Influential Sedona Conference Releases Key Guidance for Attorney-Client Privilege and Work-Product Protection in Cybersecurity Matters

Orrick, Herrington & Sutcliffe LLP

With significant input from Orrick’s Cybersecurity, Privacy and Data Innovation team, the influential Sedona Conference and its Working Group 11 last week published important guidance on the application of the attorney-client privilege and work-product protection in the cybersecurity context. The comprehensive Sedona Conference commentary provides a framework for federal and state policymakers to amend existing law in several respects, including carving out a limited privilege for information prepared in the cybersecurity context without the involvement of lawyers.

Partner Doug Meal, head of our cyber and privacy litigation practice, served as vice-chair of the conference’s Working Group 11 steering committee and editor-in-chief of the team that drafted the commentary, released in April for public comment. The conference’s Working Group 11 is the body charged with addressing legal issues in the Privacy & Cybersecurity area, and its membership includes a cross-section of prominent plaintiffs’ and defense lawyers, regulators, forensic experts, law professors, judges, in-house counsel and others who specialize in privacy & cybersecurity law.

The Commentary released last week evaluates the application of the attorney-client privilege and work-product protection to an organization’s cybersecurity information (CI). The Commentary seeks to move the law forward by assessing the arguments for and against the discoverability of CI being determined under general principles of attorney-client privilege and work-product protection law as opposed to modifying those principles in the context of CI. Finally, the Commentary considers various proposals for adapting existing attorney-client privilege and work-product protection law, or developing entirely new protections, in the CI context.

Doug and David Cohen, Of Counsel in our cyber and privacy practice who also worked on the project, provide these key takeaways from the Commentary, which will be particularly useful to in-house counsel seeking to understand what factors courts currently use to determine whether the privilege and protection will apply to documents/communications generated before and after a cyber breach.

Among the key findings:

  • There are only a handful of cases addressing whether the attorney-client privilege or work-product protection applies in the cybersecurity context under current law, but those that do provide invaluable guidance:
    • The primary question courts look to here, just like outside the cybersecurity context, is whether the communication was made to solicit or render legal advice or in anticipation of litigation.
    • Companies seeking to claim the privilege or protection will need to be prepared to prove up their claim. The privilege/protection determination is heavily influenced by the degree to which lawyers were involved in the circumstances surrounding the creation of the information. But merely getting counsel involved in a project does not automatically make the documents or communications protected. Rather, courts will carefully scrutinize the evidence, including declarations companies submit, to assess whether legal advice was the primary purpose of the document/communication and whether it was made because of anticipated litigation.
    • Using outside counsel for legally driven cybersecurity projects can strengthen a company’s privilege/protection claim. Communications with in-house counsel may be less likely to be considered privileged, particularly with respect to documents that arguably have both a business and legal purpose (e.g., security assessments or breach investigations), since it may be less clear to the court whether legal concerns were the driver.
    • Companies seeking to preserve the privilege or protection will need to be careful when sharing CI. Disclosing it to the wrong people outside the company, or sometimes even within the company, can waive the privilege or protection.
  • The Sedona Conference Commentary advocates for an expansion of the protection afforded to CI under current law. Specifically, it calls for a qualified stand-alone cybersecurity privilege that would not depend on whether lawyers and/or litigation concerns were sufficiently involved in the creation of the information, and it calls for a “no waiver” doctrine providing that disclosure of CI to law enforcement would not waive any privilege or protection.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising
