Cyber-crime is perhaps the number one threat that most companies face today. Investing in strong cybersecurity, therefore, is crucial for safely operating any type of business in this modern age. Cybersecurity is the protection of internet-connected systems and data from cyberattacks. However, with the constant and rapid development of technology, there is no way to ever achieve complete security. Companies must manage their "cyber-risk" just like any other risk using probability and cost benefit analysis. However, this type of analysis and investigation into what vulnerabilities a company faces, how best to prioritize and suggestions on how to improve cybersecurity can be very dangerous if disclosed. A written vulnerability assessment report that proves a company was aware of the risks it faces is likely to become an Exhibit A in a lawsuit against the company after a data-breach. The issue then becomes how to keep this company information confidential and not subject to discovery in court?
Neither federal nor state courts recognize a stand-alone privilege for cybersecurity work product or communications. The best vehicle to protect this information is via attorney-client privilege or the work product doctrine. But how affective are these privileges in protecting this crucial information, and under what circumstances are they applied? It is a severe misinterpretation to assume that the mere involvement of an attorney and these accompanied privileges is an automatic stamp of confidentiality on cybersecurity reports and correspondences. The privileges are designed to protect a specific kind of information and thus are limited. While powerful when they do apply, they don't apply to a wide array of information. The attorney-client privilege protects communications between attorneys and clients in the course of seeking and providing legal advice. The privilege exists to foster client confidence and promote unrestrained communication between client and attorney. The work product doctrine, unlike attorney-client privilege, is not absolute and is limited to protect written records of the attorney's thought processes and legal strategies made in anticipation of litigation.
This begs the question, what must the attorney's role be in preserving privilege in cybersecurity measures and breach response? Answer: an active and substantive role.
The Court in In re Premera Blue Cross Customer Data Sec. Breach Litig., found attorney-client privilege and the work product doctrine inapplicable to the company information because legal counsel's role in the cyber investigation was merely perfunctory. Counsel must be able to demonstrate that the information gathered is actively tailored and focused on offering legal advice or in preparation of litigation and is not information used for ordinary course of business. This presents a challenge to companies using in-house counsel who often navigate dual roles, offering both legal and business advice, thus making it difficult to prove what advice or work products are actually in anticipation of litigation. An effective and successfully utilized strategy is for companies to use two separate legal teams. An outside counsel brought in specifically for the purpose of providing legal advice in connection with a cybersecurity vulnerability investigation will avoid the dual role issue that an in-house counsel would face. A court is more likely to view the analyses and conclusions reached by outside counsel as action taken to provide legal advice or to defend against a distinct lawsuit and not part of a standard corporate function. Attorneys must actively direct the work of the cybersecurity consultant. Their involvement should not be formalistic; rather they should be included in every email and have final say over all decisions and statements made to the company officials as well as outside parties.
These privileges will not attach through inactive or passive attorney involvement. The attorney-client privilege and work product doctrine do not function as magic wands that simply protect any and all cybersecurity issues that a company may face. It is critical for lawyers working to prevent cyberattacks or responding to a cyber intrusion to have a clear understanding of how to properly utilize these privileges.
Conclusion and Takeaways
1. Be proactive. Companies should recruit outside counsel to investigate any cyberattacks or to assess cybersecurity weaknesses.
2. Keep attorney roles active and tailored. All communications should run strictly between outside counsel and the vendor used for the breach response, including any reports or findings. Outside counsel should meet with in-house counsel to review the findings and offer legal advice to insure proper implementation of any remedial measures.
3. You can't produce what you don't have. If it doesn't need to be in writing, don't write it down. Be mindful that these privileges are precarious in nature and should not be relied upon if not necessary.
Shawn E. Tuma & Jeremy D. Rucker, Privileges: Understanding Applicability in Cybersecurity Cases, 81 Tex. B. J. 9 (2018).
Robert W. Anderson & Eric B. Levine, Protecting Privilege Before and After a Cyber Breach, L.J.N (2018).