Academic Study Uncovers How Legal Privilege Undermines Cybersecurity

“In their zeal to preserve the confidentiality of incident response efforts, lawyers frequently undermine the long-term cybersecurity of both their clients and society more broadly.”

That’s the disturbing conclusion of the research paper “How Legal Privilege Undermines Cybersecurity” by Daniel Schwarcz (University of Minnesota Law School), Josephine Wolff (The Fletcher School of Law and Diplomacy, Tufts University) and Daniel W. Woods (University of Edinburgh), based on interviews with attorneys and security, risk and insurance professionals.

The paper details how attorneys influence both ongoing cyber risk assessments and post-incident reporting to make sure no paper trail exists that could be discovered and used as evidence in a lawsuit. The study found that “Lawyers said they explicitly tried to prevent risk assessment reports that showed significant or glaring vulnerabilities (e.g., color-coded with red labels or dramatic ‘high-risk’ warnings),” effectively putting legal defense ahead of cyber defense.

Here’s an important legal distinction for cybersecurity and risk professionals to understand. Courts have held that pre-incident risk assessment reports are typically not protected by attorney-client privilege: they are part of the organization’s normal work, done for business purposes. Firms have a better chance of protecting post-incident reporting under attorney-client privilege or the work-product doctrine, because those investigations can more plausibly be said to have been done in anticipation of litigation than pre-breach security work. The finding that lawyers also get involved in pre-incident reporting is an indication of the extent of their influence.


Lawyers at the Center of Cybersecurity

As study co-author Josephine Wolff explains, “The big security firms that do security audits, run tabletop exercises and do risk assessments are often contracted through a law firm, and reporting is being sent to legal representation before it goes to the client… We heard from some of the lawyers, if assessments or audits say your security is really bad, then that will never reach the client. They don’t want it to be discoverable in the event there is a security incident.”

Likewise, incident responders and forensic firms “feel constrained because if they say anything the lawyers don’t like, they’re not going to hire them for their other clients.”

To take it from a lawyer’s point of view, court rulings in recent years on evidence and discovery, particularly in the Capital One data breach case in 2020, turned what had been best practice on its head. Capital One argued that it had hired Mandiant for an incident investigation in preparation for an expected legal challenge, but the judge ruled that the report was not privileged and had to be turned over to the plaintiffs because, among other reasons, the bank had waived privilege by giving the report to its cybersecurity staff.

As a result, says Wolff, an associate professor of cybersecurity policy at The Fletcher School, “Lawyers said to us, ‘We never let the forensic firms write down recommendations in a report. As soon as you have a recommendation written down, the courts will say, well, why didn’t you look at this thing? Clearly you are negligent.’” Wolff says that lawyers often insist that incident reporting take place on Zoom calls to avoid a written record.

Solutions to Legal Privilege vs Cybersecurity

To get a useful incident report, Target ran two forensic breach investigations after its breach, Wolff says: one commissioned by lawyers so that it stayed privileged, and another done for business purposes that was discoverable. Another tactic: get a report that contains just the facts about the incident (which are always subject to discovery) but no recommendations (the part that can get you into legal trouble).

“The real answer to the question is we need some policy reform so you can do an investigation in a way that you don’t have to constantly worry this is going to show up in court,” Wolff says.

Wolff and her co-authors offer two main suggestions:

>>A cybersecurity privilege for cyber professionals and their clients, much as courts now recognize doctor-patient privilege.

>>Better information sharing about cyber incidents, by increasing requirements to report to the federal government or some private information-gathering entity, to glean what can be learned from incidents without revealing too much confidential information.

What’s been your experience with legal issues around cyber risk assessments or cyber incident reporting? Share in the comments section below.