In re Capital One Consumer Data Sec. Breach Litig.

United States District Court for the Eastern District of Virginia, Alexandria Division

May 26, 2020, Decided

MDL No. 1:19md2915 (AJT/JFA)

Opinion

MEMORANDUM OPINION AND ORDER

This matter is before the court on plaintiffs' motion to compel production of Mandiant Report [*2]  and related materials. (Docket no. 412). Plaintiffs have filed a memorandum in support (Docket nos. 413, 416), Capital One has filed an opposition (Docket no. 435), and plaintiffs have filed a reply (Docket nos. 445, 447). The court heard argument on this motion on May 15, 2020. Having reviewed the pleadings filed by the parties and considered the arguments raised by counsel, and for the reasons stated below, the court finds that Capital One has not carried its burden of establishing that the Mandiant Report is entitled to protection under the work product doctrine.

Background

Capital One entered into a Master Services Agreement ("MSA") with FireEye, Inc., d/b/a Mandiant ("Mandiant") on November 30, 2015, and thereafter entered into periodic Statements of Work ("SOW") and purchase orders with Mandiant pursuant to the MSA. (Blevins Decl. ¶ 4, Docket no. 435-1). As stated by Jeffrey Blevins II, a senior manager of Capital One's Cyber Security Operations Center, "one purpose of the MSA and associated SOWs was to ensure that Capital One could quickly respond to a cybersecurity incident should one occur. As a financial institution that stores financial and other sensitive information, it [*3]  is critical that Capital One be positioned to immediately respond to any potential compromise of the security of its systems." (Id. at ¶ 5). The SOWs with Mandiant provided for incident response services in the event such services were necessary. (Id. at ¶ 6). Capital One paid Mandiant a retainer for the SOW that was executed with Mandiant on January 7, 2019, and it entitled Capital One to 285 hours of services from Mandiant. (Id. at ¶ 8). In February 2019 Capital One designated the retainer paid to Mandiant as a "Business Critical" expense and not a "Legal" expense. (Docket no. 416-3 at 13, Docket no. 435 at 18). The SOW between Capital One and Mandiant in 2019 provided that Mandiant would provide incident response services during the covered period in the following areas: computer security incident response support; digital forensics, log, and malware analysis support; and incident remediation assistance and that Mandiant would provide a detailed final report covering the engagement activities, results and recommendations for remediation in a written detailed technical document. (Docket no. 416-2 at 3-4).

As described in detail in the Corrected Representative Consumer Class Action [*4]  Complaint (Docket no. 354), in March 2019 a data breach occurred whereby an unauthorized person gained access to certain types of personal information relating to Capital One customers. In its opposition, Capital One states that on July 19, 2019, it confirmed that a data breach had occurred. (Docket no. 435 at 6). On July 20, 2019, Capital One retained Debevoise & Plimpton ("Debevoise") to provide legal advice in connection with the data breach incident. (Cantwell Decl. ¶ 3, Docket no. 435-2). On July 24, 2019, Debevoise and Capital One signed a Letter Agreement with Mandiant whereby Mandiant agreed to provide services and advice concerning "computer security incident response; digital forensics, log, and malware analysis; and incident remediation." (Docket no. 435-2 at 6-8).1 The Letter Agreement provides that the payment terms were to be the same as those set out in the SOW dated January 7, 2019, between Capital One and Mandiant and the parties would abide by the applicable terms in the SOW and MSA between Capital One and Mandiant dated November 30, 2015. (Id.). While the Letter Agreement provides for the same services to be performed by Mandiant under the same terms as the SOW and [*5]  MSA, the Letter Agreement provides that the work would be done at the direction of counsel and the deliverables would be provided to counsel instead of Capital One. (Id.). On July 26, 2019, an addendum to the Letter Agreement was prepared whereby the engagement of services would also include penetration testing of systems and endpoints. (Id. at 10).

2020 U.S. Dist. LEXIS 91736 *; 2020 WL 2731238

IN RE: CAPITAL ONE CONSUMER DATA SECURITY BREACH LITIGATION. This Document Relates to the Consumer Cases

Subsequent History: Affirmed by, Objection overruled by In re Capital One Consumer Data Sec. Breach Litig., 2020 U.S. Dist. LEXIS 112177, 2020 WL 3470261 (E.D. Va., June 25, 2020)

Prior History: In re Capital One Customer Data Sec. Breach Litig., 396 F. Supp. 3d 1364, 2019 U.S. Dist. LEXIS 174034 (J.P.M.L., Oct. 2, 2019)

CORE TERMS

outside counsel, work product, substantially similar, retainer, hired, investigations, announcement, remediation, purposes, internal investigation, work product doctrine, related material, anticipation, documents, parties, reasons, terms, team