A court has ruled that Capital One must allow plaintiffs to review a cybersecurity firm’s forensic report related to the bank’s 2019 data breach despite the bank’s protests that it is a protected legal document.
A judge in the U.S. District Court for the Eastern District of Virginia ruled Tuesday that attorneys suing Capital One on behalf of customers could review a copy of an incident response report to prepare for a possible trial. The Virginia-based bank had sought to keep the report private on the grounds that it was protected under legal doctrine. Yet U.S. Magistrate Judge John Anderson said the report, prepared by Mandiant, was the result of a business agreement, and that the legal doctrine argument was “unpersuasive.”
It’s a significant ruling that effectively affords the attorneys suing Capital One with a breakdown of which bank behaviors were successful, and which failed. It’s common for Fortune 500 companies to keep incident response firms like Mandiant on retainer, though it’s rare for those firms’ insights on high profile breaches to be made public. Similar rulings in the future could provide aggrieved customers with ammunition to seek higher pay-outs in court.
Capital One engaged Mandiant in a contract in 2015, with periodic updates in the years since, meant to ensure that the bank could quickly respond to a security incident should one occur, according to court documents. By 2019, the two companies had agreed that Mandiant would provide “computer security incident response support; digital forensics, log, and malware analysis support; and incident remediation assistance.”
The report is expected to detail “engagement activities, results and recommendations for remediation” stemming from the breach announced in July 2019. The bank said at the time that data about 100 million Americans and some 6 million Canadians was compromised by a single person.
The alleged hacker, Paige Thompson, is a former Amazon Web Services employee accused of exploiting a misconfigured firewall to access customers’ personal information. Thompson has pleaded not guilty and is awaiting trial.
In the year since the breach, Capital One has hired Chris Betz as its chief information security officer, poaching him from CenturyLink, and hired Andy Ozment, former CISO at Goldman Sachs, as its head of technology risk.
A judicial panel last year agreed to combine more than 60 class action suits filed in connection with the breach into a consolidated case.
Read the most recent ruling in full below.