Attacks/Breaches

7/6/2021 10:00 AM

8 Ways to Preserve Legal Privilege After a Cybersecurity Incident

Knowing your legal distinctions can make defense easier should you end up in court after a breach, attack, or data loss.

When an organization faces a cybersecurity incident, taking appropriate steps to preserve the attorney-client privilege and work-product protection is critical, particularly given that government investigations or litigation can follow. Courts are applying the privilege more narrowly and may require a company to disclose documents in litigation that the business believed were confidential, including details on how a company was compromised and how many of its clients were affected by the attack.

Earlier this year in Wengui v. Clark Hill, a federal court declined to apply the privilege to a consultant's investigative report on a cyber breach, even though the consultant had been retained by counsel. The court found that the defendant company relied on the report solely for its root cause analysis, work that would have occurred in the ordinary course of business regardless of any litigation.

Generally, to protect communications and work product, an organization must demonstrate that they were made for the purpose of obtaining legal advice or in anticipation of litigation, not for ordinary business reasons. Here are eight key actions organizations should take to preserve privilege during a cybersecurity incident.

Involve Counsel at the Outset
Counsel should lead and supervise every aspect of a breach investigation. If a cyber incident has occurred or is suspected, in-house counsel should be notified promptly. But because in-house counsel often provide both business and legal advice, it is prudent to retain outside counsel as well; some jurisdictions apply the privilege only to communications with external counsel.

Counsel Should Retain Third Parties
Counsel, not the company, should retain third parties such as forensic teams, under a retainer agreement stating that the third party is being engaged to assist counsel in providing legal advice in anticipation of litigation. If the company retains them directly, a court is more likely to find that the resulting work product was prepared in the ordinary course of business.

Have a Separate Vendor Agreement for Breach Response 
Organizations retain vendors to perform a variety of routine work from penetration testing to audits. If an organization retains the same vendor in response to a cyber incident, breach counsel should retain them under a separate agreement and clearly define the incident-specific scope of work as distinct from the pre-existing business relationship. Communications and work product are more likely to remain confidential if a distinct statement of work is used for breach response rather than a master services agreement.

Treat Legal Fees as a Legal Expense 
Characterizing legal fees as a business, IT, or cybersecurity expense may be convenient for budgets, but it can make a legal investigation look like a business one. To avoid disclosure, an organization should pay legal fees out of its legal budget.

Separate Business from Legal Communications
Organizations should avoid mixing protected information with communications that serve ordinary business purposes. Employees should label documents "Privileged and Confidential," "Prepared at the Direction of Counsel," or "Prepared in Anticipation of Litigation" when the document relates to legal advice or anticipated litigation. Where feasible, organizations should run a dual-track investigation in which one team investigates in the ordinary course of business and a separate team, working for counsel, provides the organization with legal advice.

Consider Whether a Report Is Necessary
If a report is needed, state in writing that it is being prepared for the purpose of anticipated litigation or legal advice.

When there is a cyber incident, counsel relies on a forensic team to understand what happened and to formulate the legal strategy. That analysis is often memorialized in a report, which unsurprisingly is sought in discovery in litigation or a regulatory proceeding. An organization should first consider whether it needs a written report at all; if it does, the report should avoid business matters and should include counsel's mental impressions, conclusions, and legal opinions.

Limit Distribution of Protected Information 
Organizations should avoid sharing the forensics report or other protected communications with third parties and even employees beyond those who need to know. This includes not using the report for business purposes, like public relations or responding to shareholder inquiries. Distribution should be tracked to demonstrate limited distribution. If information must be shared more widely, provide it in a way that will not compromise the privilege or work product protection. 

For example, provide a separate nonprivileged summary report to a board of directors, public relations consultant, auditor, or regulator. If an organization must disclose the full report, for example, to comply with regulatory requirements, the organization should expressly state that it does not intend to waive privilege through disclosure. 

Continue to Guard Against Risk of Disclosure, Even if Information Is Protected
Though privilege can prevent disclosure, organizations should assume protected information could be disclosed. Therefore, in protected communications and work product, avoid speculating, discussing matters that are outside the scope of a cyber incident, and including damaging business information that is peripheral to the investigation.

The law around what is attorney-client privileged or work product is constantly evolving. Nevertheless, best practices can make disclosure less likely. Upon discovering an incident, retaining counsel who then retains third parties with agreements specific to incident response is key.

Similarly, bifurcating business from legal analysis in investigations is critical, including providing reports on a need-to-know basis and paying legal expenses from legal budgets. Finally, and importantly, by assuming disclosure can happen, organizations can limit the amount of information that is subject to disclosure in the first place.

Caroline Morgan is a Partner at Culhane Meadows PLLC, the largest national women-owned full-service law firm in the country. She counsels companies on navigating state, federal and international data privacy and breach notification laws, including the California Consumer ...

Comments
CarolineMorgan (Author), 7/12/2021 10:13:05 PM
Re: Relate advice here to cyber liability insurance
As a disclaimer, please note that I am not providing legal advice and these communications do not create an attorney-client relationship. Some carriers have third-party vendors that are approved, just like they have panel counsel. That said, the attorney can still retain the vendor even if ultimately the carrier is paying.

dapa1206 (Apprentice), 7/8/2021 9:15:06 AM
Relate advice here to cyber liability insurance
Really good read. Thank you. Regarding how forensic skills are brought in under legal rather than business auspices, what about instances where cyber liability insurance is invoked? Often in the policy the provider has a list of forensic servicers and may be involved in brokering those services. Is there any specific advice around maintaining the attorney-client privilege when getting forensic (or other) services via the cyber insurance instrument?