The IBA uses cookies to provide you with a better website experience. By continuing to use our site, you are agreeing to the use of cookies.
Manage cookies

Banks, internal investigations and work-product

Back to Banking Law Committee publications

Philip Berkowitz
Littler Mendelson, New York, US
pberkowitz@littler.com

 

Introduction

When faced with unexpected difficulties that may lead to litigation, banks often retain forensic consultants to investigate the matter. Often, a key reason for the investigation is to assist the banks counsel, whether internal or external, to plan for and defend anticipated litigation.

Plaintiffs’ counsel are increasingly setting their sights on discovering the fruits of internal investigations, in the hope that they can bolster their claims, either by demonstrating that the employer’s investigation was inadequate, or by using damaging evidence the investigation may have uncovered.

Consequently, United States counsel may seek to structure the consultant’s retention to take advantage of the attorney work-product doctrine. This doctrine may protect the confidentiality of a third partys report, as well as witness interview notes and related documentation, if they were prepared in anticipation of litigation by, or for, a party or its representative.1

Recent federal court decisions suggest the limits of the work-product doctrine, while providing lessons on how to avoid mandatory production of investigation materials in discovery.

In determining whether a document reflecting an investigation is protected by the work-product doctrine, courts consider whether it was prepared ‘because of the prospect of litigation when the preparer faces an actual claim or potential claim following an actual event or series of events that reasonably could result in litigation’.2 If a document has been used for both litigation and non-litigation purposes, a court must consider ‘the driving force behind the preparation of’ the document, and whether it would have been produced ‘in the ordinary course of business’.3 In the latter case, the document may not receive work product immunity.

However, the fact that the document may have been created for both litigation and non-litigation purposes does not preclude it from enjoying work-product protection. A court considering the issue will examine the circumstances of the document’s creation to determine whether indeed it was prepared in anticipation of litigation, or whether it would have been created in essentially the same form in the absence of litigation.4

Capital One consumer data security breach litigation

A recent federal court case, In re Capital One Consumer Data Security Breach Litigation5 (‘Capital One’), has caused alarm because of the court’s wholesale rejection of the work-product doctrine’s protection of investigative materials. However, companies can learn lessons from that case.

In Capital One, the trial court ordered the bank to provide a forensic companys report to the plaintiffs’ attorneys, rejecting the bank’s argument that it was prepared at the direction of external counsel in anticipation of potential litigation and therefore protected from discovery under the work-product doctrine.

The bank had an existing relationship with a cybersecurity company to support it in the event of a data breach or security incident. The bank had originally retained the firm in March 2015, and had a Scope of Work (SOW) agreement in place with them to provide incident response services, including computer security incident response support, digital forensics, log and malware analysis support; and incident remediation assistance.

In addition, the SOW required the cybersecurity company to provide a final report covering the issues, and if one were necessary, a written technical document outlining the results, along with recommendations for remediation. The bank paid the company for this work from a fund denominated as for ‘business critical’ expenses.

In March 2019, a major data breach occurred, resulting in an unauthorised person gaining access to consumers’ personal information. Consumers filed several class actions. The bank’s external counsel engaged the same cybersecurity company but entered into a new letter agreement with them. The new letter agreement essentially mirrored the services that the cybersecurity company would normally provide to the bank under the SOW. However, unlike the SOW, the agreement provided that all work was to be conducted at the direction of outside counsel to assist counsel in planning a defence to litigation that it anticipated might arise out of the data breach, and that any deliverables were to be produced directly to counsel.

The plaintiffs sought discovery of the forensic report. The bank argued that the work-product doctrine precluded discovery of the report. The court rejected the bank’s argument, and made several observations about why the work-product doctrine did not protect against disclosure of the report:

• While outside counsel entered into a new agreement with the cybersecurity company, the agreement duplicated the SOW already in place between the bank and the company in terms of the services that would be provided. Thus, the bank failed to demonstrate that the company would not have performed substantially similar services in the absence of litigation;

• There was no evidence indicating that counsel had any role in creating the report or that counsel influenced its preparation so as to assist it in defending possible litigation;

• The only difference in the cybersecurity company’s work post-breach was that it was carried out at the direction of counsel, but this did not alter the business purpose of the work;

• The bank had paid for the report from its existing retainer with the company, rather than budgeting it as a legal expense; and

• The bank’s counsel forwarded the cybersecurity company’s report to many individuals at the bank, with apparently limited, if any, consideration as to whether they had a role in formulating the legal strategy – counsel sent it to: approximately 50 employees; a ‘corporate governance office general email box’; the bank’s Board of Directors; four different regulators; and the bank’s accountants.

McGowan v JPMorgan Bank, NA

Another recent case is also instructive. In McGowan v JPMorgan Bank, NA,6 the plaintiff employee of the defendant bank claimed that she was a victim of unlawful discrimination in violation of New York laws. She first filed a complaint internally with the bank’s Human Resources Department, which commenced an internal investigation.

Thereafter, the employee’s attorney emailed the bank informing them that she represented the employee, and in response, the bank’s in-house counsel carried out what the employer claimed was a privileged investigation into her claims for the purpose of rendering legal advice and responding to her allegations.

The plaintiff sought discovery of the investigation files. The bank conceded that the first investigation was not privileged or protected by the work-product doctrine. In view of that concession, the plaintiff argued that the subsequent investigation could not be protected.

However, the court held that the character of the investigation changed once counsel were involved, from one that may not have been for the purpose of mounting a legal defence, to one that was in fact for that purpose. Thus, the court rejected the plaintiff’s application for discovery of the investigation files conducted by counsel.

The court also considered the important and often overlooked doctrine of ‘at issue’ waiver. Under that doctrine, if the defendant takes the position that the otherwise privileged investigation establishes its good faith regarding the legality of its actions, then it waives the privilege. The court rejected the plaintiff’s argument that the defendant’s mere denials and affirmative defences in its answer, to the effect that the defendant had acted in good faith, constituted a waiver. However, the court ordered the defendant ‘to state now whether it intends to offer evidence of the nature of the investigation as any part of the defense…’.

Key takeaways

The above cases demonstrate the following:

• When retaining third-party forensic investigators, the client should direct outside counsel to engage and coordinate the relationships;

• If counsel retains a consultant, allocate retainers and payments to the legal budget;

• Counsel should retain a company other than one the employer normally engages for routine forensic or, for example, cybersecurity assistance;

• The retention agreement between counsel and the vendor should:

– explicitly provide that the retention is necessary to help the law firm prepare for litigation and provide the employer with legal advice;

– identify the services that counsel expects the consultant to perform;

– state how the report will assist counsel in preparing for litigation and providing legal advice; and

– provide that the consultant will not provide a written report unless counsel specifically requests it.

• Counsel’s agreement with the vendor should not include unrelated work, such as remediation under pre-existing SOWs;

• If the employer decides, after consulting with counsel, to use the same vendor for both business/remediation and litigation-related services, it is critical to isolate the litigation-related services that the vendor provides and to describe them in a separate SOW that makes clear how the scope and purpose of the litigation-related work differ from remediation work or pre-existing SOWs;

• The employer should inform counsel of any ongoing or contemplated investigation into the particular incident, in the event counsel wishes to either coordinate the investigations or suspend any related, non-privileged investigation;

• The report should be utilised solely by counsel for litigation purposes;

• Again, prior to authorising a written report, counsel should understand what it will say, and whether the consultant needs to provide one;

• The employer and counsel should limit any report’s distribution to only those who need it for litigation-related purposes, such as in-house counsel, the board of directors, and possibly a small group of employees who need to understand the matter so they may assist counsel in the assessment of potential claims and defences;

• The employer should not provide the report to third parties or to the team responsible for incident response; and

• The employer and counsel should provide clear direction to recipients of the report that it is privileged, confidential, and that they should not disseminate it further.

 

Notes

1 Fed R Civ P 26(b)(3)(a).

2 National Union Fire Ins Co v Murray Sheet Metal Co 967 F2d 980, 984 (4th Cir 1992).

3 Ibid.

4 See, eg, United States v Adlman 134 F3d 1194 (2d Cir 1998).

5 2020 WL 3470261 (ED Va 25 June 2020).

6 2020 WL 1974109 (SDNY 24 April 2020).

 

Back to Banking Law Committee publications

Similar topics

International Bar Association 2024 © Privacy policy Terms & conditions Cookie policy Harassment policy

International Bar Association is incorporated as a Not-for-Profit Corporation under the laws of the State of New York in the United States of America and is registered with the Department of State of the State of New York with registration number 071114000655 - and the liability of its members is limited. Its registered address in New York is c/o Capitol Services Inc, 1218 Central Avenue, Suite 100, Albany, New York 12205.

The London office of International Bar Association is registered in England and Wales as a branch with registration number FC028342.