
Attorney Client Privilege in Cyber Land

Historically, attorney-client privilege was used to protect conversations between attorneys and their client as they were preparing their defense.

While that is still the case, a breached company holds a lot of information that it might not want to reach the people suing it. If privilege is not handled correctly, it is highly unlikely that the information will be protected.

Some examples of doing it wrong:

After a data breach occurred, Capital One retained a law firm that later entered into an agreement with Mandiant for various cyber-related services (including incident remediation), which required that Mandiant provide deliverables to the firm rather than to Capital One. Plaintiffs sought release of the report created by Mandiant (regarding the factors leading to the breach), arguing that it was prepared for business and regulatory purposes and therefore was not privileged, while Capital One argued that the report was privileged because it was prepared in anticipation of litigation. Capital One lost and had to turn over the report.

Plaintiffs filed a motion to compel Dominion Dental Services to produce a report created by Mandiant, a cybersecurity firm. Dominion claimed that the report was created to inform legal counsel and to develop a litigation strategy, and thus was privileged and protected by the attorney work-product doctrine. The court stated that Dominion had not met its burden of demonstrating that the materials were protected work-product and held that the materials were not privileged because (1) Mandiant had a relationship with Dominion prior to the breach, one which anticipated services in the event of a breach occurring; and (2) Dominion used the materials for non-litigation purposes.

There are more of these. The wall for attorney-client privilege is filled with holes.

This means that you need to prepare for how you are going to respond in case of a breach.

BEFORE the breach.

Some things to figure out:

  • Failure to define the parameters under which an outside consultant is retained to create a breach report increases the risk that the report will not be covered by the work-product doctrine. THIS MEANS THAT YOU NEED TO COMPARTMENTALIZE WHAT YOU ARE DOING. Likely one project/vendor for incident cleanup and a different one for legal prep.
  • Retainers for vendors used in preparing a breach report should be categorized as a legal expense. BREACHED COMPANIES WHO HAD ENGAGED MANDIANT BEFORE THE BREACH AND CLASSIFIED THE EXPENSE AS AN IT EXPENSE HAVE A HARD TIME CHANGING THEIR MIND LATER. BUT CLASSIFYING IT AS A LEGAL EXPENSE DURING NORMAL TIMES AND HAVING THEM REPORT TO “IT” IS ALSO A PROBLEM.
  • Only share the data breach report for legal purposes, and share it with as few individuals in the organization as possible. SEE COMPARTMENTALIZE ABOVE. IF YOUR LAW FIRM DOES NOT UNDERSTAND THIS, THEY ARE THE WRONG LAW FIRM TO HANDLE THE TASK.
  • Proceed with caution when using a data breach report for anything other than litigation purposes.

Now is the time to figure these things out, before you need to use them. Credit: ADCG

When Do You Call The Lawyer After a Breach

Nick Merker, partner at the Indianapolis-based law firm Ice Miller, spoke at Black Hat on the subject. Nick has been involved in over 500 cyber incidents and has learned a few things in the process.

When lawyers become involved in a cyber incident, they consider things like compliance (HIPAA, for example), insurance, liability, evidence preservation and lawsuits. It is rare that IT folks think like lawyers, especially when their house is on fire.

Courts are starting to think differently about attorney-client privilege, and that requires some serious contemplation.

In particular, the underlying facts of a breach are probably not confidential.

If you want to protect privilege, you have to do it right.

One example he gave was a document used in a real case. A redacted version of the document was used in court, but an unredacted one was given to regulators. That probably won’t work: once the unredacted version has been shared outside the litigation, it is hard to argue the redacted portions are privileged.

A lawyer can help you. Below is a story on how not to do it. Credit: ZDNet

The Rutter’s gas station/convenience store chain was ordered to turn over a data breach report to opposing attorneys. U.S. Magistrate Judge Karoline Mehalchick said the report, authored by Kroll Cyber Security, could not be shielded from discovery, as customers who were affected by the breach are suing Rutter’s.

Mehalchick said that privilege does not apply to the specific report in question because there was no evidence that Rutter’s or its law firm ordered the third-party investigation with any reasonable or obvious expectation of a future lawsuit.

That is a really odd thought. Who would think that after a major breach you weren’t going to get sued?

The problem is that Rutter’s did not get legal advice, or if they did, they need to sue the lawyer for malpractice.

Generally, using an attorney that already has a relationship with the company, or using in-house counsel, to run a breach investigation is problematic: privilege only exists if there is an expectation of a lawsuit, and if you are expecting to be sued, you are probably not going to use your general business lawyer or in-house counsel to run your defense.

Bottom line: there are a number of ways to do this right and maximize your odds of being able to invoke privilege successfully, but flying by the seat of your pants is not one of them. Credit: SC Media