On May 26, 2020, a judge in the U.S. District Court for the Eastern District of Virginia ordered Capital One to release its incident report produced by cybersecurity firm Mandiant in the wake of Capital One’s March 2019 data breach that exposed the personal information of approximately 106 million people in the U.S. and Canada.
The court ruled that, because of a pre-breach business arrangement between Capital One and Mandiant, the incident report did not fall under the work product doctrine, which provides immunity to materials prepared in anticipation of litigation.