District court requires bank to produce consultant’s data breach report
On May 26, a magistrate judge of the U.S. District Court for the Eastern District of Virginia ordered a national bank to produce to plaintiffs in litigation a forensic analysis performed by a cybersecurity consulting firm regarding the bank’s 2019 data breach, concluding the report was not entitled to work product protection. As previously covered by InfoBytes, in July 2019, the national bank announced that an unauthorized individual had obtained personal information of credit card customers and people who had applied for credit card products. According to the order, after the data breach, the bank’s outside counsel directed a cybersecurity company, which had been engaging in periodic work with the bank since 2015, to prepare a report “‘detailing the technical factors that allowed the criminal hacker to penetrate [the bank]’s security.’” Plaintiffs, in a class action against the bank for the data breach, sought to obtain the report in discovery, but the bank opposed the production, arguing that the report was protected work product created under an agreement with outside counsel in anticipation of litigation.
The court rejected the bank’s argument, concluding that the bank did not show the consultant’s scope of work under the outside counsel agreement “was any different than the scope of work for incident response services,” and that the bank had not shown the firm would not have performed the services “without the prospect of litigation.” Moreover, the court noted, “[t]he retention of outside counsel does not, by itself, turn a document into work product.” The court compelled production, holding that the report was not entitled to protection under the work product doctrine.