When businesses suspect that they may have experienced a cyber incident, their first call is typically not to a cybersecurity firm, public relations outfit or even their cyber insurer. Instead, it is increasingly to a lawyer. These lawyers, many of whom market themselves as breach coaches, then coordinate all subsequent elements of the response to their client's potential cyber incident, including the efforts of the client's internal personnel and those of third-party cybersecurity and public relations firms that the lawyer hires directly. More than 4,000 cyber incidents in 2018 were handled in this manner. Similarly, the cybersecurity firm CrowdStrike reports that 50 percent of its investigations were directed by an attorney in 2020. This approach is accepted so widely that in-house attorneys explicitly recommend it in their professional publications and many cyber insurers provide policyholders with 800 numbers to call in the event of a cyber incident that go directly to an independent law firm rather than the insurer.
Lawyers' pole position in coordinating cyber incident response is driven predominantly by their capacity to shield any information that is produced during that process from discovery in a subsequent lawsuit. Under long-standing case law, communications between consultants and attorneys who hire them to help provide legal advice to a client are shielded by the attorney-client privilege. Additionally, any documents and mental processes of third-party consultants that are produced in reasonable anticipation of litigation, whether or not they are communicated to the attorney, are similarly shielded from discovery under the work product immunity doctrine.
Putting lawyers, rather than technical security firms, in charge of data breach investigations can influence the incident response process in many ways, and it's not entirely clear to what extent law firms' emphasis on protecting attorney-client privilege and work product immunity alters the course of those investigations. We are an interdisciplinary group of researchers (in law, political science and computer science) who are investigating this question. We are particularly interested in the prospect that these confidentiality doctrines have the potential to significantly undermine the efficiency and effectiveness of cybersecurity controls and processes. To look at this question, we are interviewing and surveying a broad range of participants in the cybersecurity ecosystem, including breach coach lawyers, cyber-insurance personnel and digital forensic investigators.
Some of the potential distorting effects of attorney-client privilege and work product doctrine are well known, if only because they have played out so visibly in high-profile data breaches. For instance, several salient cases suggest that firms wishing to preserve the confidentiality of their post-breach efforts should consider launching dual investigations, with one focused on understanding the root causes of an incident and potential security solutions, and the other intended solely to facilitate the efforts of the company's lawyers. Doing so can limit the risk that post-breach assessments of legal and regulatory risks may be discoverable because they are combined with nonlegal materials, such as recommendations for improving future cybersecurity protocols. This was the strategy that Target employed when hackers stole 41 million payment card numbers from the retailer in 2013. In holding that the results of the second investigation were shielded from discovery in a subsequent class-action lawsuit, the court emphasized that this investigation was conducted solely for legal purposes. Not only does this approach have the obvious potential to inflate the costs of cyber incident response, but it may well undermine the effectiveness of such responses by creating confusion about the distinct responsibilities of the two investigative teams.
By contrast, when firms victimized by cyberattacks have tasked cybersecurity firms with both supporting their lawyers and helping them to shore up their technical defenses, courts have been much less willing to treat any resulting communications as privileged. This was the result when health insurer Premera hired security firm Mandiant to conduct a security audit, which detected a year-long breach that affected 11 million customers' personal information. After the breach was discovered, Premera amended Mandiant's statement of work and instructed it to report directly to its external counsel. In holding that Mandiant's ultimate report was not protected by privilege, the court emphasized that Mandiant had been engaged prior to the discovery of the breach and that its report was not solely intended to provide legal advice. Documents, the court reasoned, prepared for a purpose other than or in addition to obtaining legal advice and intended to be seen by persons other than the attorney are not privileged.
Unlike Premera, Target was willing to go to extreme (and expensive) lengths to protect that attorney-client privilege in the aftermath of its 2013 breach, perhaps because it knew that the incident was likely to lead to litigation. But for many breached firms, paying for a dual-track investigation is costly and inefficient. Nor is it entirely clear that it's a necessary step for preserving attorney-client privilege. A 2021 ruling held that a forensics report for a 2018 data breach of the Marriott hotel chain was privileged, even though the report was prepared by IBM, which had also provided pre-breach security services to Marriott. Though IBM had been working with Marriott since 2011, following the investigation, the company entered into a new statement of work with Marriott and BakerHostetler, the law firm the hotel chain retained to manage the breach investigation.
Our preliminary investigations suggest that attorney-client privilege and work product doctrine create potential distortions that may go much deeper than triggering occasional inefficient dual-track cyber-incident investigations. For instance, in the course of our initial conversations with participants in the cybersecurity ecosystem, we have learned that lawyers coordinating cyber-incident investigations routinely refuse to make forensic reports produced by cybersecurity firms available to cyber insurers. Such disclosure, these attorneys worry, could constitute a waiver of attorney-client privilege. Irrespective of the accuracy of this concern, which has not yet been tested in court, this practice may deprive insurers of potentially useful information that they could use to improve their underwriting processes or to advise other policyholders. Some attorneys, moreover, go even further, instructing their clients and cybersecurity firms not to disclose forensic reports to the client's internal information technology (IT) personnel, lest a court interpret that report to have been produced for business, rather than legal, purposes.
Some of our preliminary discussions suggest even more fundamental ways in which lawyers' efforts to preserve confidentiality may undermine cybersecurity. For instance, some industry participants tell us that attorneys increasingly instruct forensic investigation teams not to record their findings in a written report at all, because of the potential that such a report could make its way into the hands of plaintiffs' lawyers. Instead, forensic experts are instructed to explain the results of their investigations either via stripped-down PowerPoint presentations or through entirely oral presentations. This, of course, raises the prospect that any information communicated to clients that may allow them to improve their cybersecurity efforts in the future will not be fully understood by them or accurately communicated to others within the firm.
Similarly, the rules governing confidentiality appear to create the perverse incentive for firms to hire different security firms to run post-breach investigations from the ones that already provided pre-breach monitoring services. This reduces the speed of response as another firm must be engaged, contracted and provided with network access, all while an adversary has already infiltrated the target's networks. Further, the new firm may be unfamiliar with the network environment, often needing to navigate new software and IT portals to access monitoring tools and the corresponding logs.
Perhaps most perniciously of all, current rules may even disincentivize firms from taking proactive steps to conduct cybersecurity audits or other forms of monitoring. Since privilege and work product immunity attach only to documents produced when a firm reasonably anticipates litigation or communicates with attorneys to secure legal advice, these protections may not apply to materials produced to help detect a future breach. So companies may be less inclined to engage in those efforts directly or to hire cybersecurity firms to do so on their behalf. And even when they do, they may be reluctant to use the same firms for post-breach investigations that they hired for pre-breach monitoring, even if the firms coordinating pre-breach monitoring are more familiar with their computer systems and could conduct a faster forensic investigation.
Beyond distorting what information is documented and shared, current confidentiality rules create operational and business complexities. Because they place lawyers at the center of incident response, they cause law firms to charge large hourly fees, control communications, and even choose which forensics firms are hired. This disrupts established relationships and work patterns between internal IT firms and external cybersecurity vendors. In some cases this disruption may produce a variety of benefits that have nothing to do with confidentiality. For instance, some lawyers claim they are particularly adept at efficiently managing multiple work streams spanning technical investigation, ransomware negotiation, regulatory notifications, public relations and insurance. Others dispute these alleged benefits; some security professionals claim that centralizing communications through lawyers creates bottlenecks and delays, and even accuse lawyers of unmeritocratic hiring.
We are still working to understand the prevalence of these different practices for preserving attorney-client privilege, and their impact on the investigation process and findings. But policymakers, insurers and security researchers are all struggling to assemble reliable datasets about cyber threats and the effectiveness of different countermeasures. The Cyberspace Solarium Commission report issued in 2020 even recommended that Congress establish a new Bureau of Cyber Statistics specifically to collect statistical data on cybersecurity. So it's worth considering how concerns about attorney-client privilege and work product doctrine may be contributing to those challenges by influencing the processes for investigating breaches, sharing and aggregating information about those breaches, and learning from past cybersecurity incidents.
It's not clear how big a problem confidentiality considerations are for cybersecurity investigations and data collection, so it's hard to know what the right solution is or, indeed, if any solution is even needed. Jeff Kosseff has proposed the creation of a stand-alone privilege for cybersecurity work so that firms will be less reluctant to hire security professionals to assess and audit their computer systems. But it's also possible that creating new privileges around cybersecurity could make it harder for people to sue firms in the aftermath of breaches, thereby limiting those firms' accountability. On the other hand, it remains an open question how effective such lawsuits have been at incentivizing better cybersecurity practices.
The influence of attorney-client privilege and work product immunity on cybersecurity raises many more similarly open questions. It seems possible that the doctrines governing attorney-client privilege and work product have had the unintended consequences of undermining cybersecurity, information sharing about data breaches, and insurers' ability to collect empirical data about cybersecurity incidents and the most effective countermeasures to prevent and mitigate those incidents. Given how central lawyers have become to breach response, and how high a priority maintaining confidentiality is for many of them, these questions are worthy of more study and attention as technical experts, policymakers and insurers all grapple with the best ways to learn from cybersecurity incidents. We would welcome any readers with experience on these issues to contact us directly so that we can learn more about how the laws governing attorney-client privilege and work product can promote, or undermine, effective cybersecurity.