A judge in the U.S. District Court of the Eastern District of Virginia has ruled that Capital One must allow plaintiffs to review a cybersecurity firm’s forensic report related to the bank’s 2019 data breach. Capital One sought to keep the report private on the grounds that it is a protected legal document.

According to a Cyberscoop report, attorneys suing Capital One on behalf of customers could review a copy of an incident response report to prepare for a possible trial. U.S. Magistrate Judge John Anderson said the report, prepared by Mandiant, was the result of a business agreement, and that the legal doctrine argument was “unpersuasive,” notes Cyberscoop.

"It’s a significant ruling that effectively affords the attorneys suing Capital One with a breakdown of which bank behaviors were successful, and which failed. It’s common for Fortune 500 companies to keep incident response firms like Mandiant on retainer, though it’s rare for those firms’ insights on high profile breaches to be made public. Similar rulings in the future could provide aggrieved customers with ammunition to seek higher pay-outs in court," says the report. 

According to the report, Capital One has hired Chris Betz as its chief information security officer (CISO) and hired Andy Ozment, former CISO at Goldman Sachs, as its head of technology risk.