EP 67: New Rules for Attorney-Client Privilege over Data Breach Reports
About this episode
November 24, 2020
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead at Focal Law Group, discuss the “lessons learned” from the Capital One Consumer Data Security Breach litigation ruling relating to the attorney-client privilege for data breach reports.
Kip Boyle: Hi, I'm excited to share that we have a new free bonus just for you.
Jake Bernstein: We've started publishing our very own quarterly Cyber Risk Management Journal. It's loaded with over 30 pages of useful content taken directly from our podcast. Here's how we make each new edition.
Kip Boyle: We start by transcribing the four or five episodes that we've published in the previous three months.
Jake Bernstein: Next, we send our editor and designer the transcripts that are supporting materials for those episodes.
Kip Boyle: Then they revise all the text. They put clickable links in for all the resources, and they create the best look and feel for each episode.
Jake Bernstein: And finally, we, Kip and I, make sure the finished PDF is ready for you.
Kip Boyle: So download the current edition now. All you have to do is go to b.link/CRMJ. That's the letter B dot L-I-N-K forward slash C-R-M-J.
Jake Bernstein: And if you like it, share it with your friends and encourage them to subscribe to the Cyber Risk Management podcast. Now on with the show.
Speaker 3: Welcome to the Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cyber security counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.
Kip Boyle: Jake. Hi, what are we going to talk about today?
Jake Bernstein: Hey Kip. Today, we're going to talk about the lessons learned from the Capital One consumer data security breach litigation ruling that talks about attorney client privilege and work product doctrine for data breach reports.
Kip Boyle: Ah, welcome back legal episodes.
Jake Bernstein: That is right. And today's topic got a fair bit of press. It focuses on a May 26th, 2020 order issued by a US magistrate judge in the MDL, which stands for Multi-district Litigation that came out of Capital One's March 2019 data breach.
Kip Boyle: I can't define most of the words you just used.
Jake Bernstein: Multi-district litigation just means that a whole bunch of lawsuits were filed against Capital One and they were consolidated into one court.
Kip Boyle: Ah. Okay. And what about magistrate judge? How is that different from a vanilla ordinary judge?
Jake Bernstein: A magistrate judge is... They specialize in kind of discovery type disputes, and they are lower ranked than a full district court judge. They're kind of like assistant judges in a way, so they have less power. And you can always choose to kind of like not see a magistrate judge, but they're useful.
Kip Boyle: So they're like the assistant to the regional judge?
Jake Bernstein: Kind of. Yes.
Kip Boyle: Never mind. If anybody watches The Office, I'm just channeling my inner Michael Scott.
Jake Bernstein: So just to be fair, to be technically accurate, we're actually also mostly talking about that work product doctrine. But we'll discuss the attorney client privilege too.
Kip Boyle: Well, that's great. So attorney client privilege is super important. I'm sure we'll continue to talk about it on the podcast in future episodes. It's a very important part of our work as practitioners, right? I'm routinely talking to customers about the need for ACP and when they should activate it and when it's not necessary. So this continues to be super important, and this particular situation that we're going to talk about today may result in a change in the way that we use attorney client privilege in our work. So this is a very important topic. But work product doctrine. That's a little different. I don't know if we've talked about that. So maybe we should spend a few moments talking about that.
Jake Bernstein: We should, for sure. But I think actually before we do, we should go over the background of this case, because it's a lot easier to talk about work product in context.
Kip Boyle: Okay. Yeah. Let's do that. Okay. So the Capital One breach. There's so many interesting things about it because we could focus on what exactly was done to cause the breach, which I think is really interesting, right? The operational aspects of that. But let's look at what happened downstream of the actual breach, which happened in March of 2019. So it took Capital One months really. It wasn't until mid July for them to discover it. Then they actually went public with it on July 29th, 2019. So just over a year ago. And of course, right after the announcement, brace yourself for impact because lawsuits were filed, many of them. Totally typical. Happens [crosstalk].
Jake Bernstein: Then they were consolidated into the new word that we learned, multi-district litigation.
Kip Boyle: Supervised by the magistrate judge. Did I say that right?
Jake Bernstein: No. The magistrate judge would be in charge of the discovery aspects. There's a federal district judge in charge.
Kip Boyle: I'll get it. I'll get this right sooner or later. Sooner or later, I will learn all of these little nuances. It's kind of fun actually. Okay. But one of the most important things to know here, dear listeners, is that Capital One hired a high profile cyber security firm named Mandiant long before the March 2019 breach. And that's important here because Mandiant, kind of like my company but they're much bigger, deliver cybersecurity services to their clients. There was an existing relationship between Mandiant and Capital One. And actually, there was a master services agreement between Capital One and Mandiant dated November 2015. And as you do with an MSA, whenever Capital One wanted Mandiant to do something new, they would just write a statement of work and then purchase orders and invoices would fly back and forth. And then new things would be delivered. It's a typical approach.
One of the things that Capital One paid Mandiant for, and this is where things start to converge, is incident response services on demand. So as an example, on January 7th, 2019, there was a statement of work that was issued and it was... Let's see. Capital One bought 285 hours of incident response services from Mandiant. It's kind of the upshot of this statement of work. And this is where things continued to converge. At the time of the statement of work being executed, Capital One made a critical decision. They had to decide what kind of an expense was this, right? Because they needed to account for it in their general ledgers. And they decided to call it a business critical expense. They could have called it a legal expense, but they did not. And that's going to be important, right?
Jake Bernstein: It is. It's actually interesting. One of the frustrating aspects of this case and this discussion, frankly, is that there really isn't a hundred percent clear conclusion. So maybe they could have classified it as legal, maybe that would have mattered, but maybe they couldn't have. So we can talk about that, but to continue the story.
Kip Boyle: The fact that they did it is what's important.
Jake Bernstein: It is. Yes. So just as soon as that breach was discovered, which was actually July 19th, 2019, Capital One went ahead and immediately retained an outside law firm to provide legal advice about the breach, which is-
Kip Boyle: And that's typical. Right?
Jake Bernstein: That's very typical as well. Within five days of being hired, Capital One, the outside law firm and Mandiant signed a letter agreement that basically referred back to the November 2015 MSA and just kind of stated that Mandiant would be working at the direction of counsel. It's kind of the magic language. But payment and all other terms were left as they were in the MSA and the SOWs.
Kip Boyle: Now, this is something that we encounter all the time, Jake and I, because we're sometimes serving common clients and this whole episode absolutely bears on us firsthand because one of the things we have to do when we serve a common client is we have to figure out how will the contracts be written, right? Does Jake's law firm have a contract with the client and then Cyber Risk Opportunities has a separate contract with the client? And therefore we really have two business relationships going on, but that we're just sort of coordinating with each other. Or would we do something... What's it called? A three-party agreement, right? Where three entities sign a contract, a single contract. So we're all parties to a single contract. So there's different ways to do it. What we're learning is it matters.
Jake Bernstein: It does. And now you've hit upon why this is frustrating to us in particular is that it does matter. It has very real, very immediate kind of consequences to the way that we do business.
To kind of cut down a bit on this very long story, by September 4th, 2019, Mandiant had done a whole bunch of work and prepared a very nice report. It is referred to as the Mandiant Report. I know. Stunning, right? And it is the focus of our discussion. So why? Well, the plaintiff's lawyers want this report. Kip, why do they want the report?
Kip Boyle: Yes, that's the obvious thing, right? Is why would they want the report? Well, because the report is going to contain everything that Mandiant found out about the data breach, including all of Capital One's security practices at the time of the breach. So if they could get that report, then an expert witness would be able to pick apart Capital One's cybersecurity program and make it sound like they were not practicing reasonable cyber security in some way, shape or form. Perhaps they would come up with a very long list. And as somebody who just wrote his first expert report for a lawsuit, I totally get this.
Jake Bernstein: Yeah. So I was actually going to ask you that. I said you have firsthand experience with what this means.
Kip Boyle: I do now.
Jake Bernstein: How valuable would that Mandiant report be to someone, if it was you trying to pick apart Capital One's program? It's hard to imagine doing a good job of picking apart the program without that report. Right?
Kip Boyle: Right. Yeah. So in my particular case, I had at my disposal as part of the discovery, an internal incident report, and it was marvelous for me to have that because if I didn't have it, I would have to write... Essentially I'd have to write a ghost incident report based on all the evidence so that I could understand what happened. Right? I'd have to piece everything back together again, and that would be a mountain of work. So this is a huge shortcut. Not only that, but my sense is that if I have to write a ghost incident report, it's not as credible as a real report written by somebody who was actually there.
Jake Bernstein: It wouldn't be credible, not because you don't know what you're doing, but because you've been hired to pick them apart.
Kip Boyle: Right.
Jake Bernstein: The purpose of it is just very different. As an aside, it's interesting to note that the internal investigative report that you had access to almost certainly was the subject of an attempt to get protection in a similar way, and that failed, obviously, otherwise you wouldn't have gotten it.
Okay. So it's pretty clear that Capital One wouldn't want to give the report over to the plaintiffs.
Kip Boyle: Only if they had to.
Jake Bernstein: Only if they have to. So now we'll turn back to those legal doctrines. The first one is easy, I think. The attorney client privilege is reasonably well understood. It's one of the most important evidentiary privileges recognized by Anglo American law. And basically what it does is encourage total transparency between client and lawyer by protecting communications that are for the purpose of providing legal advice. I would say that most people understand this one kind of intrinsically. The whole idea is like, "Oh, if I tell my lawyer, the lawyer can't be made to tell on me."
Kip Boyle: Right.
Jake Bernstein: And while I want to always point out that no privilege is absolute, the attorney client privilege is difficult to breach without the client's consent.
Kip Boyle: And as you are reviewing this right now, I can't help but to think about my current favorite lawyers show Better Call Saul, and ACP is just something that is just threaded throughout the storyline of that show. And many other movies and shows where there's a lawyer or legality. So yeah, this is like fundamental. Everybody should understand this to a degree.
Jake Bernstein: You're totally right. This concept really is embedded in our culture at this point. And it's old. It dates back hundreds of years to English Common Law. So now the work product doctrine is a little different. I would say that outside of litigation circles, way fewer people have even heard of it. What you find is that if you go into the federal rules of evidence at FRE 502, you will find that work product protection is quote, "The protection that applicable law provides for tangible material or its intangible equivalent prepared in anticipation of litigation or for trial."
Kip Boyle: Oh my gosh. Yeah. I mean, tangible material. Okay. I can imagine what tangible material is, but prepared in anticipation of litigation or for trial. It's like, okay, that's pretty ephemeral. Right? Okay. So let me see if I can sort of restate it. Anything a lawyer creates while planning for litigation potentially falls under work product doctrine, right?
Jake Bernstein: I would say in short, yes. However, there is a competing doctrine here, which is that evidentiary privileges in general are disfavored because what they really do is shield evidence from the truth seeking process. And this means that judges are going to do something that judges love to do, which is to narrowly construe things. In other words, we're going to limit the... We recognize this as important, but we're going to limit it to kind of as narrow a place as we can. By the way, this is how it should be. We want this. We want to have these very important principles, but we also don't want courts to hesitate to set aside these types of privileges if they think there is an abuse or a major impediment to finding the truth.
Kip Boyle: Okay. Well, it's interesting because as somebody who doesn't practice law, everything that you just said is not familiar to me, and I can only imagine the thought process of a judge in making these judgements, right? Narrowly construing things. It's like, wow. I mean, it just feels like splitting hairs and whatnot, but I like it. I agree. That's probably the way it should be.
Jake Bernstein: Exactly. It's really an important thing to have the nuance here. And I think this case is a really good example of how courts can and do limit the work product doctrine. Here we have a magistrate judge who painstakingly recites principles of law. Here are some of them. The fact that there is litigation does not by itself cloak materials with work product immunity.
Kip Boyle: Okay. So these are quotes right out of the decision?
Jake Bernstein: They are. And most of them are coming from other cases. Here's another one. The material must be prepared because of the prospect of litigation. The corollary is that materials prepared in the ordinary course of business or pursuant to regulatory requirements or for other non-litigation purposes are not documents prepared in anticipation of litigation.
Kip Boyle: Okay. It's continuing to converge here. Right, everybody? Can you see it coming together?
Jake Bernstein: This is one of my favorites. The court must determine the driving force behind the preparation of each requested document in resolving a work product immunity question.
Kip Boyle: This is the best hair splitting ever.
Jake Bernstein: It is, but it's also... It's so important.
Kip Boyle: Absolutely.
Jake Bernstein: You see where this is going. So what are you thinking? Where do you think this is going?
Kip Boyle: Okay. Well, I know, and I probably could have predicted it if I was sitting in the courtroom. But the court decided that the Mandiant report of the data breach incident was not prepared because of litigation, but rather because Capital One needed to understand what had happened for business reasons, right?
Jake Bernstein: More or less. Now personally, I will admit that I think the magistrate judge really went a little far. And I think that I'm... I doubt I'm alone, at least on the defense bar, in hoping that this decision gets limited to some way, either on appeal or just with the facts. I think first of all, this is one of those cases where I think it could have actually gone either way. And we'll talk about the way that this did go and what that means for us and our customers and clients.
But the judge here, the magistrate judge here said that the determinative issue is whether the Mandiant report would have been prepared in substantially similar form, but for the prospect of that litigation and people should know that but for causation is a very kind of standard legal tool. The idea being that sometimes we need to determine why something happened, but for causation is kind of... It's very similar to like a root cause analysis, right? That would be a security version of the same concept, which is you want to know why did this breach happen? So we call it root cause. Judges and lawyers tend to call that but for.
Kip Boyle: You're telling me there's a whole course in law school about but for?
Jake Bernstein: Well, I mean, there's a whole course in law school on evidence and that's part of it. And causation is actually more a part of... I would say it's a more general concept even than evidence. This one's tough because this report, the Mandiant Report, which by the way, is capital R throughout this report here, it did clearly serve multiple purposes.
Kip Boyle: Well, and that's ordinary. That's common and ordinary. Right? When I'm serving as a chief information security officer for an organization, I often will rely on a report for multiple purposes. And you kind of want that if you can because that's conservation of resources, both in terms of the creation of the report, but also in terms of actually understanding the report... Sorry, understanding the event that the report is analyzing. Because there's a lot of things you need to do. I mean, there's a lot of decisions that need to be made. Different parts of the organization either respond differently, and you don't want to convene multiple reports, which would then require you possibly to convene multiple meetings. And then in your own head as a manager, you're trying to reconcile two reports, which maybe they don't totally line up. So then you're introducing a lot of ambiguity. Nobody wants that. Right?
Ideally as a manager, you want everything in one report. I totally see that. So in specific things, right? How do you prevent this from happening again? What are the actual risks here, and how do they need to be managed? Should somebody be held accountable for doing something that they shouldn't have done, or maybe they did something that they shouldn't have done, or they avoided doing something they should have done? Anyway. So yeah, there's lots of reasons why you want a report. And boy, I hope this doesn't end up being the new thing.
Jake Bernstein: So the court actually does go through and starts listing all the different ways this Mandiant Report was used. It was passed around to four different regulators. It was used internally for Sarbanes-Oxley disclosures. It was used to prepare an FAQ for the head of finance who used it.
Kip Boyle: And that's all good, right? This is all good.
Jake Bernstein: It is all good. I would say that if you had wanted to prevent this ruling, then the best way to do that, I think, and this is what the kind of the court hints at, is to have the outside counsel hire a fresh company to do incident response. I do want to talk with you, Kip, in our remaining time about why that might be not desirable. But I do think that based on this ruling, the court really fixated on the fact that Capital One had hired Mandiant before the breach, years before, had this existing MSA and SOW in place. And that the contractual language was identical. Mandiant gets around. There's a whole bunch of cases where there is a Mandiant Report. And the court goes through some of those and says basically, at the risk of oversimplifying, that in cases where the Mandiant Report was protected, generally Mandiant was hired by the law firm specifically for the purpose of investigating the breach, as opposed to kind of this ongoing relationship.
Now, what I want to ask you, Kip, is aren't there benefits to having an ongoing relationship with an incident response firm and then having that same firm help with a breach like this?
Kip Boyle: Oh gosh, yes. Yeah. And the answer is yes. And some of the reasons for that kind of run to... Some of the things I was talking about before. Efficiency, effectiveness, familiarity, I mean, every company is different. Even if they're direct competitors, they're typically different, they're organized differently, they do things differently. So one of the challenges with any outside vendor, let alone somebody who's going to help you with incident response, is they have to understand your business. They have to understand how you make money. They have to understand your risk appetites, your risk tolerances, the nature of the sensitive data that you collect and where you tend to keep it. The less an outside firm understands about all those things, the more difficult and awkward it can be to work with them. They might reach bad conclusions, right? Because simply lack of familiarity. That's a big reason why I would want my incident responder to understand me.
Jake Bernstein: Yeah. And I would say what frustrates me here is that this feels very much like a situation where the judge is putting form over substance. And I think this is exactly the kind of decision that is ripe to be changed on appeal. For those wondering, this is how common law gets made. This is how the law evolves through judges. Basically you can envision a situation where a judge is like there are really good policy reasons that we should protect this type of report, even though the company didn't follow the exact kind of magic words. And generally speaking, the history of law is interesting. There was a time period where if you said the magic words, you got the result you wanted. We generally don't want that. Right? We don't want that for many reasons.
It makes it easy to defraud. It makes it easy to cause problems. It makes it easy to lose protection when you shouldn't lose protection. And I think this is a case that, again, I really hope gets changed on appeal, overturned in some fashion, or just limited because I want to be able to have clients have an IR company on retainer and to have those companies be the one who helps prepare the report, even if there is litigation that ensues and not have to worry as much about whether or not work product is going to be thrown out and the report is going to be given over. I just think that if it really does come down to the language in a letter and an MSA or SOW that the judge here is kind of missing the point.
I don't necessarily expect this particular judge to understand that just because it's very specific to, I think, cybersecurity issues. And what's really interesting is somewhere floating around out there in the Sedona Conference's archives is a whole white paper about... Maybe we need a cyber security information privilege as kind of a new privilege, just because it takes so many people to generate reports. It's so complicated. And think about it this way, Kip, if companies are in a position where everything that they learn, they fear is going to get turned over to the other side in a lawsuit so that they can be Monday morning quarterbacked, what do you think is going to happen?
Kip Boyle: Well, they're going to be way more careful about generating that kind of content, and they're going to be way more careful about documenting that content. Right?
Jake Bernstein: So here's the problem. In reality, that means they're not going to generate the content. So they're not going to know, which is going to actually decrease everybody's security because more and more people will take a head in the sand approach of, I just don't want to know. Right? I don't want to know. It's better and easier-
Kip Boyle: God knows we don't have enough of that going on already.
Jake Bernstein: Right. That's already the problem. We're trying to work. This podcast exists in large part to prevent that. And here you have a magistrate judge kind of pouring some cold water on this and it is frustrating. So I do hope that this gets fixed or there are clear ways to kind of get around this decision because we really don't want this to be the rule.
Kip Boyle: Well, I think it's interesting where the court referenced cases where Mandiant's Reports were protected, and those were cases where Mandiant was hired by the law firms specifically for the purpose of investigating the breach. So in a way, there's already an established pattern of working like that.
Jake Bernstein: There is.
Kip Boyle: And we can't ignore that, right?
Jake Bernstein: No, we shouldn't ignore that. Like I'm saying, this is one of those situations where the judge hints at magic language. And though I don't think it's appropriate, if there's magic language, use it. I mean, I think that's a clear statement and it is really... But it does go back, by the way, to this concept of hiring a new firm. That's part of the problem here is that a lot of those times Mandiant is brought in new, right? There actually is another case where Mandiant was already involved. And that was the same... It's called Dominion Dental. It's a December 2019 ruling out of the Eastern District of Virginia. And same result as this one, which is the... As it says here, "The defendants failed to show that the Mandiant Report would not have been completed in substantially similar form, but for the prospect of litigation."
And in other words, what they're saying is, "Oh, you would have done that anyway, whether there was litigation or not, because you hired Mandiant and you had a similar MSA and a similar SOW." I don't like that result.
Kip Boyle: Okay. Interesting. But you and I now need to figure out what we're going to do, because if a customer comes to us and says, "Hey, I want to do cyber risk management. I want to be practicing reasonable cyber security, but at the same time, I know that I'm going to have to make tough choices about which risks I'm going to actively manage and which ones I'm not. And I really don't want, in the case of a future lawsuit, I really don't want somebody seeing the list of risks that I chose not to manage at this time." So, hey, Kip and Jake, can you do this work? And can you provide us with privilege?" Now we need to be really careful, right? How we do it.
Jake Bernstein: We do, and I would say that our situation hasn't altered that much. And a part of the reason is that neither of us are really... Or I should say you specifically are not really typically doing incident response work. I think if you were, then you could absolutely find yourself in the Mandiant position here. I think that the work that we do can be protected. We probably need to be relying more on attorney-client privilege and there's ways that we can do that. But I really do think... And again, this actually goes back perfectly well to that Sedona conference paper about cybersecurity information privilege. Because again, it really fits the purpose behind these privileges, which is we want to encourage truthfulness and transparency, but people who think they're going to get burned by gathering the full information aren't going to do it.
Kip Boyle: Yeah. I mean, I have colleagues and friends who lament the fact that the cyber security information security profession, that we don't have the kind of root cause investigations that you see in air transportation. Like when an aircraft crashes and then the United States government has either a duty, a right or a permission based on where the aircraft does crash to do the investigation. The results of those investigations are released to the public. And there are protections around them. And the whole system is devised to increase flight safety, to make air travel more safe, more reliable, and to assure future fliers that this is a paramount important thing that the airline industry is doing. Why shouldn't we have something comparable?
Jake Bernstein: That would create a different paradigm, but maybe we should. I mean, I think it's a really good point. Though it hasn't happened yet in the United States where a cyber attack results in the type of loss of life that an airliner crash does, it could happen.
Kip Boyle: It absolutely could happen. Oh my gosh. It absolutely could happen. You could actually make the case now, because I've seen the studies. It's a bit indirect, but ransomware attacks on medical facilities, which result in operational disruptions. I've already seen some studies that says that the mortality rate for patients in that medical facility increases.
Jake Bernstein: I'm sure it does.
Kip Boyle: Right. So we're starting to see some indirect issues there, but in the future-
Jake Bernstein: That actually gets almost pretty direct. Right? I shut down a hospital's IT systems, it's not really surprising that people hooked up to machines in that hospital die at a higher rate.
Kip Boyle: Right. I don't think we're at the point yet where we can say, "Well, Mr. Jones and Mrs. Smith, they both died unnecessarily soon because of that."
Jake Bernstein: Right. That's where it gets hard.
Kip Boyle: I mean, you can look at the data in aggregate. Yeah, you can look at the data in aggregate, but I don't think we can actually pin it to specific people and draw a direct line. But in the future, let's say, and we've seen this already in demonstration, let's say that there's an autonomous vehicle. It has four passengers. It gets cyber attacked. And as a result, the car is commanded to drive through a red light and it's struck in an intersection in a T-bone and two of the four passengers are killed. There you go. And I don't think that's unfortunately too far away.
Jake Bernstein: No, perhaps not. And I think that is certainly the case. We should wrap this up, but I think this has been a really interesting episode.
Kip Boyle: Yeah. I hope everybody agrees. And I'm proud that we didn't make this a mega episode. It looks like we're pretty much on time.
Jake Bernstein: Pretty much.
Kip Boyle: So thanks everybody for sticking with us. And that does wrap up this episode of the Cyber Risk Management podcast. So today, what did we talk about? The Capital One data breach litigation and what we can learn about work product protection based on this recent court decision. We'll see you next time.
Jake Bernstein: See you next time.
Speaker 3: Thanks for joining us today on the Cyber Risk Management podcast. Remember that Cyber Risk Management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.