- In any given cyber incident, security professionals have to momentarily shift gears and think like lawyers, according to Nick Merker, partner at Ice Miller LLP, while speaking at Black Hat earlier this month.
- While companies will have attorney-client privilege, some underlying facts of the security incident, such as the attacker's access point, are exceptions to that privilege, Merker said. "My analysis on your notification obligations, or the fact that I can't be brought to testify against you, that's what privilege is going to protect," he said.
- Companies cannot preserve partial privilege by redacting pieces of a report before submitting it to a regulator, he said. "If you disclose any portion of this document, you're going to waive privilege on the whole document," Merker said.
Short of a federal incident reporting law, depending on the type of incident, companies determine what they are willing to disclose. In some cases, too much transparency can reflect poorly on the company. In other cases, insufficient transparency is even worse.
While security professionals may not be deeply involved in the legal aspects of a security incident, they have to be aware of attorney-client privilege and where it balances against incident response. If a security professional who is not part of the privileged chain of communication implements a security solution the lawyer has mentioned, that act will waive privilege.
"Be very careful when you're communicating about the results of a security incident. If a lawyer sends you an email, then don't take that email and forward it on," said Merker. "Don't go down to the water cooler and start talking outside of the walls of privilege to other folks in the organization."
In anticipation of litigation, a company might be compelled to develop documentation for its defense, which was the case for Clark Hill. And as a result, as the case highlights, privilege can easily be waived following an incident, even though the organization followed best practices in incident response.
Guo Wengui is suing Clark Hill over a 2017 data breach that exposed his asylum in the U.S. Wengui accuses the law firm of insufficiently protecting his information. In anticipation of litigation, Clark Hill opened an investigation into the breach using a third-party cybersecurity company, eSentire, and another firm hired by its attorneys, Duff and Phelps.
But if a company wants to do a litigation defense investigation, it should be done separately from the ordinary course of business investigation, which is often recommended by attorneys.
The ordinary course of business investigation consists of typical security incident cleanup. It produces a forensic report describing the chain of events leading up to the attack and the restoration of systems. For Clark Hill, eSentire served that purpose, while Duff and Phelps was engaged to conduct the defense investigation.
However, the court told Clark Hill its two-track investigative approach was unsupported on the record, Merker said, and determined that the Duff and Phelps investigation was also the ordinary course of business investigation. The court called it paper privilege.
"Although Clark Hill papered the arrangement using its attorneys, that approach 'appears to [have been] designed to help shield material from disclosure' and is not sufficient in itself to provide work-product protection," the January 2021 memorandum said.
The Duff and Phelps report was "probably shared widely" within Clark Hill, including its leadership and IT organization, voiding the privileged purpose behind it, the court said. Clark Hill's misstep was in using its litigation defense report as a pseudo-ordinary business outcome report by showing it to stakeholders of the company, rather than treating it as attorney-client work product that would be protected.
Two-track investigations are typically recommended when done properly and should be a component of a company's incident response plan. But if a company were to take the recommendations or findings in its litigation report and inform its leadership, "that type of stuff is what's going to break privilege," said Merker.
"Don't share the report, don't share in a redacted form. Don't share it with regulators even when they ask — stand by your privilege, because once you share it, you're going to waive it," he said.