Do the Legal Rules Governing the Confidentiality of Cyber Incident Response Undermine Cybersecurity?
It’s not entirely clear to what extent law firms’ emphasis on protecting attorney-client privilege and work product immunity alters the course of data privacy investigations.
Published by The Lawfare Institute
in Cooperation With
When businesses suspect that they may have experienced a cyber incident, their first call is typically not to a cybersecurity firm, public relations outfit or even their cyber insurer. Instead, it is increasingly to a lawyer. These lawyers—many of whom market themselves as “breach coaches”—then coordinate all subsequent elements of the response to their client’s potential cyber incident, including the efforts of the client’s internal personnel and those of third-party cybersecurity and public relations firms that the lawyer hires directly. More than 4,000 cyber incidents in 2018 were handled in this manner. Similarly, the cybersecurity firm Crowdstrike reports that 50 percent of its investigations were directed by an attorney in 2020. This approach is accepted so widely that in-house attorneys explicitly recommend it in their professional publications and many cyber insurers provide policyholders with 800 numbers to call in the event of a cyber incident that go directly to an independent law firm rather than the insurer.
Lawyers’ pole position in coordinating cyber incident response is driven predominantly by their capacity to shield any information that is produced during that process from discovery in a subsequent lawsuit. Under long-standing case law, communications between consultants and attorneys who hire them to help provide legal advice to a client are shielded by the attorney-client privilege. Additionally, any documents and mental processes of third-party consultants that are produced in reasonable anticipation of litigation—whether or not they are communicated to the attorney—are similarly shielded from discovery under the work product immunity doctrine.
Putting lawyers, rather than technical security firms, in charge of data breach investigations can influence the incident response process in many ways, and it’s not entirely clear to what extent law firms’ emphasis on protecting attorney-client privilege and work product immunity alters the course of those investigations. We are an interdisciplinary group of researchers—in law, political science and computer science—who are investigating this question. We are particularly interested in the prospect that these confidentiality doctrines have the potential to significantly undermine the efficiency and effectiveness of cybersecurity controls and processes. To look at this question, we are interviewing and surveying a broad range of participants in the cybersecurity ecosystem—including breach coach lawyers, cyber-insurance personnel and digital forensic investigators.
Some of the potential distorting effects of attorney-client privilege and work product doctrine are well known, if only because they have played out so visibly in high-profile data breaches. For instance, several salient cases suggest that firms wishing to preserve the confidentiality of their post-breach efforts should consider launching dual investigations, with one focused on understanding the root causes of an incident and potential security solutions, and the other intended solely to facilitate the efforts of the company’s lawyers. Doing so can limit the risk that post-breach assessments of legal and regulatory risks may be discoverable because they are combined with nonlegal materials, such as recommendations for improving future cybersecurity protocols. This was the strategy that Target employed when hackers stole 41 million payment card numbers from the retailer in 2013. In holding that the results of the second investigation were shielded from discovery in a subsequent class-action lawsuit, the court emphasized that this investigation was conducted solely for legal purposes. Not only does this approach have the obvious potential to inflate the costs of cyber incident response, but it may well undermine the effectiveness of such responses by creating confusion about the distinct responsibilities of the two investigative teams.
By contrast, when firms victimized by cyberattacks have tasked cybersecurity firms with both supporting their lawyers and helping them to shore up their technical defenses, courts have been much less willing to treat any resulting communications as privileged. This was the result when health insurer Premera hired security firm Mandiant to conduct a security audit, which detected a year-long breach that affected 11 million customers’ personal information. After the breach was discovered, Premera amended Mandiant’s statement of work and instructed it to report directly to its external counsel. In holding that Mandiant’s ultimate report was not protected by privilege, the court emphasized that Mandiant had been engaged prior to the discovery of the breach and that its report was not solely intended to provide legal advice. Documents, the court reasoned, “prepared for a purpose other than or in addition to obtaining legal advice and intended to be seen by persons other than the attorney” are not privileged.
Unlike Premera, Target was willing to go to extreme—and expensive—lengths to protect that attorney-client privilege in the aftermath of its 2013 breach, perhaps because it knew that the incident was likely to lead to litigation. But for many breached firms, paying for a dual-track investigation is costly and inefficient. Nor is it entirely clear that it’s a necessary step for preserving attorney-client privilege. A 2021 ruling held that a forensics report for a 2018 data breach of the Marriott hotel chain was privileged, even though the report was prepared by IBM, which had also provided pre-breach security services to Marriott. Though IBM had been working with Marriott since 2011, following the investigation, the company entered into a new statement of work with Marriott and BakerHostetler, the law firm the hotel chain retained to manage the breach investigation.
Our preliminary investigations suggest that attorney-client privilege and work product doctrine create potential distortions that may go much deeper than triggering occasional inefficient dual-track cyber-incident investigations. For instance, in the course of our initial conversations with participants in the cybersecurity ecosystem, we have learned that lawyers coordinating cyber-incident investigations routinely refuse to make forensic reports produced by cybersecurity firms available to cyber insurers. Such disclosure, these attorneys worry, could constitute a waiver of attorney-client privilege. Irrespective of the accuracy of this concern—which has not yet been tested in court—this practice may deprive insurers of potentially useful information that they could use to improve their underwriting processes or to advise other policyholders. Some attorneys, moreover, go even further, instructing their clients and cybersecurity firms not to disclose forensic reports to the client’s internal information technology (IT) personnel, lest a court interpret that report to have been produced for business, rather than legal, purposes.
Some of our preliminary discussions suggest even more fundamental ways in which lawyers’ efforts to preserve confidentiality may undermine cybersecurity. For instance, some industry participants tell us that attorneys increasingly instruct forensic investigation teams not to record their findings in a written report at all, because of the potential that such a report could make its way into the hands of plaintiffs’ lawyers. Instead, forensic experts are instructed to explain the results of their investigations either via stripped-down PowerPoint presentations or through entirely oral presentations. This, of course, raises the prospect that any information communicated to clients that may allow them to improve their cybersecurity efforts in the future will not be fully understood by them or accurately communicated to others within the firm.
Similarly, the rules governing confidentiality appear to create the perverse incentive for firms to hire different security firms to run post-breach investigations from the ones that already provided pre-breach monitoring services. This reduces the speed of response as another firm must be engaged, contracted and provided with network access, all while an adversary has already infiltrated the target’s networks. Further, the new firm may be unfamiliar with the network environment, often needing to navigate new software and IT portals to access monitoring tools and the corresponding logs.
Perhaps most perniciously of all, current rules may even disincentivize firms from taking proactive steps to conduct cybersecurity audits or other forms of monitoring. Since privilege and work product immunity attach only to documents produced when a firm reasonably anticipates litigation or communicates with attorneys to secure legal advice, these protections may not apply to materials produced to help detect a future breach. So companies may be less inclined to engage in those efforts directly or to hire cybersecurity firms to do so on their behalf. And even when they do, they may be reluctant to use the same firms for post-breach investigations that they hired for pre-breach monitoring, even if the firms coordinating pre-breach monitoring are more familiar with their computer systems and could conduct a faster forensic investigation.
Beyond distorting what information is documented and shared, current confidentiality rules create operational and business complexities. Because they place lawyers at the center of incident response, they cause law firms to charge large hourly fees, control communications, and even choose which forensics firms are hired. This disrupts established relationships and work patterns between internal IT firms and external cybersecurity vendors. In some cases this disruption may produce a variety of benefits that have nothing to do with confidentiality. For instance, some lawyers claim they are particularly adept at efficiently managing multiple work streams spanning technical investigation, ransomware negotiation, regulatory notifications, public relations and insurance. Others dispute these alleged benefits; some security professionals claim that centralizing communications through lawyers creates bottlenecks and delays, and even accuse lawyers of unmeritocratic hiring.
We are still working to understand the prevalence of these different practices for preserving attorney-client privilege, and their impact on the investigation process and findings. But policymakers, insurers and security researchers are all struggling to assemble reliable datasets about cyber threats and the effectiveness of different countermeasures. The Cyberspace Solarium Commission report issued in 2020 even recommended that Congress establish a new Bureau of Cyber Statistics specifically to collect statistical data on cybersecurity. So it’s worth considering how concerns about attorney-client privilege and work product doctrine may be contributing to those challenges by influencing the processes for investigating breaches, sharing and aggregating information about those breaches, and learning from past cybersecurity incidents.
It’s not clear how big a problem confidentiality considerations are for cybersecurity investigations and data collection, so it’s hard to know what the right solution is—or, indeed, if any solution is even needed. Jeff Kosseff has proposed the creation of a “stand-alone privilege for cybersecurity work” so that firms will be less reluctant to hire security professionals to assess and audit their computer systems. But it’s also possible that creating new privileges around cybersecurity could make it harder for people to sue firms in the aftermath of breaches, thereby limiting those firms’ accountability. On the other hand, it remains an open question how effective such lawsuits have been at incentivizing better cybersecurity practices.
The influence of attorney-client privilege and work product immunity on cybersecurity raises many more similarly open questions. It seems possible that the doctrines governing attorney-client privilege and work product have had the unintended consequences of undermining cybersecurity, information sharing about data breaches, and insurers’ ability to collect empirical data about cybersecurity incidents and the most effective countermeasures to prevent and mitigate those incidents. Given how central lawyers have become to breach response, and how high a priority maintaining confidentiality is for many of them, these questions are worthy of more study and attention as technical experts, policymakers and insurers all grapple with the best ways to learn from cybersecurity incidents. We would welcome any readers with experience on these issues to contact us directly so that we can learn more about how the laws governing attorney-client privilege and work product can promote, or undermine, effective cybersecurity.