On May 26, the Federal District Court for the Eastern District of Virginia ordered Capital One to produce its cybersecurity incident response report, rejecting the contention that the report was privileged. Capital One had contended that the report was prepared in anticipation of litigation following discovery of its March 2019 data breach, and therefore protected by the work product doctrine. The court concluded that the report had business and regulatory compliance purposes, and that Capital One failed to produce sufficient evidence showing that it would not have been produced in a “substantially similar form” in the absence of anticipated litigation.
