Judge Rejects Privilege Claim, Orders Cap One To Turn Data Security Report Over To Plaintiff’s Attorneys

A Judge from the U.S. District Court for the Eastern District of Virginia has ruled that Capital One must provide a copy of a report prepared by cyberforensics provider Mandiant to attorneys suing Cap One on behalf of customers impacted by a 2018 data breach. About 100 million US citizens and 6 million Candian citizens were impacted through the compromise of personally identifiable information gathered in relation to credit card applications. The PI included names, addresses, dates of birth, self-reported incomes, and some credit scores and transaction data. Cap One had contracted with Mandiant in 2015 to provide security incident support “in the event such services were necessary,” according to court documents. After the breach, as Mandiant analyzed the problem and advised the company, class actions were filed in various jurisdictions. Eventually more than 60 cases were consolidated and attorneys requested access to Mandiant’s findings. Capital One argued that the work was protected as a legal document. The court did not agree, and gave Cap One 11 days to turn over the findings.