Many organizations are vigilant about keeping confidential data out of the wrong hands, and when faced with a data leak they prefer the details to stay out of the public domain.
However, even when best practices are followed, not all courts share the same view of privilege. As some recent court rulings underline, attorney-client privilege for cyber incidents may not be as secure as once believed.
When a cyber incident happens and you contact your insurer, the first resource you will be referred to is a licensed attorney. This matters because, if you follow the proper protocol, the attorney engages all the appropriate vendor services on your behalf.
This covers everyone involved in the response: IT forensics experts, the breach notification service, a credit monitoring provider, and others. Traditionally, because it is the lawyer who engages those providers rather than you, their work is covered by attorney-client privilege.
That includes material such as the forensics provider's report, which determines how the attackers got in, whether the attack is ongoing, and other sensitive information that enterprises do not want to disclose.
The alternative is that you experience a cyber attack and hire one of the vendors directly. If the security incident later results in a lawsuit, key reports and findings would be discoverable and potentially made public.
Most policies require that you use a pre-approved attorney (that is, one approved before the time of the claim). If the attorney is pre-approved by the carrier, you are free to use them at the time of a lawsuit.
Either way, attorney-client privilege is invoked in the same fashion: have your attorney engage the contractors on your behalf.
However, as is now playing out in court, privilege may have several limitations. The most recent example is the lawsuit over Capital One's cyber incident.
In late May 2020, a Virginia federal court ordered Capital One to disclose the investigative report linked to its major 2019 data loss. The court rejected the claim that the report was protected under attorney-client privilege.
According to the Law360 article linked above, Capital One argued during the hearing that "it could not be required to sign over the report by cybersecurity expert Mandiant because the paper was intended to help the lawyers of Capital One cope with the litigation."
Yet the magistrate disagreed:
Judge Anderson said, "Capital One has not provided sufficient evidence to show that the incident response services provided by Mandiant would not have been carried out in a substantially similar manner even if there were no prospect of litigation." He added, "The retention of outside counsel does not, on its own, turn a document into work product."
Among the evidence the judge cited in denying Capital One's request to keep the report secret was that, when the breach happened, the bank already had a contract with Mandiant, which is now part of the cybersecurity giant FireEye Inc. The company had also internally classified the retainer paid to the cybersecurity consultants as a "business critical" cost rather than a "legal" expense, the judge wrote.
Although other lawsuits have challenged attorney-client privilege, cyber case law is still unsettled. For instance, in a 2017 Experian case, Experian did not have to produce the investigative documents for a data breach, because the report had been commissioned and prepared for its law firm as it was gearing up for litigation.
On the other hand, the Capital One judge referenced a 2017 case, according to Law360, in which Premera Blue Cross had to produce a portion of the documentation prepared by Mandiant following a 2015 data breach.
The Sedona Conference is a non-profit organisation devoted to the advanced study of law and policy. It explicitly recommends extending attorney-client privilege during cybersecurity incidents.
According to experts quoted in the same article, attorney-client privilege and documentation is a challenging area regardless of the kind of situation, cyber or not.
The Capital One case raises a question we frequently get from customers: should we pre-select the vendors we want to respond to a breach?
Pre-selecting the vendors you intend to use for response has traditionally been a valuable way to streamline the response to a cyber event. Hiring a firm that is already familiar with your network and security controls shortens the necessary response time and gets you back to business faster, especially when it comes to IT forensics specialists.
When an incident occurs, many forensics firms cannot guarantee their availability. In a widespread security event, such as an especially destructive new ransomware strain, security firms may be so swamped with requests for work that they simply cannot get to everybody within a limited period of time.
Sensing customers' frustration with this prospect, forensics firms began offering retainer arrangements at a fixed price, payable regardless of whether incident response services are ever needed.
Although this is an attractive way to guarantee your preferred vendor's availability, as the Capital One case above shows, it can prove troublesome when it comes to defending attorney-client privilege over forensics files.
That is because when you pay the vendor long before any real incident occurs, it may be hard to argue that a retainer paid in advance of a security issue is a legal expense.
Today, most lawyers and forensics firms will tell you that if the attorney engages a vendor for cyber incident response, anything the vendor produces falls under attorney-client privilege. However, the way courts view privilege can seriously disrupt that line of reasoning.
Until there is more case law, the existing best practice still stands: have counsel oversee the response to the cyber attack and engage the vendors on your behalf.