As we previously reported, the Magistrate Judge in In re: Capital One Customer Data Security Breach Litigation found that a forensic report that Capital One had claimed was protected by the privilege and work product doctrines needed to be produced because Capital One had not met its burden under the dual-purpose doctrine to show that the report was protected. In re: Capital One Customer Data Sec. Breach Litig. (“Magistrate’s Order”). The forensic report at issue (the “Report”) related to a 2019 data breach where a hacker purportedly accessed and stole highly sensitive customer information from Capital One’s online cloud environment (the “Breach”). Capital One hired outside counsel to investigate the Breach and to help the company prepare for anticipated litigation and regulatory inquiries. To assist counsel’s investigation, outside counsel engaged a cybersecurity consultant (“Consultant”). As developed in the Magistrate’s Order, Capital One had used this same Consultant prior to the Breach in the normal course of its business.

As part of its investigation, outside counsel entered into a new Letter Agreement with Consultant, but this agreement’s scope mirrored the agreement that Consultant already had in place with Capital One. In September 2019, Consultant issued its Report. In discovery, Plaintiffs moved to compel production of the Report. While reciting a number of other relevant facts, the Magistrate’s Order appeared to rely heavily on the fact that Capital One had used the same forensic consultant that it used for ordinary-course-of-business work in reaching its conclusion that the Report was discoverable. Against this backdrop, the Magistrate Judge concluded that Capital One had not presented sufficient evidence to show that the Report would not have been prepared in substantially similar form and with similar content in the absence of litigation. Accordingly, production of the Report was ordered.

On June 9, 2020, Capital One filed objections to the Magistrate’s Order, and asked the Court to set it aside. As explained in the District Court’s opinion affirming the Magistrate’s Order that the Report was not entitled to work product protection, Capital One objected on the grounds that the Magistrate Judge erred by: 1) considering whether the Report would have been created in essentially the same form absent litigation; 2) relying “too heavily on the ‘pre-existing SOW with [Consultant]’ to conclude that [Consultant] would have performed essentially the same services as ‘described in the Letter Agreement’ with [outside counsel]”; and 3) relying on the fact that Capital One used the Report for certain regulatory and business-related purposes after it was created. In re: Capital One Customer Data Sec. Breach Litig. (“Opinion”).

While the Court did not find any fault with the Magistrate’s fact-finding or ultimate conclusions in its June 25, 2020 Opinion affirming production of the Report, the District Court made express that it was a combination of multiple factors that led to the Court’s conclusion:

  • Consultant provided the same services during the privileged investigation that it provided in the ordinary course. Opinion 9.
  • The only significant differences between the Letter Agreement and the pre-existing SOW were that, under the Letter Agreement, the work Consultant performed was at the direction of outside counsel and that the Report was to be initially delivered to outside counsel. Id. at 10. The scope of the agreements was otherwise the same.
  • The Letter Agreement between outside counsel and Consultant provided that Consultant would be paid based on the same payment terms set out in the pre-existing SOW between Capital One and Consultant. Id. at 2. Consultant was paid for its work investigating the Breach from a retainer that it already received from Capital One in the ordinary course of business until those funds were exhausted, and then paid by Capital One from Capital One’s Cyber Budget before those payments were re-designated as legal expenses. Id. at 3.
  • Consultant initially delivered the Report to outside counsel, who then distributed the report, or directed it to be distributed, to “Capital One’s legal department, its Board of Directors, its financial regulators, its outside auditor, and dozens of Capital One employees.” Id. The District Court explained that the extent to which the Report was distributed was “appropriately probative of the purposes for which the work product was initially produced” and that consideration of the Report’s disclosure “underscore[d] Capital One’s business needs.” Id. at 12-13. In other words, the wide distribution of the Report reflected the Report’s business – not litigation – purposes.

The District Court Judge found that these facts, when taken collectively, showed that the Report was not protected work product. Opinion 9, 13-14. Notably missing from the District Court Judge’s Opinion is an analysis of outside counsel’s specific involvement (presumably because there was little involvement in incident response by outside counsel to rely on). See Opinion 10 fn.5 (“More to the point is that there is nothing in the record in this case that would reasonably suggest that this internal report reflects what [Consultant] would have produced absent [outside counsel’s] involvement.”).

Thus, the Court made clear that Capital One does not stand for the proposition that an organization can never use the same consultants that do ordinary course work to conduct a privileged analysis, as some commentators have suggested. See, e.g., Capital One Objects to Magistrate Judge’s Ruling Its Forensic Report Discoverable: Here are the Practical Takeaways, The National Law Review, June 12, 2020 (“Ensure that your outside counsel retains a cybersecurity vendor with which you have no preexisting relationship.”). Rather, the Opinion reinforces the general principle that “[d]ual purpose documents are deemed prepared because of litigation if in light of the nature of the document and the factual situation in the particular case, the document can be fairly said to have been prepared or obtained because of the prospect of litigation.” In re Bard IVC Filters Prods. Liability at *4 (citing United States v. Richey) (emphasis added); see also In re Premera Blue Cross Customer Data Sec. Litig. In other words, “courts must consider the totality of the circumstances and determine whether the document was created because of anticipated litigation, and would not have been created in substantially similar form but for the prospect of litigation.” In re Bard at *4.

Significantly, the District Court Judge also analogized Capital One’s actions in response to the Breach to those taken by the defendant in In re Premera Blue Cross Customer Data Sec. Litig. (“Premera”). Opinion 11-12. In Premera, a cybersecurity consultant was conducting an ordinary-course-of-business investigation of Premera’s systems under a business-purpose Master Services Agreement (“MSA”) when it discovered the data breach. Opinion 11. After discovering the data breach, Premera entered into an amended statement of work with the consultant, which cosmetically shifted supervision of the work to outside counsel but did not otherwise change the scope of the consultant’s work from what it was doing under the MSA prior to discovery of the breach. Premera, 296 F. Supp. 3d at 1245. The court in Premera concluded that change in supervision of the investigation, without a change in the scope of work, was insufficient to render the consultant’s communications and underlying documents privileged or protected work product. Id.; see also, U.S. v. ISS Marine Serv., Inc. (“Unfortunately for the respondent, this sort of ‘consultation lite’ does not qualify the Audit Report for the protections of the attorney-client privilege. … This sort of arms-length coaching by counsel, as opposed to direct involvement of an attorney, undercuts the purposes of the attorney-client privilege in the context of an internal investigation.”). Likewise, here the District Court Judge found that “Capital One failed to establish” that “the report [Consultant] would have created for Capital One pursuant to its pre-data breach SOW would not have been substantially the same in substance or scope as the report [Consultant] prepared for [outside counsel].” Opinion 11.

The District Court’s Opinion in Capital One does not depart from established dual-purpose doctrine case law. Rather, it highlights that the test for determining whether or not the document at issue would have been created in essentially the same form in the absence of litigation should be (and remains) based on a consideration of the totality of the evidence. Following the reasoning in this Opinion that considers the totality of the evidence, one could argue that the more involved counsel is in incident response, the stronger a claim for work product protection will be.

Nolan Goldberg

Nolan M. Goldberg is a partner in the Litigation Department, co-head of the Data Privacy and Cybersecurity Litigation Group, and a member of the Patent Law Group. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range of types of disputes, including cybersecurity, intellectual property, and commercial.  Nolan’s understanding of technology allows him to develop defenses and strategies that might otherwise be overlooked or less effective and enhances the “story telling” that is critical to bringing a dispute to a successful conclusion.

Nolan is a registered patent attorney before the U.S. Patent & Trademark Office; and an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional, United States (US CIPP) and Certified Information Privacy Technologist (US CIPT).


Nolan’s electrical engineering background, coupled with a litigation and risk management-centric focus, allows him to assist companies in all phases of incident response. Nolan often acts as a bridge between the technical and legal response teams (both inside and outside forensic consultants). Nolan uses this deep familiarity with the company and its systems to defend the company in litigations, arbitrations and regulatory investigations, including before the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and various State Attorneys General, including Multi-State investigations.

Nolan has worked on incidents that range from simple phishing attacks on e-mail accounts by cyber-criminals to intrusions by (formerly) trusted inside employees to complex technical breaches of hosted systems by state-sponsored advanced persistent threats (APTs). These incidents have involved both client systems, and systems of a vendor of a client that hosted its data.

It is often the case (both in response to an incident and for other reasons) that a company will want to undertake an assessment of its security posture, but has concerns about the discoverability of any such analysis. Accordingly, Nolan also frequently assists companies in scoping and conducting privileged security assessments, including “dual purpose” assessments where privileged analyses are also used for ordinary-course purposes.

Commercial Disputes

Nolan also assists companies with commercial disputes, particularly in cases where there is a technology component, including disputes arising from hosted software agreements; outsourcing and managed services agreements; software and technology development agreements and the dissolution of joint ventures.  When these disputes cannot be amicably resolved, Nolan has litigated them in State and Federal Court and in arbitrations, including international arbitrations.

Intellectual Property

Nolan’s work has included numerous patent and trade secret litigations and negotiations, primarily in cases involving computer and network-related technologies. In particular, the litigations have involved at least the following technologies: hosted software; telecommunications; computer networking; network and computer-related security hardware and software; microprocessors; voice-over Internet protocol (“VoIP”); bar code scanners; financial business methods and software, including securities settlement, fail management and trade execution and reporting software; data compression; handheld computers; pharmaceuticals; cardiac electro-stimulatory devices and prosthetics.

Nolan also has experience prosecuting patent applications before the U.S. Patent and Trademark Office in encryption, CMOS, HDTV, virtual private networks (“VPN”), e-commerce, XML/XSL, financial instruments, semiconductor electronics, medical device technology, inventory control and analysis, cellular communications, Check 21 and business methods. Nolan also has conducted numerous freedom-to-operate searches, written opinions, and counseled clients in the areas of bar code scanners, imaging, book publishing, computer networking, business methods, Power Over Ethernet (“PoE”), and digital content distribution.

He has assisted in evaluating patents for inclusion in patent pools involving large consumer electronics and entertainment companies concerning CD and DVD technology.

Computer Forensics and Electronic Discovery

Nolan is often called upon to develop e-discovery strategies to be used in all types of litigations, with a particular focus on selecting appropriate tools, developing proportionate discovery plans, cross border electronic discovery, managing the overall burden and cost of the electronic discovery process, and obtaining often overlooked electronic evidence, including computer forensics. He also assists clients to develop and implement information management programs to reduce expense and risk, meet compliance obligations, and tame e-discovery burdens.

Thought Leadership

Nolan has authored numerous articles and given numerous presentations on emerging issues and trends in both technology and law, and has often been called upon to comment in various media outlets including Business Week, IPlaw360, IT Business Edge, Forbes, and The National Law Journal.

Prior to practicing law, Nolan was a computer specialist at Underwriters Laboratories (UL).