Cyber Risk Management: Walking the Privilege Tightrope

This is the 3rd and final post in our cyber insurance series. The first two are here and here.

While it presents more than a few challenges–not the least of which is its cost–cyber insurance has become an essential tool for managing information security risk in today’s business environment. But cyber insurance doesn’t cover all the risks organizations face during the response to an incident. During the intense, often chaotic activity that follows a security incident, response teams can create additional legal risks that enterprises must understand and manage.

Specifically, litigants may use the results of an investigation against the organization in civil, regulatory, or criminal proceedings. In most cases, litigants seek evidence of negligence, indications that an organization “knew, or should have known” about the conditions that led to a breach. That makes incident reports and other documents targets for anyone taking legal action against the victim of a breach or other security incident.

Most enterprises engage external legal counsel as part of their response to a security breach, so what documents related to the incident are protected by attorney-client privilege—and what documents aren’t—has been a highly contested issue in some breach cases. Consequently, what reports teams create, who creates them (and how), what they contain, and how widely the company distributes them become critical issues. 

Generally speaking, only documents and conversations created in response to or anticipation of litigation are privileged. But generalities don’t stand up in court. And in this case, the lack of clear legal precedent, the rapidly evolving legal environment, and the immaturity of the cyber insurance market combine to make specifics elusive. Simply put, there are no clear-cut rules on how best to approach document preparation to ensure privilege protection. 

At our recent CIO roundtable, Charisse Castagnoli and Judy Selby had excellent advice for enterprises on this critical issue. Castagnoli is an adjunct professor of law at John Marshall School of Law, and Selby is a partner with Kennedys, an international law firm. Their discussion with the CIO roundtable was the foundation for our previous posts on cyber insurance. (Note: This discussion of attorney-client privilege applies only to the United States, and enterprises should work closely with legal counsel to manage these issues.)

Essentially, enterprises should review their incident response plans and relationships with existing security vendors and legal firms. What vendors and attorneys a company works with, when they work with them, and why they hire them will have a direct impact on the ability to maintain attorney-client privilege on critical documents. At the same time, what incident reports contain and how widely security teams distribute them will often determine their standing in any legal proceeding. Management teams that wait until after an incident to work through these issues create additional risk for the enterprise.

Understanding the Problem

Castagnoli and Selby outlined these first steps in understanding the privilege issue:

  • Assume You Will Lose Privilege: While organizations will fight for the privilege, they should assume they will lose those legal battles. Doing so will help control what information is in critical documents. Facts rarely enjoy privilege, so keep reports fact-based, excluding any reasoning or speculation based on inconclusive evidence. Conclusions based on opinions and theories should never find their way into incident reports that may end up as evidence in legal proceedings.

  • Follow the Akin Gump Checklist: Akin Gump, a law firm specializing in cyberlaw, created a checklist for conducting an IR in a fashion that maximizes the chances for maintaining the privilege and avoiding disclosure. The list focuses on how an organization chooses incident response vendors, who hires them, how they conduct the investigation, and what documents they create. 

  • Look at the Existing Case Law: Several recent cases are worth examining. Selby said that the decision in the Capital One case “lays out a roadmap of how courts are going to look at these issues and the pitfalls to avoid.” Castagnoli also said that Guo Wengui v. Clark Hill, PLC could provide valuable guidance.

Structure and Vendor Relationships

The combination of the Akin Gump Checklist and these court cases provides the best guidance for enterprises, at least for now. We won’t go into all of the gory details here, but Castagnoli and Selby did make these essential points:

  • Hire Outside IR Counsel: Internal security teams should follow their normal incident response processes, creating a report detailing what happened and what data the attack may have disclosed. The organization should also consider retaining a separate outside counsel specifically for the incident. That law firm may hire an independent incident response vendor that focuses on the root cause analysis. It may be possible to forgo a written root cause analysis entirely. But in cases where a written root cause analysis is necessary, following the Akin Gump guidelines increases the likelihood that a court of law may deem the incident report privileged. 

  • Hire a Different IR Vendor for Root Cause Analysis: Most organizations have preferred vendors that are familiar with their environments, which can make IR more efficient. But in the eyes of the courts, the transition from a vendor a company uses for “business purposes” to one it engages “in anticipation of litigation” is a tricky one. Using existing vendors and relying on pre-existing agreements and statements of work may substantially decrease the likelihood that a court will find an incident report created by that vendor privileged. Having dedicated outside counsel hire a different vendor (or have one on retainer) may increase the chances of maintaining privilege.

  • Review Agreements with Existing Security Vendors: Courts may view incident reports created under pre-existing statements of work and retainers as “business-related” work, not “attorney work product” prepared in anticipation of litigation. Carving out such language from existing vendor agreements can help.

  • Understand the Control Group: A control group is a tiny group of individuals who can communicate and share documents under attorney-client privilege. Castagnoli said CISOs “shouldn’t take it personally” if they’re excluded from this group, as it’s focused on potential litigation.

  • Limit the Distribution of the IR Report: In the Capital One case, the court focused on the fact that people distributed the incident report widely, both inside and outside of the company. The wide distribution caused the court to question whether the company prepared the report in anticipation of litigation or for more general business purposes.

Conclusion

Controlling the flow of information and properly structuring vendor relationships are essential elements of managing additional legal risk during an incident response. While we’ve provided a basic outline for approaching the problem, enterprises should work closely with legal counsel and their cyber insurance carrier to address the issue.

Jamie Lewis