Considering Legal Privileges in the Cybersecurity Context

Any organization that is cognizant of its cybersecurity obligations faces a fundamental problem: the greater the effort to increase security, the greater the number of documents generated, memorializing those efforts. Those documents could be discoverable in the event of litigation.

The law of privilege in the context of pre-breach planning, including application of the attorney-client relationship to third-party technology vendors and security engineers, remains largely uncharted. The thought leaders at The Sedona Conference are taking steps to help frame the dialogue and set the stage for development of decisional law in the area of privilege. The Sedona Conference working group 11 on data security and privacy liability (WG11) has released its draft “Commentary on Attorney-Client Privilege and Work-Product Protection in Cybersecurity Context.” While there is no established law on the topic, WG11 aptly outlines the established contours of privilege law, and provides a thoughtful discussion of the growing potential applications for such privilege in the cyber context:

  • Pre-breach assessments of the organization’s information security posture (e.g., technical and gap assessments)
  • Tabletop exercise handbooks and results
  • Internal audit reports
  • Reports to third parties (e.g., clients or insurers)
  • Post-hoc analyses of prior incidents
  • Forensic investigation of the breach
  • Draft information security policies and procedures
  • Communications with vendors and public relations firms

The inclusion of outside counsel in pre-breach planning, as well as incident response, remains an important step in establishing and protecting the attorney-client privilege. However, as pre-breach cybersecurity assumes its place among standard business operations, the inclusion of in-house counsel and third-party vendors may place strain on traditional notions of the attorney-client relationship. While this area of law develops, organizations are well advised to set parameters for addressing cybersecurity issues, and, like all potential litigants, to avoid generation of unnecessary documents and communications that could be subject to discovery.