Pub. 15 2020-2021 Issue 4

COUNSELOR’S CORNER

In September 2019, Mandiant issued their report. The report was initially distributed just to the law firm, but the law firm then either distributed or told Mandiant to distribute the report “to Capital One’s legal department, its Board of Directors, its financial regulators, its outside auditor, and dozens of Capital One employees.” It is unclear from the evidence, and was omitted from Capital One’s opposition, whether the report was distributed for business purposes or in anticipation of litigation.

Plaintiffs in the ensuing case sought to compel the production of the report. Capital One argued that the report should be afforded attorney-client privilege under the work-product doctrine. Work-product privilege applies when two requirements are met. First, the company is actually faced with suit or is preparing for impending litigation, which the court held was the case here. Second, the work-product privilege requires that the “[r]eport would not have been prepared in substantially similar form but for the prospect of that litigation.”

In the end, the district court ruled that the report was discoverable and outlined a series of missteps, which led the court to find that the second requirement of the attorney work-product doctrine test was not met. First, the court cited the fact that Mandiant had a prior engagement with Capital One for substantially similar services. Mandiant was paid out of “critical business” accounts as opposed to an account associated with their legal budget.
The court also noted that the report was widely distributed without evidence of restriction. Finally, the court opined that Mandiant’s engagement with the law firm referenced the preexisting M.S.A. and S.O.W. and thus, the report would not have differed substantially from a report produced pursuant to their previously signed engagements.

Lessons Learned

There are a number of lessons banks and boards can learn from the Capital One case. First and foremost, boards of directors must make cybersecurity and vulnerability issues part of their regular discussions. The management of the risk assessments and vulnerability management and mitigation need to be supervised from the highest echelons of an organization. Regulators will begin looking at the steps boards have taken to identify, manage and reduce vulnerabilities.

Secondly, banks should limit the distribution of incident response reports to only those individuals necessary for litigation. Banks should avoid sharing the report with other organizations or individuals. The oversharing of a report may result in the inadvertent waiver of privilege. If the distribution of the report is necessary, it should include a confidentiality requirement and language limiting the use to litigation preparation.

Finally, the cyber report should not be used for anything other than the preparation of anticipated litigation.

The Capital One case has provided a number of opportunities for reflection, change, and application of lessons learned in the vulnerable cybersecurity environment.

Bob Kardell, Attorney, Baird Holm LLP
Halle Hayhurst, Law Student and Summer Associate, Baird Holm LLP
