# When Your Breach Report Becomes Evidence: The Capital One Forensic-Privilege Ruling
*After a breach, you hire a forensic firm to find out what happened. Then plaintiffs demand the report — and a court orders you to hand it over. The Capital One ruling is the reason incident-response engagements now get structured so carefully.*
One of the most consequential post-breach rulings for contractors isn't about cybersecurity standards at all — it's about discovery. In the Capital One litigation, a federal court ordered the company to produce its outside forensic firm's incident report to the plaintiffs, rejecting the claim that the report was protected attorney work product.
## What the Case Was About
After Capital One's 2019 breach (over 100 million customers), the company's outside counsel directed cybersecurity firm Mandiant to investigate and produce a report. When consumer plaintiffs sought that report in discovery, Capital One refused, asserting the work-product doctrine — which protects materials prepared "in anticipation of litigation."
## What the Court Held
The magistrate judge ordered the report produced, and the district judge affirmed. The decisive facts:
- Capital One had a pre-existing master services agreement with Mandiant for incident-response work; the relationship and retainer predated any litigation.
- The report was distributed widely for business and regulatory purposes (to dozens of internal personnel, its accountants, and regulators), not solely for legal advice.
- The court concluded the investigation would have been done regardless of litigation, so the report was not prepared "because of" the prospect of litigation in the way the doctrine requires.

Routing the engagement through outside counsel was not enough, by itself, to cloak an otherwise ordinary-course business investigation in privilege.
## Why It Matters for Contractors
- Privilege is structured, not assumed. Whether a forensic report is protected depends on how the engagement is set up — who retains the firm, under what statement of work, for what stated purpose, and who receives the output.
- A separate, litigation-purpose SOW matters. Many organizations now use a distinct, counsel-directed engagement (separate from their operational IR retainer) for the litigation-focused analysis, precisely to preserve a privilege argument.
- Assume your IR report may be discoverable. Write incident-response findings as though a court, a regulator, and a plaintiff may read them — because they might.
## Key Takeaways
- In Capital One, the court ordered the Mandiant forensic report produced to plaintiffs — it was not protected work product.
- The problem was structural: a pre-existing IR retainer plus business/regulatory distribution showed the report would have been created regardless of litigation.
- Contractors should design forensic engagements with privilege in mind and assume IR reports can become evidence.
*Source: In re Capital One Consumer Data Security Breach Litigation, 2020 WL 2731238 (E.D. Va. May 26, 2020), aff'd, 2020 WL 3470261 (E.D. Va. June 25, 2020)*