrate Judge improperly rely on the Mandiant Report's post-production distribution. As courts have recognized, post-production disclosures are appropriately probative of the purposes for which the work product was initially produced. Cf. In re Experian Data Breach Litig., 2017 WL 4325583, at *2 ("If the report was more relevant to Experian's internal investigation or remediation efforts, as opposed to being relevant to defense of this litigation, then the full report would have been given to that team."). Here, the Magistrate Judge referenced that distribution simply to underscore Capital One's business needs for a Mandiant produced report, see Order at 8 (the distribution of the Mandiant Report showed "that the results of an independent investigation into the cause and the extent of the data breach was significant for regulatory and business reasons"), not, as Capital One contends, for the purpose of stripping away work product protections from an otherwise protected document. Objs. at 23. [Redacted] The Magistrate Judge did not commit legal error when he referred to the Report's post-production disclosures.
That distribution was to approximately 50 employees, a "corporate governance office general email box," Capital One's Board of Directors, and "four different regulators and to Capital One's accountant." Order at 4-5, 8.
Because the Court finds that the Report is not protected work product, it does not address Plaintiffs' alternative positions that Capital One waived protection over the Report or that the Report must be disclosed pursuant to Federal Rule of Civil Procedure 26(b)(3).
Capital One argues that the practical realities created by the Order are "unworkable," especially for heavily-regulated companies like itself. Objs. at 19. Specifically, Capital One contends that the Order "incentivizes companies to either (a) forego keeping an incident response vendor on retainer or (b) hire a new, unfamiliar vendor to investigate any incident from which litigation is expected to result." Id. at 19-20; Reply at 11. But that contention ignores the alternatives available to produce and protect work product, either through different vendors, different scopes of work and/or different investigation teams. See, e.g., Objs., Ex. 5 (Ben Kochman, Law360, It's Getting Harder To Hide Consultants' Data Breach Reports, available at: https://www.law360.com/articles/1279264?scroll=1&related=1 (last accessed June 19, 2020) ("[Michael] Phillips [chief claims officer at the cybersecurity analytics company Arceo.ai] agreed that [the Order] still 'provides a road map to preserving privilege in an investigation,' if companies are careful to distinguish data breach investigation reports as a distinct form of communication with their cybersecurity consultants. 'Companies and their security partners should consider creating separate statements of work for breach investigations,' Phillips said, adding that 'a company's data breach investigation process should look and feel different than typical operations with a managed security provider.'")). --------
In sum, Capital One had determined that it had a business critical need for certain information in connection with a data breach incident, it had contracted with Mandiant to provide that information directly to it in the event of a data breach incident, and after the data breach incident at issue in this action, Capital One then arranged to receive through Debevoise the information it already had contracted to receive directly from Mandiant. The Magistrate Judge, after considering the totality of the evidence, properly concluded that Capital One had not established that the Report was protected work product; and the Order was neither clearly erroneous nor contrary to law.
IV. CONCLUSION
For the foregoing reasons, after de novo review of the Order, it is hereby
ORDERED that Capital One's Rule 72 Objections to Order Granting Plaintiffs' Motion to Compel Production of Mandiant Report [Doc. 556] be, and the same hereby are, OVERRULED and the Magistrate Judge's Memorandum Opinion and Order [Doc. 490], dated May 26, 2020, be, and the same hereby is, AFFIRMED; and it is further
ORDERED that that Capital One provide forthwith a copy of the Mandiant Report to Plaintiffs pursuant to the terms of the Protective Order entered in this action.
The Clerk is directed to docket this Order in the lead case (1:19md2915), as required per PTO-1.
/s/_________
Anthony J. Trenga
United States District Judge Alexandria, Virginia
June 25, 2020