Bill Gates stated, “security is our top priority because for all the exciting things you will be able to do with computers - organizing your lives, staying in touch with people, being creative - if we don't solve these security problems, then people will hold back.” Truth, Bill. Large and small businesses battle this balancing act daily. Computers need to enhance our lives without sacrificing our peace of mind. An entire industry has popped up to address the “peace of mind” concern, and an entirely new era of class action lawsuits have arisen in response to the issue of compromised data.
Once litigation or a government inquiry commences related to compromised data, companies face discovery requests demanding all of their pre and post-breach activity. In both situations, companies are engaging attorneys (both in-house and outside counsel) to assist with drafting and implementing defensible security practices and post-breach response protocols. However, attorney involvement can create tension that can disincentivize the flow of integral information about a company’s security practices with law enforcement officials because of a fear of privilege waiver. Examples of such information include reports regarding internal exercises to locate gaps in the company’s current policies and protections, or a post-breach audit aimed at remediation to better protect consumers in the future. This kind of activity should be encouraged, but a company could reasonably fear that documentation of cyber vulnerability could later be discovered – and used against the company – in litigation.
The Sedona Conference recently published a commentary on the application of privilege in the cybersecurity context, advocating for reform. See Commentary on Application of Attorney-Client Privilege and Work Product Protection to Documents and Communications Generated in the Cybersecurity Context, Sedona Conf. (public comment version April 2019) [hereinafter Commentary]. After significant discussion of the current state of the law in this area, the Commentary provides a two-part proposal aimed at giving data holders clarity and protecting the substantive public interest at stake. Id. at 36.
First, the Commentary proposes a qualified stand-alone cybersecurity privilege. This privilege would include workable and limited standards as to what qualifies for the privilege, an ability to require disclosure where a substantial need can be shown, and documentation of data withheld (i.e., privilege log). Id. at 45. Essentially, creating an extension of the work product doctrine in the cybersecurity context that does not require the litigation element, but rather “in anticipation of or in response to a cyberattack.” Id. at 46. Further, the protection would not extend to the underlying facts, but rather would protect mental impressions, conclusions, opinions, etc. Id.
Second, the Commentary proposes that state and federal law recognize a selective waiver doctrine wherein disclosure of certain data or information to law enforcement would not constitute a waiver of privilege. Id. at 51. Similar to protections afforded to certain disclosures to the Cybersecurity and Infrastructure Security Agency (CISA), information could be quickly and freely shared with law enforcement agencies without the need to first review it for privilege. Id. at 54. Bank Examiner waiver protection or those protections afforded to a Suspicious Activity Report set a solid precedent that in some cases the public interest outweighs a litigant’s right to receive certain relevant data. This would encourage timely and full disclosure of information surrounding a data breach and ultimately benefit the victims of an attack.
There is similarly a public interest in protecting communications related to cybersecurity in an effort to encourage frank and open conversations about corporate policies. “Ideally the rules for disclosure of [pre and post-breach cybersecurity-related documents and communications] would promote robust cybersecurity practices and policies. Companies should do what they can to protect information and computer networks, and the law should help them do that.” Id. at 38.
