Cybersecurity

Privileges
Understanding applicability in cybersecurity cases.

BY SHAWN E. TUMA AND JEREMY D. RUCKER

Texas Bar Journal • October 2018 • texasbar.com

Businesses are beginning to understand that cybersecurity is an overall business risk and not just a technical issue. Some are even beginning to see that there is a role for attorneys. But what is that role? If you listen to many in the cybersecurity, business, or legal communities, you will hear the same reason: because attorneys’ privileges keep everything confidential.

Protecting information from disclosure is an important objective in the cyber world. There is no such thing as being “secure.” There are always vulnerabilities that could have been found or remediated. There are always more things that a business could have done to protect its networks and secure its data—and the data of its customers, clients, patients, and consumers—if only it would have devoted more time, money, and resources to cybersecurity. The problem is, because it is impossible to be completely secure and be operational, businesses could devote all their resources to cybersecurity and, theoretically, still be insecure.

Businesses must treat cyber risk like they do other risks and use business judgment to determine what is reasonable cybersecurity for their unique circumstances. Such decisions, however, require them to use probability analysis and cost-benefit analysis to determine that some risks must be accepted as a part of doing business. This is a normal process for how businesses manage risk. It is also a Monday morning quarterback’s dream after a business has had an incident or data breach that has impacted others. A great example of how plaintiffs can use such information comes from Grimshaw v. Ford Motor Co.,1 the landmark case in which the “Ford Pinto Memo” was used to show that Ford knew the Pinto would explode under certain circumstances but, because it would cost $11 per vehicle to redesign, chose to accept the risk because it would cost less to defend against wrongful death lawsuits stemming from such explosions.



texasbar.com/tbj Vol. 81, No. 9 • Texas Bar Journal 691

This scenario is what businesses are hoping to avoid by protecting from disclosure information that is developed and used during their pre-incident cyber-risk management process. Once an incident has occurred, they also want to protect the information they discover through their investigations.

While “privileges,” whether attorney-client or the work-product doctrine, are certainly great selling points to these businesses to help protect such information, the real question is, are they really the magic wand for secrecy that many seem to believe?

The Attorney-Client Privilege and Work-Product Doctrine

The attorney-client privilege is designed to foster client confidence and unrestrained communication between a client and the client’s attorney. The attorney-client privilege provides that a client has a privilege to refuse to disclose and to prevent any other person from disclosing confidential communications made to facilitate the rendition of professional legal services to the client, or certain representatives of the client, and the client’s lawyer, or certain representatives of the lawyer.2

The work-product doctrine is designed to protect the attorney’s thoughts, conclusions, legal theories, and mental impressions. The work-product doctrine allows an attorney to explore both the favorable and unfavorable aspects of a case without the concern that opposing counsel will benefit from the attorney’s efforts. Under Texas law, “work product” comprises: “(1) material prepared or mental impressions developed in anticipation of litigation or for trial by or for a party or a party’s representatives;” or (2) a communication made in anticipation of litigation or for trial between or among a party and the party’s representatives.3

The key takeaway for cybersecurity-related situations is that the attorney-client privilege protects only confidential communications between an attorney (or the attorney’s representatives) and the client (or the client’s representative and the client’s lawyer or the lawyer’s representative) that were not intended to be disclosed. The work-product doctrine is similarly limited in that it only protects communications, information, and materials made or developed in anticipation of litigation or trial. Because of these limitations, one can see that, while these privileges are powerful when they apply, they can also be quite fragile and uncertain.

Lessons From Recent Cases

Courts have undertaken complex and fact-specific inquiries to determine if the attorney-client privilege or the work-product doctrine apply in data-breach litigation cases. The leading cases demonstrate just how precarious it can be to rely too heavily on privileges while also providing examples of effective strategies that may improve the chances of protecting certain information.

Use two separate outside teams for investigating in the ordinary course of business and in anticipation of litigation. The court in In re Target Corp.4 found that where Target’s counsel retained an outside cybersecurity firm to investigate the incident using two separate teams with different objectives, Target’s counsel could protect certain information from disclosure. One team’s objective was to assist Target’s outside legal counsel in anticipation of litigation; the other was to conduct an ordinary course of business investigation that was also required by the credit card brands. Target did not assert attorney-client privilege or work-product doctrine for the information obtained by the second team. Target did for the information obtained by the first team. The court denied the plaintiffs’ motion to compel, finding that the items were protected by the attorney-client privilege and the work-product doctrine because Target demonstrated that the work on the privileged-track team was focused on informing Target’s outside legal counsel and in-house counsel team about the breach so that counsel could provide legal advice and prepare to defend the company in litigation.

Outside counsel’s role in the investigation should be active and substantive, not perfunctory. The court in In re Premera Blue Cross Customer Data Sec. Breach Litig.5 found that the attorney-client privilege and work-product doctrine did not protect information where, though outside legal counsel was given the perfunctory role of “supervising” the investigation, that label alone was meaningless without true substantive involvement by legal counsel. Premera Blue Cross was sued following a data breach and hired a cybersecurity firm to assess the security of its network. After the firm discovered malicious software on Premera’s network, Premera retained outside legal counsel and amended the statement of work with the cybersecurity firm to state that outside counsel was supervising the investigation. When the plaintiffs sought certain information prepared by the cybersecurity firm, the court found such information was not protected by the attorney-client privilege or the work-product doctrine because the investigation did not materially change after outside legal counsel began supervising the investigation.

Obtain outside counsel first, have counsel retain the investigators, limit dissemination of information. In In re Experian Data Breach Litigation,6 the court found that even though Experian had an independent business duty to investigate an incident, by retaining outside legal counsel, who then retained a cybersecurity firm to conduct the investigation and prepare a report to assist counsel in providing legal advice in anticipation of litigation, such report (and related information) was protected under the work-product doctrine (without addressing the attorney-client privilege claim). The court explained that, in situations such as this, courts look at surrounding circumstances to determine if the information was really prepared “because of” litigation. In this case, dissemination of the report was extremely limited and the law firm only provided it to Experian’s in-house legal department, not to its incident response team or those working on remediation of the systems, and when shared with Experian’s client, it was pursuant to a joint defense agreement and redacted.

Best Practices

The applicability of privileges in the cybersecurity context is a developing area of the law but there are some best practices that can be gleaned, though they too will likely evolve as the law develops:

1) Remember that the attorney-client privilege applies to communications and does not shield facts, and the work-product doctrine only applies in anticipation of litigation.

2) Because of the precarious nature of privileges, the best course of action is to prepare by doing everything possible to ensure applicability of privileges but carry out the work as though there will be no privilege. There may not be.

3) Explain this uncertainty and strategy to your clients and discuss communications protocols with appropriate members of the workforce so they understand what types of things should and should not be put into writing. And, make sure they understand that “writing” includes everything from traditional memos to emails, text messages, Slack, Jabber, and every other form of electronic communication.

4) You do not have to produce what doesn’t exist. If you do not have to have something in writing, do not put it in writing.

5) When something must be put into writing, because there are no guarantees that drafts will be protected, forgo having multiple “drafts.”

6) Understand that simply copying an attorney on a communication may not be sufficient to establish the protections of the attorney-client privilege or the work-product doctrine. The attorney must truly direct the communications.

7) Label documents and email subject lines to show that the communication is attorney-client privileged, that the information is requested by counsel, and copy counsel on such communications.

8) For communications between clients and counsel, segregate those regarding legal advice from those that are not legal in nature but pertain to purely business issues.

9) For pre-incident risk management engagements, one way to help with the applicability of privilege is to hire the attorney first for the purpose of providing the client with legal advice on the legal and regulatory implications of its cyber-risk posture. Then, the attorney should retain those consultants that are needed to determine what the client’s cyber-risk posture is and how it can be improved, which should be clearly stated in the engagement agreement. The attorney should direct the work of those consultants and maintain a prominent role in the process so the consultants report to the attorney, who then uses the consultants’ work to render legal advice that is only shared in a controlled manner within the organization. In other words, the attorney’s role in this process should be legitimate, not perfunctory.

10) For incident response situations, the client should retain legal counsel first. Counsel should then determine whether parallel investigative tracks are desirable. Counsel should then retain the appropriate consultants and ensure the engagement agreement clearly states the consultant’s role vis-à-vis counsel as well as the objective of the investigation. Then, counsel should actively and substantively lead the investigation and use the consultants’ work to render legal advice that is only shared in a controlled manner within the organization.

Because the “privilege wand” may not be quite so magical, how can attorneys add real value for businesses with cyber-risk management? Attorneys who are experienced in dealing with cyber risk are able to help businesses understand how to assess and manage their unique cyber risk, including potential legal and regulatory liability. Those who regularly serve as a “breach guide” or “breach quarterback” will have experienced numerous cyber incidents and data breaches, experience that is invaluable for helping them develop an effective strategy for prioritizing their resources based upon their real-world risks and business needs. Finally, and perhaps most importantly, when a business has an incident, experienced counsel can help them understand when the incident is—and is not—a true data breach. While often a fine point, for some this can be a “bet the company” distinction. TBJ

Notes

1. 119 Cal. App. 3d 757 (1981).
2. Tex. R. Evid. 503.
3. Tex. R. Civ. Proc. 192.5. Note, the authors recognize that this is a doctrine and not a true “privilege.”
4. In re Target Corp. Cust. Data Security Breach Litig., 2015 WL 6777384 (D. Minn. Oct. 23, 2015).
5. In re Premera Blue Cross Customer Data Security Breach Litig., 2017 WL 4857596 (Dist. Or. Oct. 27, 2017).
6. In re Experian Data Breach Litig., 2017 WL 4325583 (C.D. Cal. May 18, 2017).

SHAWN TUMA is an attorney widely recognized in cybersecurity and data privacy law, areas in which he has practiced for nearly two decades. He is a partner in and co-chair of the Cybersecurity & Data Privacy Practice Group at Spencer Fane and works in its Dallas and Collin County offices.

JEREMY RUCKER is an associate attorney of Spencer Fane, where he focuses on cybersecurity, data privacy, and corporate transactions. His practice extends to advising clients on data security and compliance, privacy, and breach response.