Capital One suffered a breach when credit card applications harvested from its server were posted on GitHub. Due to a misconfigured web application, the information was accessible to individuals who had intimate knowledge of the flaw and the ability to exploit the misconfiguration. The flaw, however, was so esoteric that it could only have been known to, or exploited by, someone with very specialized knowledge or extensive experience in the configuration of the server.
As it turns out, the breach was perpetrated by a former Amazon Web Services (A.W.S.) employee, identified as Paige Thompson, who, in the course of her job, recognized the flaw in the configuration of the web server software. Thompson allegedly exploited this flaw, downloaded approximately 30 GB of data from the Capital One site, and posted it on GitHub. The information is estimated to have affected over 100 MM individual credit card applications, which contained approximately 140,000 Social Security numbers. The F.B.I. arrested Thompson and charged her with the theft of the information.
The Office of the Comptroller of the Currency (O.C.C.) opened an investigation into the incident shortly after the arrest of Thompson, when news of the breach leaked to the press. The investigation effectively ended when the O.C.C. announced a consent order in which Capital One agreed to an $80 MM USD fine for the breach. The O.C.C. detailed its findings in a Cease and Desist Order (Order). Specifically, the O.C.C. found that the bank failed to establish an effective risk assessment process prior to using the A.W.S. cloud environment; that the bank’s internal audit failed to identify numerous control weaknesses; and that the weaknesses that were identified were either not reported to the Audit Committee of the Capital One Board of Directors, or were reported and the Board failed to take effective action. For this conduct, the O.C.C. found that the Bank was in violation of 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards.”
The breach, in this case, resulted from a configuration error that could only have been recognized and resolved through extensive experience or knowledge. So how did the O.C.C. find liability for an exploit that is so difficult to find and repair? The O.C.C. determined that the Board never instituted a proper assessment of the controls and safeguards for the data. Capital One never conducted a cyber-risk assessment of the cloud environment that housed the data; had it done so, it might have discovered and remedied the flaw that Thompson was able to exploit.
The Order imposes an action plan on the Capital One Board of Directors to develop and supervise a risk assessment process and to reassess the quality and content of reports distributed to the Board. The Order requires a plan to improve the bank’s risk assessment process, develop a cloud operations risk assessment, and enhance the audit and audit reporting processes to the Board. Finally, the Order imposes a page of prescriptive requirements on the Board, ranging from authorizing corrective actions and ensuring the Bank has sufficient processes in place, to ensuring the Board will hold the Bank’s management accountable for executing the plan with timely and appropriate reporting.
The case, the Consent Order, and the findings the O.C.C. incorporated in the Order summarize several issues that all banks and their boards should review and incorporate into their own processes and procedures. But the most important take-away is that any and all serious cybersecurity issues should be brought immediately to the attention of the board of directors. There are real consequences for a company’s failure to proactively avoid cybersecurity breaches, and boards cannot avoid the consequences of cybersecurity incidents by failing to address them.
Forensics Reports and Maintaining Privilege
After the exposure of the data, Capital One hired a forensics firm, Mandiant, to investigate the breach. Capital One already had an ongoing relationship with Mandiant, which performed periodic reviews and vulnerability assessments for the bank. Because of that relationship, Capital One decided Mandiant would be better equipped to deal with the data breach than another firm less familiar with the Capital One network, and engaged Mandiant to conduct the investigation, determine the root cause of the breach, and produce a report.
Capital One initially signed a Master Services Agreement (M.S.A.) with Mandiant in 2015. Under that M.S.A., Capital One signed a series of Statements of Work (S.O.W.s). The S.O.W.s, among other services, provided for cybersecurity response services in the event of a cyber breach. Mandiant thus had a preexisting obligation to provide incident response services.
In addition to the preexisting relationship, Capital One had regularly paid a retainer to Mandiant for its ongoing services. Because the retainer was already established, Mandiant initially deducted the cost of the cybersecurity investigation from it. When the retainer was depleted, Capital One paid for the investigation and report from an account denominated as “business-critical” services, part of its overall cyber budget.
When Capital One suffered the breach, it retained the law firm Debevoise & Plimpton L.L.P. as its cyber breach coach. Then, on “July 24, 2019, Capital One and Debevoise signed a Letter of Agreement with Mandiant under which Mandiant would provide services and advice, ‘as directed by counsel,’ in the areas of (1) computer security incident response; (2) digital forensics, log and malware analysis; and (3) incident remediation. These areas reflected the same scope of work Mandiant had already agreed to provide under the M.S.A. and S.O.W.s.” The engagement letter provided that all work by Mandiant under this engagement would be conducted under the direction of the law firm, and that deliverables would be provided directly to counsel rather than to Capital One.
In September 2019, Mandiant issued its report. The report was initially distributed only to the law firm, but the law firm then either distributed the report, or told Mandiant to distribute it, “to Capital One’s legal department, its Board of Directors, its financial regulators, its outside auditor, and dozens of Capital One employees.” It is unclear from the evidence, and Capital One’s opposition did not address, whether the report was distributed for business purposes or in anticipation of litigation.
Plaintiffs in the ensuing case sought to compel production of the report. Capital One argued that the report should be afforded attorney-client privilege under the work-product doctrine. Work-product protection applies when two requirements are met. First, the company must actually be faced with suit or be preparing for impending litigation, which the court held was the case here. Second, the “[r]eport would not have been prepared in substantially similar form but for the prospect of that litigation.”
In the end, the district court ruled that the report was discoverable and outlined a series of missteps that led it to find that the second requirement of the attorney work-product test was not met. First, the court cited the fact that Mandiant had a prior engagement with Capital One for substantially similar services. Second, Mandiant was paid out of “critical business” accounts rather than an account associated with the legal budget. Third, the court noted that the report was widely distributed without evidence of restriction. Finally, the court opined that Mandiant’s engagement with the law firm referenced the preexisting M.S.A. and S.O.W., and thus the report would not have differed substantially from a report produced under the previously signed engagements.
There are a number of lessons banks and boards can learn from the Capital One case. First and foremost, boards of directors must make cybersecurity and vulnerability issues part of their regular discussions. Risk assessment, vulnerability management, and mitigation need to be supervised from the highest echelons of an organization. Regulators will begin looking at the steps boards have taken to identify, manage, and reduce vulnerabilities.
Second, banks should limit the distribution of incident response reports to only those individuals necessary for the litigation. Banks should avoid sharing the report with other organizations or individuals, since oversharing a report may result in the inadvertent waiver of privilege. If distribution of the report is necessary, it should carry a confidentiality requirement and language limiting its use to litigation preparation. Finally, the cyber report should not be used for anything other than the preparation of anticipated litigation.
The Capital One case has provided a number of opportunities for reflection, change, and the application of lessons learned in today’s vulnerable cybersecurity environment.
Bob Kardell, Attorney, Baird Holm LLP
Halle Hayhurst, Law Student and Summer Associate, Baird Holm LLP