A loss for Capital One may have wider consequences for defendants’ ability to shield breach investigation reports from discovery. This article addresses the implications of a recent Virginia federal court’s decision rejecting the bank’s claim that its attorney-directed post breach incident report is protected work product, including the decision’s potential chilling effects on companies’ discussions after a breach, and steps companies might take to protect forensic reports, with insight from Holland & Knight and Faegre Drinker Biddle lawyers. It also includes advice from Arnold & Porter on an alternative approach to handling forensic facts. See “Capital One Breach Demonstrates Risk of Overlooking Vulnerabilities When Sending Data to the Cloud” (Aug. 14, 2019).