UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF FLORIDA
Master File No. 22-20955-Civ-GAYLES/TORRES
In re LAKEVIEW LOAN SERVICING DATA BREACH LITIGATION
ORDER ON MOTION FOR RECONSIDERATION OF ORDER ON PRODUCTION OF INVESTIGATIVE REPORTS
The parties have briefed and presented argument with respect to a continuing discovery issue surrounding Plaintiffs’ efforts to compel production of investigative reports prepared by cybersecurity firms Mandiant and Protiviti over Defendants’ objections. Defendants contend that they are protected from disclosure because they were prepared in anticipation of litigation and adverse regulatory proceedings after an unauthorized access to certain devices in Bayview’s network (the “breach”). The Court agreed in its Order denying production entered June 12, 2024. [D.E. 211]. Plaintiffs now contend that the work product protection recognized by the Court was actually waived because these documents themselves were disclosed to mortgage industry regulators following the breach. Plaintiffs argue that the Court’s original Order on this matter overlooked that issue, thus warranting reconsideration. And they renew their efforts to gain production of the documents. [D.E. 218]. Upon initial review of the briefing on this issue, the matter was addressed again at a discovery hearing conducted December 19, 2024. After considering the
parties’ arguments, the Court requested supplemental briefing on the legal issues raise by the motion and, specifically, additional caselaw that might prove relevant to the analysis. The parties complied with that request and filed their well- prepared supplemental memoranda. [D.E. 257, 264]. After considering the parties’ supplemental briefing on this matter as well
as argument of counsel and the record presented, the Court finds that reconsideration is warranted because Plaintiffs’ position is sound. Defendants are compelled to produce the two investigative reports at issue because the Court prematurely deemed them work product. It turns out that they are not under a correct application of the dual purpose test that we are revisiting in this Order.
And, though any work product protection may have also been waived to boot, we do not reach that waiver question for the reasons explained below. I. BACKGROUND In October 2019, Mandiant and Bayview Asset Management, LLC (“Bayview”) entered into a Master Services Agreement (“MSA”) and executed a
Statement of Work (“SOW”) that secured Mandiant’s services in the event of a data incident, which would be defined at the time of engagement. To be ready to quickly provide services in the event of a data incident, Mandiant gathered information about Defendants’ systems, security tooling, logging, and other relevant matters. On December 2, 2019, a different security company, Protiviti, was engaged by Bayview through its counsel, BakerHostetler, to provide various services, two of
which were related to data privacy or information security but unrelated to the breach. Prior to BakerHostetler engaging Protiviti, Protiviti had not entered into any SOW with Defendants to provide similar work. In June 2021, Mandiant and Bayview executed a renewal SOW for Mandiant to continue to be at the ready so that Bayview could respond quickly in the event of
a data incident. Mandiant was purportedly not actively performing any work at the time the breach was discovered. But when the breach was discovered on December 7, 2021, the only work Mandiant had performed for Bayview was the report providing an assessment of Bayview’s ability to support requests that may be made by Mandiant during an incident response engagement. Otherwise, Mandiant was
simply at the ready to quickly respond if a data incident occurred. And, four days after the breach was discovered, Bayview’s counsel BakerHostetler engaged Mandiant to perform the forensic investigation related to the breach. After that investigation was completed, an internal report was prepared for counsel’s review. That report has not been produced in the litigation.
Nevertheless, Plaintiffs moved to compel production of the internal reports created by Mandiant and Protivity. Plaintiffs argue that these reports were created within the ordinary course of Bayview’s business and, therefore, are not protected work-product. In their motion for reconsideration, Plaintiffs further support that take by emphasizing the pre-existing business relationship between the investigative consultants and Bayview long before counsel was retained after the breach. And during that relationship, the consultants provided various security
reports on matters purportedly related to the security issues involved in the breach. So Plaintiffs claim that this ongoing relationship evidences a business purpose behind the post-breach reports as opposed to any work product protected analysis for counsel. The Court’s earlier Order, however, rejected these arguments based on the
dual purpose nature of the investigative reports. And the Court understood that there was a pre-existing relationship between the consultants and Bayview (a fact that Plaintiffs’ supplemental filings focus on). So nothing in the motion for reconsideration changes the outcome with respect to that finding. Though the Court may be wrong on that score and reasonable minds may disagree, the Court
stands by its original position for the reasons laid out in the June Order, at least based on the information then known to the Court. But the Court did not fully appreciate, however, what the second part of the motion for reconsideration is focused on. There Plaintiffs argue that, even if work product initially immunized these reports from discovery, that work product
protection was lost following Bayview’s communications and disclosures to its regulator. On this score there is agreement by the parties that the Multistate Mortgage Committee (“MMC”) is a multistate regulatory agency enlisted to protect consumers in the mortgage business, to identify and prevent mortgage fraud, and to generally help regulate the mortgage industry. As it itself describes its role, the MMC is “a representative body of state mortgage regulators appointed by the Conference of State Bank Supervisors (CSBS) and American Association of
Residential Mortgage Regulators (AARMR) to represent the examination interests of the combined states under the Nationwide Cooperative Protocol and Agreement for Mortgage Supervision. The MMC’s primary focus is on nationwide mortgage lenders and servicers operating in 10 or more states.”1 As part of that responsibility, the MMC wears many hats. At the front end
of things, MMC conducts regular audits and compliance review of member Banks that are licensed by and registered in the participating States. These regular examinations are designed to review “multi-state banks for safety and soundness and compliance with applicable laws, including coordination with the host state supervisors, the appropriate federal bank regulatory agency and bank
management. . . . Also, the home state supervisor shall consult with the host state and should use host state examiners to examine for compliance with host state laws regarding community reinvestment, consumer protection and fair lending, in those states that have enacted such laws.”2 The same regulatory body, however, can also conduct specific investigations
under the enforcement mechanisms that participating States have adopted.
1 See MMC’s 2019 Mortgage Examination Manual at 9 (available at https://www.csbs.org/sites/default/files/external-link- files/MMC%20Mortgage%20Exami nation%20Manual%20v2%20- %20May%202019.pdf). 2 See Nationwide Cooperative Agreement for Mortgage Supervision § 4.1 (Dec. 9, 1997) (available at https://www.csbs.org/sites/default/files/2017-11/ nationwide_coop_agrmnt.pdf). Specifically the “home state supervisor shall be primarily responsible for initiating enforcement actions against a multi-state bank. . . . Enforcement actions to address
violations of host state laws where possible shall be taken jointly by home state and host state supervisors.”3 One such enforcement action arose here after the Breach took place involving Bayview and its affiliated entities. As the MMC described its investigation in a consent decree agreed upon with Bayview:
[O]n becoming aware of and due to the Incident, on or about April 1, 2022, the State Mortgage Regulators, as coordinated by the MMC, commenced a multi-state targeted cybersecurity examination . . . of Respondents covering the period of January 1, 2020 through September 30, 2022, in order to determine Respondents’ compliance with applicable State and Federal laws and regulations and assess the effectiveness of Respondents’ information technology (“IT”) and cybersecurity program. . . . The Multi-State Cybersecurity Examination was conducted by the State Mortgage Regulators from the states of California, Florida, Maryland, and Washington. The Multi-State Cybersecurity Examination of Respondents was conducted pursuant to their respective statutory authorities, and in accordance with the protocols established by the CSBS/AARMR Nationwide Cooperative Protocol for Mortgage Supervision as well as the Nationwide Cooperative Agreement for Mortgage Supervision. . . . The Report of Examination was issued by the MMC to Respondents on May 4, 2023, and identified alleged compliance violations of State and Federal law related to Respondents’ IT and Cybersecurity Program. . . . Consent Order Re Bayview Asset Management, LLC and affiliates (Dec. 31, 2024) (available at https://www.mass.gov/consent-order/bayview-asset-management-llc- and-affiliates-consent-order) (“Consent Order”).
3 See Nationwide Cooperative Agreement for Mortgage Supervision § 5.1 (Dec. 9, 1997) (available at https://www.csbs.org/sites/default/files/2017-11/ nationwide_coop_agrmnt.pdf). As memorialized in this Consent Order, which resulted in a final administrative penalty assessed against Bayview in the amount of $19,629,400 plus costs, the results of that examination showed that Bayview had “deficient IT and
cybersecurity practices, which allegedly constitute violations of certain federal and state-specific compliance laws and regulations . . . [including] insufficient IT patch management, insufficient centralized IT vulnerability remediation monitoring and enterprise reporting, insufficient IT inventory tracking, and failure to appropriately encrypt certain personally identifiable information when that data was at rest.” Ibid. To resolve these allegations, Bayview agreed to the penalty in the consent Order that also incorporated specific remedial measures and a corrective action plan that it
would take going forward. During the course of this MMC investigation that led up to the entry of the Consent Order, Bayview and MMC traded correspondence related to whether Defendants were in compliance with federal and state regulations by adequately investigating and responding to the breach. To bolster its defense to MMC’s
criticisms of its cybersecurity investigation, including the specific criticism that it lacked a “root cause report,” Bayview voluntarily produced the Mandiant and Protiviti reports. Notably, Bayview does not contend that this production was compelled by any particular order, subpoena, decree or demand sent from MMC. Nor does Bayview claim that their production was under the auspices of any
particular confidentiality agreement of any kind at the time of the production. But Bayview insists that the confidential nature of the reports remained intact for various reasons. First and foremost, The Federal Secure and Fair
Enforcement for Mortgage Licensing Act (“SAFE Act”) directs state regulators to establish and maintain the National Multistate Licensing System & Registry (“NMLS”) to coordinate supervision of the residential mortgage industry. This provision expressly recognizes and preserves the privileged nature of information and documents provided to the NMLS. Specifically, 12 U.S.C. § 5111 provides:
Except as otherwise provided in this section, any requirement under Federal or State law regarding the privacy or confidentiality of any information or material provided to the Nationwide Mortgage Licensing System and Registry or a system established by the Director under section 5108 of this title, and any privilege arising under Federal or State law (including the rules of any Federal or State court) with respect to such information or material, shall continue to apply to such information or material after the information or material has been disclosed to the system. Such information and material may be shared with all State and Federal regulatory officials with mortgage or financial services industry oversight authority without the loss of privilege or the loss of confidentiality protections provided by Federal and State laws. 12 U.S.C. § 5111(a). Further Bayview points out that section 5111 expressly preempts any state open records law that would provide lesser protections. Id. at § 5111(c). And section 5111 also provides that “[i]nformation or material that is subject to a privilege . . . under paragraph (a) of this section shall not be subject to: Subpoena or discovery, or admission into evidence, in any private civil action. . . .” Id. at § 5111(b)(2). Hence Bayview concludes that the production of its fact work product to the MMC investigators did not waive or forfeit its work product protection because the Mandiant and Protiviti reports fall under the express protections of section 5111 as a matter of federal law. Second, Bayview would note that the conduct and conclusion of the MMC investigation into the Breach fully took into account this protection. The Consent
Order itself memorialized that: State Mortgage Regulators, pursuant to their respective books and records requirements, are entitled to access privileged and confidential information related to Respondents investigation into the incident, including, but not limited to, assessment and root cause reports (“Incident Investigation Materials”). Further, the State Mortgage Regulators access to such Incident Investigation Materials is an important supervisory function. Such information is treated by the State Mortgage Regulators as confidential supervisory information and thus exempt from disclosure under the Secure and Fair Enforcement for Mortgage Licensing (“SAFE”) Act, applicable state law, and the CSBS/AARMR Protocol and Agreement, and the disclosure of the Incident Investigation Materials does not act to terminate the confidential and privileged nature of the information. Consent Order, supra at 6.
Plaintiffs on the other hand argue that Bayview’s bold reliance on section 5111 fails to sustain its continued work product claim to reports that it voluntarily disclosed to an adversary. Plaintiffs argue that the SAFE Act applies exclusively to the NMLS that is an online database that manages licenses for companies and individuals in the financial services industry. The MMC, however, operates its own platform for use during examinations. And its Mortgage Examination Manual provides: “[T]he MMC does not send, receive, or request transmission of unencrypted electronic non-public sensitive information. The MMC uses Box (MMC Exam Platform) as a tool to securely disseminate information. The MMC Exam Platform allows both examiners and MMEs to share information.”4
Thus, while the MMC has access to the NMLS for information relating to MMEs, i.e., Bayview and the related Defendants, it does not use the NMLS to exchange examination-related materials directly with MMEs. And, most importantly, Defendants’ decision to waive work-product protection was made as a result of direct discussions with the MMC without the application of an express
confidentiality agreement between the parties. The Reports were shared by BakerHostetler (defense counsel) directly to the MMC, without any confidentiality agreement (and outside the scope of the NMLS). [D.E. 264 at 11 (citing D.E. 218-1 (Exh. 18 at 2-4))]. II. ANALYSIS
To refresh our collective recollection, we start by acknowledging that the Court’s initial decision deeming these Reports to be protected work product was a close call. Courts in our Circuit have used either the primary purpose or dual purpose test in addressing similar claims of work product protection. Goosby v. Branch Banking & Trust Co., 309 F. Supp. 3d 1223, 1234 (S.D. Fla. 2018). Under
the primary purpose test, a document is protected “as long as the primary motivating purpose behind the creation of the document was to aid in possible
4 MMC Mortgage Examination Manual at 15, supra n.1. future litigation.” Id. at 1233 (quoting United States v. Davis, 636 F.2d 1028, 1040 (5th Cir. 1981)). With the dual purpose test, “even if a document has some purpose
within the ordinary course of business, the document is protected as work product if it is substantially infused with litigation purpose.” Id. (quoting Devs. Sur. & Indem. Co. v. Harding Vill., Ltd., No. 06-21267CIV, 2007 WL 2021939, at *2 (S.D. Fla. July 11, 2007) (emphasis added)). This Court has previously found that it “view[s] the issue from a practical standpoint” and looks to whether litigation was
one important reason for the creation and use of a document. See, e.g., Van Calcar v. Royal Caribbean Cruises, Ltd., No. 14-20280-CIV-Cooke/Torres, 2014 WL 12861855, at *3 (S.D. Fla. Nov. 19, 2014); Button v. Royal Caribbean Cruises, Ltd., No. 12-23624-Civ-Ungaro/Torres, 2013 WL 12064489, at *5 (S.D. Fla. June 25, 2013). And that view is now a majority view among the circuits. See, e.g., United
States v. Deloitte LLP, 610 F.3d 129, 138 (D.C. Cir. 2010) (“a document can contain protected work-product material even though it serves multiple purposes, so long as the protected material was prepared because of the prospect of litigation.”) (collecting cases); but see United States v. El Paso Co., 682 F.2d 530, 542 (5th Cir. 1982) (anticipation of litigation must be the “primary motivating purpose” behind
a document’s creation in order to fall within the work product privilege). Based on this line of authority, the Court found that the Reports were protected under the work production privilege’s dual purpose test. See also In re Experian Data Breach Litig., No. SACV 15-01592, 2017 WL 4325583, at * 2-3 (C.D. Cal. May 18, 2017) (the court found that “Mandiant conducted the investigation and prepared its report for [outside counsel] in anticipation of litigation, even if that wasn’t Mandiant’s only purpose” and, therefore, it was protected work product); In
re Marriott Int’l Inc. Customer Data Sec. Breach Litig., MDL No. 19-MD-2879, 2021 WL 2660180 (D. Md. June 29, 2021) (because Marriott had retained IBM to provide the services specific to assisting BakerHostetler in providing legal advice to Marriott, the documents related to the consultant’s investigation were protected attorney work product).
But had the record clearly evidenced that litigation investigation was a far less important consideration, and that corporate business reasons predominated over the creation of these reports in the first place, the outcome should have been different. So before turning to the waiver arguments that the Court anticipated being the focus of the discussion on this motion, let’s turn back to the work product
issue and reconsider whether we need to take a different approach for these two reports. A. Whether the reports can still be treated as work product It is axiomatic that a document primarily prepared for business or corporate governance purposes is not privileged just because it is prepared by counsel or her agents. So even in cases that have led the charge in favor of the dual purpose or
“because of” tests, like the Second Circuit in United States v. Adlman, documents that fall within that scope are not protected: Where a document is created because of the prospect of litigation, analyzing the likely outcome of that litigation, it does not lose protection under this formulation merely because it is created in order to assist with a business decision. Conversely, it should be emphasized that the “because of” formulation that we adopt here withholds protection from documents that are prepared in the ordinary course of business or that would have been created in essentially similar form irrespective of the litigation. It is well established that work-product privilege does not apply to such documents. United States v. Adlman, 134 F.3d 1194, 1202 (2d Cir. 1998) (emphasis added). In that case, for instance, the Court upheld application of the work product privilege to tax-related documents generated by an accountant and counsel that analyzed the benefits, proposed methods, and potential litigation risks of a corporate merger and restructuring contemplated by a corporation. Even though this analysis was grounded on business-related purposes, i.e. an evaluation of a proposed corporate restructuring, the Court found that it could still be protected as work product because it also was generated with anticipated litigation by the IRS in mind. Id. at 1195 (“It proposed possible legal theories or strategies for Sequa to adopt in response, recommended preferred methods of structuring the transaction, and made
predictions about the likely outcome of litigation.”). Notably, however, the Court remanded the dispute back to the District Judge to determine if the business purpose predominated:
Whether it can fairly be said that the Memorandum was prepared because of that expected litigation really turns on whether it would have been prepared irrespective of the expected litigation with the IRS. If the district court concludes that substantially the same Memorandum would have been prepared in any event—as part of the ordinary course of business of undertaking the restructuring—then the court should conclude the Memorandum was not prepared because of the expected litigation and should adhere to its prior ruling denying the protection of the Rule. Id. at 1204 (emphasis added). The Court’s original Order in this dispute understood these principles and applied them to the facts then available in the record. The Court’s review of the
supporting materials evidenced a consultant’s report prepared for counsel in anticipation of litigation filed by aggrieved customers who would likely claim that the data breach was Defendants’ fault. That anticipated litigation, like the looming IRS audit and challenge in Adlman, was not just possible; it was likely. Hence, the Court deemed the work product privilege to be plausibly asserted even though there
were other business interests that were relevant to their creation in the regular course of Bayview’s business, including the responsibility of helping to identify and fix the breach. That assessment, however, may have been hasty. What the Court then did not appreciate was how central these two “privileged” reports were in Bayview and
Defendants’ compliance with the regulatory framework it was duty-bound to follow. The record submitted on the motion for reconsideration, which the Court has reviewed at length, evidences that these two reports per se played a far more central purpose in Bayview’s regulatory compliance. According to the regulations governing its operations, and as the Consent Order now available to the Court
makes clear, “assessment and root cause reports” are required by the State Mortgage Regulators as part of the company’s duty to maintain books and records under the laws of each participating State in which it does business. And when an MMC investigation is required, those root cause reports are required to be turned over to the MMC examiners as part of the MMC’s “important supervisory function.” Consent Order, supra at 6.
So, absent any alternative report prepared outside of the sphere of work product that could be submitted in their place, Bayview’s unredacted submission of these two work product reports when the MMC demanded the root cause reports evidences only possible conclusion: the predominant purpose for the creation of the reports was for regulatory compliance – a factor that the Court’s original Order
assumed was not the case. The Court’s original review of the record showed that Bayview’s data breach investigation was an ancillary part of its operations, which primarily involve mortgage lending. But these regulations – most of whom Bayview and Defendants have pointed us to – illustrate the central purpose that data maintenance compliance has in its day-to-day operations in accordance with the
participating States licensing authority. That change in course has one clear ramification. We cannot deem the generated reports to be work product, under the dual purpose test that we believe to be bound by, unless we find that there is something in the reports that, but for the anticipated litigation, would not have been there in the ordinary course of
Bayview’s business. As Adlman put it, we are obligated to determine “whether the Memorandum studying the tax implications of the contemplated restructuring would have been prepared in substantially similar form regardless whether litigation was contemplated, and thus was not prepared ‘because of’ the expected litigation.” 134 F.3d at 1203. So if the same report, and same factual analysis in the reports, was going to be drafted and submitted as part of the regulation’s root cause requirements, then anticipation of litigation falls by the wayside.
In other words, our original conclusion simply was based on the conclusion that litigation defense did not have to be the primary reason for the creation of the document. So even if business interests were also being addressed through the investigators’ work product, the attorney work product protection prevailed. But what we failed to appreciate was this other aspect of the dual purpose test: if the
primary purpose for the document was for business reasons, and the document would have been created as is even if lawyers and their agents had no role, can the document still be work product? The answer, according to the courts of appeal that have addressed this, is no. Take, for instance, the Ninth Circuit’s application of the dual purpose test.
That circuit formally adopted the dual purpose test long ago that, to qualify for work-product protection, documents must: (1) be “prepared in anticipation of litigation or for trial” and (2) be prepared “by or for another party or by or for that other party’s representative.” In re Grand Jury Subpoena, 357 F.3d 900, 907 (9th Cir. 2004). In circumstances where a document serves a dual purpose, that is, where
it was not prepared exclusively for litigation, then the “because of” test is used. Id. Dual purpose documents are deemed prepared because of litigation if “in light of the nature of the document and the factual situation in the particular case, the document can be fairly said to have been prepared or obtained because of the prospect of litigation.” Id. In applying that test in a case analogous to this one, the Ninth Circuit held in United States v. Richey that the dual purpose test did not protect a tax
appraiser’s work file that was generated, at the direction of counsel, to provide valuation services and advice in connection with a conservation easement owned by a partnership that was used to claim a charitable tax deduction on the partnership’s tax return. 632 F.3d 559, 562 (9th Cir. 2011). Work product protection was claimed when the IRS balked at the deduction and issued an IRS
summons for documents. The partnership argued, like Bayview, that litigation was anticipated by counsel when the tax review was initiated and thus the appraiser’s work was protected even though much of that same work was used to prepare the tax return in question. The district court agreed with that argument under the dual purpose test, but the Ninth Circuit reversed, citing Adlman, because the
record evidenced a legal requirement to prepare the very same documents in connection with the tax return. A key part of this was an appraisal report prepared by the appraiser that was attached to the return, which the court found critical to the analysis: “Had no appraisal report been attached to the Peskys’ 2002 federal income tax return, the Taxpayers would have been ipso facto ineligible for any
charitable deduction as a result of the contribution of the Easement. Had the IRS never sought to examine the Taxpayers’ 2003 and 2004 federal income tax returns, the Taxpayers would still have been required to attach the appraisal to their 2002 federal income tax return.” Id. at 568. The district court thus erred in treating the work papers as work product even if a lawyer retained the appraiser to conduct that review and even though litigation with the IRS was anticipated. “Considering the totality of the circumstances, we cannot properly conclude that the appraisal
work file ‘can be fairly said to have been prepared or obtained because of the prospect of litigation.’” Id. Using these consistent circuit cases as our guide in the absence of Eleventh Circuit precedent to the contrary, our conclusion that these two reports were work product must be reconsidered under the dual purpose test. The Court finds that
litigation purpose was only a tangential reason for their creation; instead, based on the current available record they were primarily created as part of Bayview and Defendants’ obligation to comply with regulatory obligations owed to their state regulators and, if necessary, in compliance with their duty to provide root cause reports in the event of a data breach. Even after complying with the MMC’s
demand for these root cause reports, it turned out that Bayview was still liable for breach of its compliance requirements under the law to the tune of $19 million. That sum would undoubtedly have even been greater had the MME found that Bayview failed to prepare or provide root cause reports when requested as part of this investigation. Hence, the record shows that these reports would have been
prepared and submitted to the MMC even if they were generated by an investigator that did not report to or ever deal with BakerHostetler. There is no better evidence for this than Bayview’s admission that the reports were turned over without redaction and without any qualification in order to be “helpful” to the investigation. How would that production be any different than an appraisal report attached to an IRS tax return that was mandated by law? The legal duty to provide that type of information pre-existed any attorney retention or prospect of litigation.
Bayview would stand on stronger footing, of course, if the reports had not been summarily turned over and, instead, simply being a source for a separately- created document that would be used as the root cause report. In that case, any particularly sensitive findings targeting the prospect of litigation could have been omitted, while leaving intact factual information generated during the course of
that multi-purpose investigation. Perhaps that is how Bayview and similar entities should deal with these problems in the future. But the record shows that this is not what happened here. In sum, by turning over these reports in this way in order to comply with their legal obligations to prepare root cause reports, no work product protection was
generated even though litigation was a factor in their creation. The predominant reason for their creation was regulatory compliance for regulators who could levy significant penalties against Bayview. Under the dual purpose test, this unique legal duty to produce these reports overwhelms any ancillary litigation purpose. So these documents are not, then, “dual purpose” documents; they are primarily
corporate compliance documents that have no privilege attached to them. Further support for this reconsideration is found in the same cases the Court analyzed in reaching its earlier conclusion. In a key case that Bayview cited, which was applying Ninth Circuit’s dual purpose test, In re Experian Data Breach Litig., No. 15-01592, 2017 WL 4325583 (C.D. Cal. May 18, 2017), the court denied the plaintiffs’ motion to compel a third-party investigator’s report and documents related to the investigation of a data breach event. In that case, when Experian
learned that one of its systems was breached, it retained the law firm Jones Day for legal advice regarding the attack. In turn, Jones Day retained Mandiant to conduct an analysis of the attack. According to Experian, the only purpose of that report was to assist Jones Day in providing legal advice to Experian regarding the attack, realizing that Experian’s own experts lacked sufficient resources. Id. at *2
(emphasis added). In their motion plaintiffs argued that because Experian had independent business duties to investigate any data breaches and it hired Mandiant to do such work, the expert report was not work product. Id. at *2. The court rejected that argument, reasoning that Mandiant was hired by Jones Day to assist the lawyers
in providing legal advice to the client in anticipation of litigation. And most notably, the court relied on the fact the report as a whole was only turned over to the lawyers. There was no discussion or any mention of the report being produced wholesale to any third party, nor was there any issue about production of the report as part of the finance company’s regulatory compliance.
To the contrary, the court’s analysis affirmatively relied on the fact the report as a whole was not turned over to anyone, even those within the client’s operations. Selected portions of the report were in fact provided to a team of personnel from Experian’s “Incident Response Team” to assist in their remediation efforts. But the court’s opinion took pains to point out that these selected portions were limited for that purpose: “If the report was more relevant to Experian’s internal investigation or remediation efforts, as opposed to being relevant to defense of this litigation, then
the full report would have been given to that team. The evidence here establish that Jones Day instructed Mandiant to do the investigation and, but for the anticipated litigation, the report wouldn’t have been prepared in substantially the same form or with the same content.” Id. at *2 (emphasis added). In measuring the Experian decision by the standards adopted in the Ninth
Circuit, Second Circuit, and elsewhere, it is indeed a proper application of the dual purpose test for the simple reason that the court found that business purposes (like assisting in remediation efforts) were not the predominant reason for the document’s creation. And had it been, the opinion is recognizing on its face that the outcome would be very different because in that case it “would . . . have been
created in substantially similar form [even with] the prospect of that litigation.” Id. at *1 (quoting In re Grand Jury Subpoena, 357 F.3d at 908) (alteration added). In following that correct decision here, however, the Court overlooked a critical factual difference. Frankly, perhaps the record before the Court at the time of the initial Order should have been enough to distinguish this case. But apologies
aside, the record is crystal clear now, especially after we have the benefit of the Consent Order that Defendants entered into with the participating State regulators in December 2024. Unlike Experian, these attorney-mandated reports were in fact turned over, in wholesale fashion, to these third parties because of the regulatory duty to provide “root cause” reports in connection with an MME investigation. Bayview was legally obligated to do so. By generating these reports, Bayview was complying with its legal obligations and would have had to do so, with the same
reports, even if counsel had never been hired and legal work product had never been requested. So, under the dual purpose test that the Court was purportedly following in its initial Order, these reports should not have been deemed work product. See also In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F. Supp. 3d 1230, 1246 (D. Or. 2017) (compelling production of Mandiant reports
over work product objection; “the Court concludes that Premera has not shown that all of the underlying documents relating to the Mandiant reports were created because of anticipated litigation and ‘would not have been created in substantially similar form but for the prospect of litigation.’”) (quoting United States v. Richey, 632 F.3d at 568).
Other similar decisions applying the dual purpose test are in accord with this analysis. For instance, in Wengui v. Clark Hill, PLC, No. 19-3195, 2021 WL 106417, (D.D.C. Jan. 12, 2021), Judge Boasberg was following the same dual purpose test that the D.C. Circuit adopted in United States v. Deloitte LLP, 610 F.3d 129, 137 (D.C. Cir. 2010) (applying because of test: “a document can contain protected work-
product material even though it serves multiple purposes, so long as the protected material was prepared because of the prospect of litigation.”) (remanding work product finding for further examination to determine if portions of auditor’s report would have been created irrespective of litigation). There a plaintiff's personal information collected by his former law firm/defendant was hacked by a third party, leading to a lawsuit against the law firm. The plaintiff sought production of reports of forensic investigations into the cyberattack. The firm resisted, claiming that the
documents sought by plaintiff were produced by external security-consulting firm Duff & Phelps, retained by outside litigation counsel, and therefore, were covered by both the attorney client privilege and work product. Id. at *2. The court compelled production of the reports because the firm “has not met its burden to show that the Report, or a substantially similar document, ‘would [not] have been
created in the ordinary course of business irrespective of litigation.’ ” Id. at *5 (quoting Banneker Ventures, LLC v. Graham, 253 F. Supp. 3d 64, 72 (D.D.C. 2017)). Further support for that conclusion was found in the fact the subject report was, not only shared with outside counsel, but produced to firm leadership and personnel as well as the FBI that investigated the hack. Based on these facts, the court
concluded that “the Report was shared this widely because it was the one place where [defendant] recorded the facts of what had transpired,” all of which evidenced that the vendor had a more far-reaching role than merely assisting outside counsel in preparation for litigation. Id. at *12-13. That analysis is certainly quite analogous to the record presented here.
When push came to shove, Bayview did not generate a root cause report separate and apart from the Mandiant and Protiviti reports. Instead, it simply turned the reports over to the MMC. Why? Because the record shows that was what Bayview had to evidence its compliance with its regulatory obligations to properly investigate any such data breach. That fact, as in Wengui, underscores that the overarching purpose for the investigation and the report focused on corporate and regulatory compliance as opposed to legitimate litigation needs. So, like the report
produced in Wengui, the work product nature of the report evaporates because the report would clearly have had to be created whether or not litigation was also anticipated. Again, nothing stopped Bayview from requesting different reports from the consultants. For instance, Mandiant could have generated two separate reports;
one for the lawyers and in house counsel, and another report with selected portions of the main report for use as the root cause report. And then that second report could have been produced during the MME’s investigation. Under those circumstances, the dual purpose test properly applied would allow for such a distinction between the two reports. See, e.g., Maldondo v. Solara Med. Supplies,
LLC, No. 20-12198, 2021 WL 8323636, at *1-3 (D. Mass. June 2, 2021) (denying production of main work product report prepared by examiner hired for data breach investigation; law firm hired examiner to perform a privileged forensic investigation into the incident to assist the attorneys in providing legal advice to the company, as well as a separate report (already produced in discovery) originally
intended for submission to Federal Trade Commission for regulatory purposes). For whatever reason that did not happen here. The reports were produced to counsel first and then re-produced in their entirety to the MMC as being tantamount to the root cause report. That renders the same document a prototypical regulatory document, required by law, that would have been generated and produced even absent any law firm’s involvement or litigation being anticipated. Under the dual purpose test, that report does not possibly qualify as
work product. Accordingly the motion for reconsideration is Granted and the Court now enters this Order that deems the documents at issue to fall outside the protection of the work product doctrine. Defendants are compelled to produce the Mandiant and Protiviti reports to Plaintiff subject to the Court’s Confidentiality Order.
B. Whether any work product privilege was waived Given the Court’s reconsideration of the underlying work product claim, there is no urgent need now to tackle the waiver issue as originally intended. That is because the documents at issue are not work product in the first place, so they are not any more unprotected now that they were turned over to the MMC. And indeed, as discussed above, that wholesale production to the MMC evidences why
the document is not work product under the rule of decision that governs here. A few points will still be addressed, however. Assuming the documents are work product in the first place, Plaintiffs argue that the production of the reports to the MMC constitutes a waiver of the protection in their entirety. And Defendants’ argument, urging application of the selective waiver doctrine to allow
the reports to retain their work product protection, should be rejected. We agree that the selective waiver doctrine would have no bearing here based on the majority view of the circuits that such a doctrine does not shield production of documents turned over to an adversary. See, e.g., In re Columbia/HCA Health Care Corporation Billing Practices Litig., 293 F.3d 289 (6th Cir. 2002). Under this view courts should reject the concept of “selective waiver” and hold that a voluntary
disclosure to one’s adversary is a waiver as to all adversaries. See id. at 306 (a company cannot “pick and choose to which adversaries [it would] reveal documents”) (alteration in original). The record here shows that, at the time of their production to the MMC, the reports were produced to stave off any penalties or findings of non-compliance
arising from the participating States’ laws and regulations. That MMC’s investigation was clearly potentially adverse to Bayview and Defendants at the time it was conducted given the possibility of penalties or sanctions that could be levied. So under the voluntary waiver concept, Bayview’s decision to produce the entire reports to the MMC would ordinarily foreclose any claim now to assert work
product protection in subsequent litigation. That is especially true where production of work product to an adversary is done without the cover of an express confidentiality agreement, court order, subpoena, or other form of compulsion on which one could rely in disputing that any voluntary waiver ever took place. And here there is no dispute that no specific
document was executed or relied upon at the time the documents were produced. See also In re Steinhardt Partners, L.P., 9 F.3d 230, 235 (2d Cir. 1993) (“Once a party allows an adversary to share the otherwise privileged thought processes of counsel, the need for the privilege disappears.”) (rejecting idea of selective disclosure adopted by some courts and holding that company’s transmittal to SEC— a potential litigation adversary—of memorandum prepared by company attorney in response to agency inquiry waived document’s work-product protection as to
shareholder plaintiffs in subsequent litigation). On the other hand, we are not going to make a definitive finding on this score. The same regulatory backdrop and documentation that the Court has reviewed in connection with the section above does reveal an arguable basis to find that production of these documents under an MME process, if demanded by a state
regulator as was done here, does not give rise to a waiver. Defendants have presented a persuasive argument that their litigation privileges are expressly preserved from waiver/forfeiture by operation of statute. Even if this MMC’s investigation is sufficiently adversarial, Defendants point to the fact the context of the disclosure was based on the MMC’s statutorily-driven examination under the
auspices of the NMLS. An aspect of this regulatory framework involves specific examinations like this one, all of which fall under the umbrella of the Federal Secure and Fair Enforcement for Mortgage Licensing Act (“SAFE Act”), which directs state regulators to establish and maintain the NMLS for the purpose of coordinating supervision of the residential mortgage industry. This statute also
recognizes and preserves the privileged nature of information and documents provided to the NMLS: Except as otherwise provided in this section, any requirement under Federal or State law regarding the privacy or confidentiality of any information or material provided to the Nationwide Mortgage Licensing System and Registry or a system established by the Director under section 5108 of this title, and any privilege arising under Federal or State law (including the rules of any Federal or State court) with respect to such information or material, shall continue to apply to such information or material after the information or material has been disclosed to the system. Such information and material may be shared with all State and Federal regulatory officials with mortgage or financial services industry oversight authority without the loss of privilege or the loss of confidentiality protections provided by Federal and State laws. 12 U.S.C. § 5111(a) (emphasis added). Further Bayview points out that section 5111 expressly preempts any state open records law that would provide lesser protections. Id. at § 5111(c). And section 5111 also provides that “[i]nformation or material that is subject to a privilege . . . under paragraph (a) of this section shall not be subject to: Subpoena or discovery, or admission into evidence, in any private civil action. . . .” Id. at § 5111(b)(2). Hence Bayview understandably argues that the production of its work product to the MMC investigators would not waive or forfeit its work product protection because the Mandiant and Protiviti reports fall under the express protections of section 5111 as a matter of federal law. And even if they are not expressly related to the NLMS licensing process, as Plaintiffs point out, they are still within the auspices of the regulatory framework that ultimately gave rise to the MMC’s examination in this case. The MME protocol cited by the Court above clearly suggests that this process is part and parcel of the overall regulatory system that federal and state regulators have agreed to follow with respect to multi-state institutions like Bayview and Defendants. Upon review of the statute and the regulations cited, Defendants have a compelling argument that an MMC’s investigation does not fall outside the protection contemplated by the statute. Why would it? The MME protocol was agreed upon precisely to enforce compliance with federal and state laws. It would be incongruous if the statutory confidentiality imposed by the statute is limited to only the initial licensing and regular maintenance process, but withers once there is a specific
investigation by the same regulatory authorities if notice of a specific violation is received. At least at first blush, that makes little sense. There is an old saying in judicial circles that “when in doubt, leave it out.” There is a certain clarity in that approach because it prevents idle hand wringing over legal issues that are ultimately not necessary to the required outcome. We will leave this debate over the legal effect of this statute on traditional voluntary disclosure principles right there. Because these documents cannot qualify as work
product, application of the privilege-preserving language of the statute is a moot point. We do so with the caveat that the statute does not save Bayview from the effect of the Court’s earlier analysis. In other words, the statute may immunize disclosure of otherwise protected documents on a selective waiver argument. But the converse is not true: unprotected, non-work product documents do not magically become privileged, by operation of this same statute, when they are turned over to MMC
investigators or other NLMS-related authorities. The statute arguably only preserves the protection that already exists under the law so, as in this case, if that governing law does not in fact apply then the statute has nothing to protect as a shield against relevant discovery in a civil action. Here, we have found on reconsideration that these reports do not qualify as privileged work product based on how they were generated and the proper application of the dual purpose test. When they were produced to the MMC investigating this data breach, there was no work product to waive. They are primarily business and regulatory-related documents that were required to be produced by law. Section 5111 thus has no bearing here because there is no privilege or legal protection to exempt from the traditional application of federal or state legal principles. Those principles, correctly applied, result in no legal protection for these reports from the normal rules of discovery. And section 5111 does not create a work product immunity where none existed. In sum, we will table for a future case whether a work product-protected investigative report loses that protection when mandatorily produced to an MMC investigator. This case does not call for a final answer to that interesting question because there is no work product-protected report to begin with. IT. CONCLUSION For the reasons set forth above, Defendants shall produce to Plaintiffs the Mandiant and Protiviti reports at issue within seven days of this Order. Defendants’ objections to the related discovery requests are Overruled. The pending motion for reconsideration [D.E. 218] is GRANTED. The Court’s Order entered June 12, 2024 [D.E. 211] is VACATED. DONE AND ORDERED by the Court this 27th day of March, 2025.
<= G. TORRES United States Magistrate Judge
Page 30 of 30