Capital One had a pre-existing relationship with Mandiant/FireEye. After C.O. had its cloud breach, Mandiant produced a report which C.O. had delivered to outside counsel to try to get it qualified as legal work product that is protected from disclosure in lawsuits.

Not working. https://twitter.com/snlyngaas/status/1266115795886759937
Reading the judge's opinion here, as well as thinking about other rulings it cites and the law on legal work product privileges generally, personally (in my off-the-cuff Twitter opinion) trying to protect breach investigation/response materials will--and should--often be futile.
Why?

Quite simply, even if somehow, magically, no possibility of litigation-related liability were to exist in the aftermath of some breach, it's always necessary to rapidly identify, at a bare minimum, how the breach occurred and what measures must be taken to prevent a repeat.
This information will inherently be at least partly technical in nature, and it must be shared with technical staff to assess what and whether immediate technical measures are needed. Regardless of any potential for litigation.
Would it be possible to have two parallel breach investigations run, a "bare" technical investigation that essentially investigates the minimum possible and a much broader "How badly did we screw up?" investigation run by a law firm with technical investigators? Perhaps.
But even were such a strategy successful in mitigating the litigation risk of having a more damaging report disclosed, the "bare" report would risk looking neglectful in that same litigation.

And certainly such contortions wouldn't aid improving the org's security.
Bottom line: if you're an organization contemplating the litigation risk that could arise from being woefully negligent and getting breached, the best way to reduce that risk is to reduce negligence. Don't count on being able to prevent that negligence from coming to light.
IMHO.
You can follow @arekfurt.