In re Dominion Dental Servs. USA, Inc. Data Breach Litig.

Full title: IN RE: DOMINION DENTAL SERVICES USA, INC. DATA BREACH LITIGATION

Court: United States District Court, E.D. Virginia.

Date published: Dec 19, 2019

429 F. Supp. 3d 190 (E.D. Va. 2019)

Opinion

Civil No. 1:19-cv-1050-LMB-MSN

12-19-2019

IN RE: DOMINION DENTAL SERVICES USA, INC. DATA BREACH LITIGATION

Michael S. Nachmanoff, United States Magistrate Judge

ORDER

Michael S. Nachmanoff, United States Magistrate Judge

This matter comes before the Court on plaintiffs' motion to compel Dominion National defendants to produce the Mandiant report and related documents. (Dkt. No. 93). Specifically, plaintiffs seek the report produced by cybersecurity firm FireEye Mandiant ("Mandiant") in the wake of the data breach at issue in this litigation. Defendants oppose the motion (Dkt. No. 96), claiming that the Mandiant report was created to inform legal counsel and litigation strategy and is therefore privileged and protected work product. Having considered the arguments of counsel and reviewed plaintiffs' motion, defendants' opposition, and plaintiffs' reply in support of the motion, (Dkt. No. 98), the Court will grant plaintiffs' motion for the reasons that follow.

I. Background

Beginning in August 2010 and continuing through April 2019, plaintiffs allege that hackers gained access to Dominion National's databases and were able to access personal, financial, and medical information of current and former customers. Pl. Compl. (Dkt. No. 1) at ¶ 2. This information included names, addresses, email addresses, dates of birth, Social Security and taxpayer ID numbers, member ID numbers, and other protected health information. Id. Dominion National defendants discovered the data breach on April 24, 2019, following an investigation of an internal data security alert on April 17, 2019. (Dkt. No. 96) 2.

According to letters sent to the customers of Providence Health Plan on August 20, 2019, Dominion National advised that "[o]n April 24, 2019, through our investigation of an internal alert, with the assistance of a leading cybersecurity firm, we determined that an unauthorized party may have accessed some of our computer servers." (Dkt. No 93-3). Defendants conceded at oral argument that the "leading cybersecurity firm" referenced in the letter is Mandiant. (Oral Argument at 11:08).¹

1 Defense counsel argued that this language did not, in fact, mean that Mandiant assisted in uncovering the computer intrusion and suggested that the sentence was inartfully drafted. The Court finds, however, that there is no other way to interpret this sentence. Accordingly, the claim that Mandiant was engaged solely to provide expert services for the benefit of counsel rather than the obvious benefit to the business of reassuring customers that the breach was being investigated quickly by a reputable cybersecurity firm is severely undermined.

Notably, defendants' relationship with Mandiant began far before the data breach was discovered. Beginning no later than August 1, 2016,² defendants hired Mandiant to investigate, prevent, and remediate data breaches. (Dkt. No. 98) 1. On June 19, 2018, almost one year before the discovery of the data breach in this case, defendants, Mandiant, and BakerHostetler LLP executed a statement of work agreement. (Dkt. No. 98-1). This document contemplates incident response services, including: "computer incident response support, digital forensics support, advanced threat actor support, and advanced threat/incident assistance." Id. at 1. The document also enumerates deliverables, which include incident response service status reporting, an incident response final report (including "recommendations for remediation in a written detailed technical document"), and an incident response executive briefing. Id. at 2. As noted above, Dominion received an internal alert regarding a potential intrusion of its computer systems on April 17, 2019, (Dkt. No. 96) 2, yet nothing in the record reflects that the June 2018 statement of work had expired prior to that date.

2 Exhibit 1 submitted with plaintiffs' reply brief references a master services agreement dated August 1, 2016, between defendant Capital BlueCross ("CBC"), Mandiant, and BakerHostetler LLP; however, this agreement is not included in the record. CBC is the parent company of Capital Advantage Insurance Company, which is the parent company of all the Dominion National defendants.

Mandiant entered into yet another statement of work with BakerHostetler LLP on either April 24, 2019, or April 25, 2019, "for the benefit of [defendant Capital BlueCross]." (Dkt. No. 96-2).³ This April 2019 document, incorporating by reference both the 2016 master services agreement and the June 2018 statement of work, includes a list of deliverables that is virtually identical to those listed in the June 2018 document. Id.

3 The statement of work is dated April 25, 2019, although the signatures of both Mandiant and Capital BlueCross are dated May 14, 2019. The Mandiant report, which was submitted in camera , references a start date of April 24, 2019.

Mandiant concluded its investigation on May 17, 2019, and submitted its final report on August 19, 2019.⁴ On June 21, 2019, Dominion prepared an "incident response communications and support kit" for its client, Providence Health Plan. (Dkt. No. 98-2). This document included the assertion that "we are still investigating this with the assistance of FireEye Mandiant, a world leading cybersecurity firm," id. at 7, and, in a list of "talking points," instructed the client to assure their own customers that Dominion brought in Mandiant to assist in the investigation. Id. at 10. Defendants also appear to have used information gleaned from the Mandiant report in communications with state regulators, although the record is not completely clear on that point. See, e.g. , Dkt. No. 98-4 at 2 (stating to the Indiana Office of the Attorney General that Dominion had no evidence of exfiltration, which mirrors Mandiant's conclusion that it was unable to find any evidence of exfiltration within a certain specified period).

4 The Court has reviewed this report in camera. The facts in the record alone are sufficient to support granting plaintiffs' motion; however, a review of the contents of the report itself reflects that the information is entirely factual, relates directly to the business interests of the defendants, and does not appear to include legal analysis or attorney work product.
--------

II. Legal Framework

As a general matter, parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense and is proportional to the needs of the case. Fed. R. Civ.P. 26(b)(1). However, a party may not ordinarily discover documents and tangible things that are prepared in anticipation of litigation by or for another party or its representative. Fed. R. Civ. P. 26(b)(3)(A). But the privileges derived from the work product doctrine are not absolute. United States v. Nobles , 422 U.S. 225, 239, 95 S.Ct. 2160, 45 L.Ed.2d 141 (1975). The party "claiming the protection bears the burden of demonstrating the applicability of the work product doctrine." Solis v. Food Employers Labor Relations Ass'n , 644 F.3d 221, 232 (4th Cir. 2011).

In the Fourth Circuit, to ascertain whether a document was created in anticipation of litigation, the court determines whether it was prepared "because of the prospect of litigation when the preparer faces an actual claim or a potential claim following an actual event or series of events that reasonably could result in litigation." Nat'l Union Fire Ins. Co. of Pittsburgh, Pa. v. Murray Sheet Metal Co. , 967 F.2d 980, 984 (4th Cir. 1992). Accordingly, "materials prepared in the ordinary course of business or pursuant to regulatory requirements or for other non-litigation purposes are not documents prepared in anticipation of litigation within the meaning of Rule 26(b)(3)." Id. On occasion, there may be dual motives underlying the preparation of a particular document. That is, the document may be used both for litigation and for business purposes. In such cases, the court must determine "the driving force behind the preparation of" the requested documents. Id. at 984. The court must consider whether the document would have been created in essentially the same form in the absence of litigation, or the alternative, whether the document "would not have been prepared in substantially similar form but for the prospect of that litigation." United States v. Adlman , 134 F.3d 1194, 1195 (2d Cir. 1998).

Regardless, litigants cannot escape their obligations to disclose underlying facts by communicating them to an attorney or having an attorney direct the fact investigation. In re Zetia (Ezetimibe) Antitrust Litig. , 2019 WL 6122012, at *3 (E.D. Va. July 16, 2019) (citing Upjohn Co. v. United States , 449 U.S. 383, 395, 101 S.Ct. 677, 66 L.Ed.2d 584 (1981) ).

Courts bring these general principles to bear when deciding whether litigants must disclose the contents of investigations conducted in data breach cases. In re Premera Blue Cross Customer Data Security Breach Litigation involved a dispute over a report created by Mandiant under strikingly similar circumstances. 296 F. Supp. 3d 1230, 1245-46 (D. Or. 2017). In the Premera case, the court determined that the defendant was obligated to produce the report and underlying documents related to the report because Premera failed to show that the driving force behind the report's creation was litigation. Id. Rather, "discovering how the breach occurred was a necessary business function regardless of litigation or regulatory inquiries. Premera needed to conduct an investigation as a business in order to figure out the problem that allowed the breach to occur so that Premera could solve that problem and ensure such a breach could not happen again." Id. The court found it relevant that Mandiant had been hired by Premera to perform a scope of work before it was aware of a breach or retained outside counsel, and that scope of work "did not change after outside counsel was retained." Id.

By contrast, the court in In re Target Corp. Customer Data Security Breach Litigation did not compel production of the report at issue. 2015 WL 6777384, at *2 (D. Minn Oct. 23, 2015). Target performed its own independent investigation, which was produced, and the attorneys performed a separate investigation through a retained consulting expert, which was protected. Id. The court in In re Experian Data Breach Litigation also protected the report at issue. 2017 WL 4325583 at *2 (C.D. Cal. 2017). Experian retained Jones Day immediately after discovering the breach and Jones Day in turn hired Mandiant to conduct an investigation to assist it in providing legal advice. Id. The court found persuasive both the timing and the fact that the report was only partially disseminated to Experian's incident response team, suggesting that the report would not have been prepared in substantially the same form or with the same content in the absence of litigation. Id.

In other instances, defendants simply provided access to Mandiant reports without objection. For example, in a data breach case in the Northern District of California, Judge Koh noted that plaintiffs had access to the report produced by Mandiant. In re Anthem, Inc. Data Breach Litigation , 2016 WL 3029783 at *3 (N.D. Cal. 2016). In a recent data breach case in Alabama, the defendant also appears to have provided the relevant Mandiant report. Southern Independent Bank v. Fred's, Inc. , 2019 WL 1179396, at *3 (M.D. Ala. 2019).

III. Analysis

Defendants have not met their burden of demonstrating the applicability of the work product doctrine to the Mandiant report and associated communications. Solis v. Food Employers Labor Relations Ass'n , 644 F.3d 221, 232 (4th Cir. 2011).

To merit protection, the "driving force" behind this report must be litigation. Nat'l Union Fire Ins. , 967 F.2d at 984. Here, the driving force behind the report was not litigation, but business purposes. Defendants rely heavily on an affidavit submitted by one of their employees, Kip Miller, which makes the bare assertion that "without the threat of litigation ... the Mandiant Report would not have been prepared in a substantially similar form and may not have been necessary at all." (Dkt. No. 96-1) 3. This conclusory statement is rebutted by extensive evidence in the record confirming that the report was used for a range of non-litigation purposes. Most significantly, the actual description of services promised in the April 2019 statement of work, which include computer incident response support, digital forensics support, advanced threat actor support, and advanced threat/incident assistance (Dkt. No. 96-2) 1, are almost identical to the services promised in the June 2018 statement of work, entered into by the defendants and Mandiant months before any threat of litigation. The addition of language referencing "under the direction of Counsel" appears to be designed to help shield material from disclosure rather than to fundamentally alter the business purposes of the work. Similarly, the list of deliverables in the April 2018 statement of work includes incident response service status reporting, an incident response final report (including "recommendations for remediation in a written detailed technical document"), and an incident response executive briefing. (Dkt. No. 96-2) 1. As with the list of services, the primary difference between this list of deliverables and the ones in the June 2018 list is the inclusion of small modifying phrases such as "if requested by Counsel." Id. The June 2018 statement of work was not prepared in the face of "an actual claim or a potential claim following ... a series of events that could reasonably result in litigation." Nat'l Union , 967 F.2d at 984 (4th Cir. 1992). The similarity in the services and deliverables outlined in the two statements of work provides compelling evidence that the report would have been "prepared in a substantially similar form" absent the threat of litigation. RLI Ins. v. Conseco, Inc. , 477 F. Supp. 2d 741, 748 (E.D. Va. 2007).

Defendants' case is further undermined by other facts in the record. Defendants publicized the retention and work of Mandiant for "non-litigation purpose[s]" such as reassuring customers and communications strategy. Nat'l Union Fire Ins. , 967 F.2d at 984. Most notably, defendants notified their customers that "on April 24, 2019, through our investigation of an internal alert, with the assistance of a leading cybersecurity firm, we determined that an unauthorized party may have accessed some of our computer servers." (Dkt. No. 93-3). Defendants, in an "incident response communications and support kit," asserted that "we are still investigating this with the assistance of FireEye Mandiant, a world leading cyber security firm" (Dkt. 98-2) 7, and in a list of "talking points," instructed the client to assure their own customers that Dominion brought in Mandiant to assist in the investigation. Id. at 10. It is difficult to conceive of either of these documents serving anything other than a business purpose.

The instant case bears many similarities to the Premera litigation. In Premera , the court noted that Mandiant had an existing scope of work dating back before the discovery of the computer intrusion, just as is the case here. In re Premera , 296 F. Supp. 3d at 1245. Moreover, Premera defendants attempted to shield the report from discovery by creating a new statement of work. Id. ("Premera and Mandiant entered into an amended statement of work that shifted supervision of Mandiant's work to outside counsel."). This mirrors the April 2019 statement of work that Mandiant and defense counsel entered into in this case. As outlined above, in both Premera and the instant case, the "amended statement of work confirms that the scope of the work remained the same." Id. In both cases, there was one investigation, performed by Mandiant. Id. The "change of supervision" to outside counsel "is not sufficient to render all of the later communications and underlying documents privileged or immune from discovery as work product." Like Premera , defendants here have done little to show "that Mandiant changed the nature of its investigations at the instruction of outside counsel and that Mandiant's scope of work and purpose became different in anticipation of litigation." Id. at 1246.

The Target case also supports granting plaintiffs' motion. In Target , following the breach, the defendants pursued a two-track investigation. In re Target , 2015 WL 6777384, at *2 (D. Minn. Oct. 23, 2015). On one track, Verizon conducted a non-privileged investigation on behalf of credit card companies. Id. This track was set up to allow Target to learn how the breach happened and to respond appropriately, and the resultant report was disclosed to plaintiffs. Id. At issue in Target was the separate, second-track investigation specifically designed to provide counsel with the information necessary to help them provide legal advice. Id. Here, defendants have presented no evidence of a two-track investigation. The Mandiant report appears to be the only report commissioned by defendants in connection with the data breach at issue.

The Experian case is likewise distinguishable from this matter. In Experian , the court found that the Mandiant report was created "because of" litigation. In re Experian , 2017 WL 4325583 at *2 (C.D. Cal. 2017). The record contained evidence that Mandiant had worked with Experian in the past on separate matters, but there was no evidence of a continuous business relationship with Mandiant. Id. Moreover, in Experian , the full report was withheld from defendants' incident response team. Here, defendants have not represented that the full report was withheld from them. The Experian court also did not have to consider evidence that defendants notified customers of the retention of Mandiant, a "leading cybersecurity firm," or that defendants reassured clients that Dominion was vigorously investigating the breach with Mandiant's assistance by sharing information regarding the status of the investigation. These facts provide substantial evidence here of the non-litigation, business purposes of the Mandiant report and investigation.

IV. Conclusion

Defendants have failed to show that the report and underlying documents were created because of anticipated litigation and would not have been completed in substantially similar form but for the prospect of litigation. Therefore, the Mandiant report and related underlying documents must be produced within fourteen (14) days of the date of this order. To the extent that there are portions of drafts of the report or other correspondence that defendants contend contain privileged information or work product information, they may be properly withheld subject to a privilege log to be produced within fourteen (14) days of the date of this order.