The outlines of the attorney-client privilege and work-product doctrine are well-established. But how should they apply when an organizational client suffers a cybersecurity event or other intrusion that results in a data breach?  Should information about the company’s security policies pre-breach and its post-breach response be given any enhanced protection? Under what circumstances?

The questions are burning ones, given recent data-security catastrophes that have exposed financial, health and other data of millions of people.  After each event, claimants quickly line up to file suit, and discovery demands for information inevitably follow.

Sedona Conference recommendations

The Sedona Conference, a non-profit, non-partisan institute whose working groups have been influential in e-discovery and other cutting-edge issues, recently published draft commentary recommending adoption of a qualified stand-alone protection for information prepared in a cybersecurity context, even when not involving communication with an organization’s lawyer.

The Working Group on Data Security and Privacy Liability noted in its 65-page Commentary (available for free download here) that cybersecurity and cybercrime are uniquely important, given that “American businesses and government agencies are under cyberattack twenty-four hours a day, seven days a week from criminal third parties,” and that “the federal government has declared this global cyber-crime wave a compelling national security concern, particularly in the area of critical infrastructure.”

Based on evaluating and balancing the competing interests, the Working Group proposed what it calls a “stand-alone cybersecurity privilege modeled on the work-product doctrine” that would extend to all documents and tangible things reflecting “mental impressions, conclusions, opinions, assessments, evaluations or theories” regarding a cyberattack, as well as “actual or potential actions in anticipation or response to a cyberattack.”

The proposed model would protect pre-breach cybersecurity information (“CI”) (and not just CI developed “in anticipation of litigation”), and information developed without participation of the organization’s counsel.

Lawyer involvement not needed?

The Working Group acknowledged that the expanded “qualified privilege” would protect a greater range of CI, although not all CI.  The proposal’s advantages, according to the Working Group:

  • it “would enable parties to take robust actions to protect themselves against and respond to third-party cyberattacks with greater (though not absolute) assurance that the CI they generate in the course of those efforts will not be used against them” later;
  • it “would enable parties to obtain significant (though not absolute) protection against the discoverability of CI without using attorneys to lead their efforts to protect themselves against, and respond to, third-party cyberattacks,” lessening “the incentive … for putting attorneys in charge of efforts to address being victimized by such criminal activities and/or taking other measures to avoid creating a discoverable record concerning those efforts (such as not conducting certain assessments that are not otherwise legally required, conducting such assessments less thoroughly, or not reducing them to writing).”

Room for skepticism

The Working Group’s efforts are a welcome addition to the debate on the complex issues surrounding CI and what protection it should receive. (Law360 has comments here.)  Case-law guidance in this context is sparse, and rulings have tended to be very fact-specific.

But there is room for skepticism about whether CI merits its own stand-alone privilege, even as limited and qualified as the Sedona Conference Working Group proposes.

There is some validity in the adage that the ultimate motivation for cybersecurity is good security. In other words, clients should and do establish robust cybersecurity policies and practices in order to protect data, not just with an eye on protecting CI in the event of a lawsuit following a breach event.

And while the data-protection stakes, including the national security implications, have never been higher, it seems difficult to argue that cybersecurity is so different from other compliance regimes – such as antitrust – that it merits its own stand-alone privilege.

Caution is called for here, because creating a new privilege might come back to bite in unintended ways.  For instance, after a cybersecurity event, the company’s own search for causes can extend to outside provider entities; would those entities be justified in invoking an expanded CI privilege to resist turning over information that the company needs to identify and resolve a threat or investigate a breach?

The comment period on the Working Group’s proposal closed in June, and the final report will issue after analysis of the comments.  The debate will undoubtedly continue.