When a judge ruled last month that Capital One must provide outsiders with a third-party incident response report detailing the circumstances around the bank’s massive data breach, the cybersecurity world took notice.
The surprise decision, in effect, determined that Capital One would need to provide the forensic details — warts and all — about the hack to attorneys representing a group of customers suing the bank. It’s the kind of report that, if made public, could highlight technical and procedural failures that made it possible for a single suspect to allegedly collect gigabytes of data about 100 million people from a bank with $28 billion in revenue.
Typically, hacked organizations are able to keep incident response reports private and avoid costly suits by shielding the details under attorney-client privilege. Not under this decision.
U.S. Magistrate Judge John Anderson of the Eastern District of Virginia ruled that Capital One must provide a Mandiant report that’s likely to include “engagement activities, results and recommendations for remediation” in connection to the breach announced in July 2019. Capital One had argued that the report should remain protected under legal doctrine.
Attorneys and legal experts who reviewed the May 26 ruling agreed it’s the kind of change that would shift the normally placid world of corporate cybersecurity law. In particular, the big companies that hire outside security firms will need to be more careful in how they set up those business relationships.
“This type of directive from the judge could strike fear in the hearts of every company that’s ever hired a vendor to understand and improve their cyber posture,” said Norma Krayem, vice president and chair of the cybersecurity, privacy and innovation practice at Van Scoyoc Associates.
In fact, the judge ruled, the language in the incident response contract between Capital One and Mandiant was nearly identical to the contract guiding the standard cybersecurity services that Mandiant provided dating back to 2015. The bank’s argument that the incident response investigation was outside the bounds of its typical business arrangement was “unpersuasive,” the judge wrote. Mandiant is an incident response unit of the security firm FireEye.
Capital One shared the forensic report with 51 employees, multiple regulators and Ernst & Young, its auditor, following the breach, partially undercutting the bank’s argument that the details were legally protected.
The judge’s ruling essentially functions as a reprimand of the way many incident response firms now interact with their clients, according to Edward McNicholas, co-leader of the privacy and cybersecurity practice at Ropes & Gray. If a security company consistently is selling a client other services while working on retainer, and the differences aren’t clear in contractual language, McNicholas said, there is a risk of losing legal protection in the event of a data breach.
“This is a fascinating decision in part because it pokes at the business model in that it tees off on the idea that they had a pre-existing statement of work,” he said. “This judge just said, ‘This business relationship has grown far beyond what we normally see in this context.’”
Capital One did not respond to a request for comment. The bank has asked a federal court to overturn the magistrate judge’s decision, arguing it is “unworkable.”
The filing comes after a judicial panel last year agreed to combine more than 60 class action suits filed in connection with the breach into a consolidated case. Breaches at other financial firms, including Equifax, have resulted in millions of dollars in payouts in recent years.
The bank announced in July 2019 that the alleged hacker, a former Amazon Web Services employee, exploited a misconfigured firewall to obtain data about 100 million Americans and roughly 6 million Canadian customers. The suspect, Paige Thompson, has pleaded not guilty and is awaiting trial.
The decision is available in full below.
Update, June 12, 7:09AM ET: This story has been updated to reflect that Capital One has asked a federal court to overturn the magistrate decision.