The outlines of the attorney-client privilege and work-product doctrine are well-established. But how should they apply when an organizational client suffers a cybersecurity event or other intrusion that results in a data breach?  Should information about the company’s security policies pre-breach and its post-breach response be given any enhanced protection? Under what circumstances?

The questions

Law firm cybersecurity is in the news again with two developments. First, the latest ABA TechReport says that large law firms were more likely to be victims of a data security breach last year than mid-size or small firms, with one in seven respondents having been hit overall. That’s a big deal. Next, a federal class action complaint in what is thought to be the first suit attempting to base liability solely on a U.S. law firm’s allegedly inadequate cybersecurity was unsealed on December 9. But that suit possibly turns out not to be such a big deal.
Continue Reading

PhishingAs Willie Sutton supposedly said, he robbed banks “because that’s where the money is.”  That also explains why law firms and lawyers are increasingly the targets of cyber-intrusion, particularly phishing scams.  Apparently, phishing in legal waters can yield a full net of stolen information.

“Most likely” to take the bait

Verizon’s 2015 Data Breach