Fri, Jun 21, 2019
Legal counsel’s role in cybersecurity has evolved significantly over the past ten to fifteen years. While lawyers traditionally were called in to reactively handle lawsuits and regulatory actions, they now contribute to shaping proactive cyber planning, assessment, and resiliency efforts, including incident response.
Apart from their legal knowledge, lawyers have always provided clients a safe place for hard debate and even harder decision-making. The American Bar Association explains that the “underlying purpose” of the attorney-client privilege is “to encourage persons to seek legal advice freely and to communicate candidly during consultations with their attorneys without fear that the information will be revealed to others.”1 It is also well established that disclosures of information to experts/consultants—who are necessary for a lawyer to render legal advice to a client—do not waive the privilege.
In the cyber context, too, the case law strongly supports privilege (and attorney work-product) protections over consultants engaged by counsel in the aftermath of a data breach. For example, in early 2015, the District Court for the Middle District of Tennessee denied Visa’s discovery requests relating to materials produced by two security firms that Genesco’s counsel engaged to, respectively,
With respect to proactive (non-breach) cyber risk assessments, a recent February 2019 decision from the Premera Blue Cross breach litigation5 provides critical insights into how courts are likely to address privilege assertions. The Premera case stems from a data breach disclosed in 2015. Class actions were filed and discovery battles ensued. The court considered a broad range of document categories set forth in Premera’s privilege log; the highlights included analyses of privilege assertions over security audits and assessments. In this regard, the court noted as follows:
Regarding Premera’s audits and investigations of their information technology and security, Premera’s general information technology and training . . . the Court is not persuaded that these were primarily done with legal purpose and not business purpose.6
Observing that “[a]s a business, Premera needs periodically to audit its information technology and security and training,” the court stated that the audits “would have happened regardless of any pending litigation or regulatory investigations.”7 The court was particularly skeptical of two audits that occurred years before Premera’s breach, referring to such audits as simply “normal business functions,” and while Premera claimed that its counsel was involved in the audits, the court flatly remarked that “Premera cannot shield them from discovery by delegating their supervision to counsel.”8
The fact that case law is now developing on the issue of cyber-related privilege makes clear that lawyers are increasingly playing a meaningful role in this space. However, there are some key lessons learned that are food for thought for both in-house and outside lawyers:
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
Sources
1 Am. Bar Ass’n, Task Force on the Attorney-Client Privilege, Task Force Report to the ABA House of Delegates 4 (2005), https://www.americanbar.org/content/dam/aba/directories/policy/2005_am_111.authcheckdam.pdf
2 Genesco, Inc. v. Visa USA, Inc., No. 3:13-cv-00202 (M.D. Tenn. Mar. 25, 2015).
3 In re Target Corp. Customer Data Sec. Breach Litig., No. 14-2522 (D. Minn. Oct. 23, 2015).
4 See also In re Experian Data Breach Litig., No. 15-01592 (C.D. Cal. May 18, 2017) (reports created by Mandiant consultants retained by outside counsel deemed to be attorney work product).
5 In re Premera Blue Cross Customer Data Sec. Breach Litig., 2019 WL 464963 (D. Or. Feb. 6, 2019).
6 Id. at *7 (emphasis added).
7 Id.
8 Id.
9 Id. at *8.
10 Compare McNamee v. Clemens, 2013 WL 6572899 (E.D.N.Y. Jan. 30, 2013) (no privilege; PR firm only provided standard services not necessary in order to provide legal advice, and therefore disclosing documents to firm resulted in waiver), with King Drug Co. v. Cephalon, Inc., 2013 WL 4836752 (E.D. Pa. Sept. 11, 2013) (privilege applied; consultants preparing business and marketing plans were the client’s “functional equivalent”).