The Legal Risk of Risk Registers
In order to be effective, an organization’s risk management plan requires the development and maintenance of an ongoing process that enables the identification, analysis, evaluation and treatment of relevant risks. This knowledge better enables risk professionals to prioritize actions to reduce these risks to an acceptable level. What results from this risk assessment process, however, is a substantial amount of risk information that needs to be managed in such a way that it can be found and applied quickly and efficiently. This has led to the creation of risk registers.
A risk register is a document that records identified risks, their severity and the mitigating steps to be taken in response. It serves as a central repository for the organization’s risk information and allows for the information that results from the risk management process to be suitably sorted, standardized and merged. A risk register’s key function is to provide management, the board and key stakeholders with information about the main risks faced by the organization. The register also gives the organization’s risk management stakeholders a clear view of the status of each risk at any point in time.
Once a risk register is created, however, a question that can arise is whether it is discoverable in litigation and whether the information contained within these internal documents is protected by the attorney-client privilege and the work product doctrine. As a result, in-house and/or outside counsel must be cognizant of how a risk register is prepared and maintained in order to solidify a company’s claim to privilege.
When a written risk register has been prepared by a non-lawyer, the potential protections from discovery are limited as organizations will not be able to rely on traditional discovery protections such as trade secret or work product for these documents. One potentially applicable protection is the “self-critical analysis” privilege, which protects analyses of a company’s own safety procedures.
In New Jersey, for example, in order to raise the self-critical analysis privilege, a company must show that: 1) the information that is the subject of a production request is the criticisms or evaluations or the product of a critique or evaluation conducted by the party opposing the production request; 2) the “public need for confidentiality” of this analysis is such that the unfettered internal availability of the information should be encouraged as a matter of public policy; and 3) the analysis or evaluation is of the character that would result in the termination of such self-evaluative inquiries or critical input in future situations if this information is subject to disclosure.
Alternatively, an organization can attempt to protect an internal risk register from disclosure by employing outside counsel to create and manage it. Under this circumstance, outside counsel is retained by the organization to provide legal advice regarding vulnerabilities and to develop a strategy for risk minimization. As part of this process, outside counsel, rather than the organization, can retain an independent consultant to assist in the due diligence analysis and in the preparation of the risk register. The consultant’s report would be prepared at the request of counsel and then incorporated by the attorney into a more comprehensive report for the organization. Accordingly, a company would be in a position to assert that the risk register, including the results of the outside consultant’s work, is protected by the attorney-client privilege.
In the context of cyberrisk, preparing an internal risk register requires companies to: 1) conduct network vulnerability assessments; 2) provide recommendations to remediate potential vulnerabilities; 3) review cybersecurity policies and procedures; and 4) review their internal networks. Whether companies that suffer data security breaches may claim attorney-client privilege and/or work product protection in connection with these documents and communications is often disputed. For example, if a company prepares an internal risk register that identifies areas of vulnerability and concern but fails to remedy the problem, this would clearly provide sufficient evidence of notice to establish a claim for negligence against the company. Conversely, if an internal risk register supports the conclusion that a company’s internal network is safe and secure, yet the network is subsequently breached by a hacker, this assessment could also be used against the company in litigation.
In In re Zappos.com, Inc., Customer Data Security Breach Litigation, for example, the Zappos website declared that “shopping on Zappos.com is safe and secure—guaranteed.” Following a data breach, plaintiff consumers used this statement as a basis to overcome a motion to dismiss based upon a theory of negligent misrepresentation. They argued that any statement made within an internal risk register regarding areas of concern or the safety and security of a company’s internal network could be used against the enterprise making such representations.
Similarly, the plaintiffs in a class-action lawsuit filed after a massive data breach at insurer Anthem served the federal government with a subpoena requesting that it share documents from a security audit proving Anthem was aware that its information technology security was lacking before the breach occurred and did not act on the risk. The U.S. Office of Personnel Management, which performed the audit, refused to release the results, claiming the information contained in its report is privileged and immune from disclosure.
A recent decision in litigation over the data security breach suffered by Target Corp. sheds important light on the scope of such protections. In In re Target Corp. Customer Data Security Breach Litigation, the court found that Target submitted several declarations and exhibits to substantiate its privilege and work-product claims as to its response program. Following the large-scale cyberattack on Target, a two-track response program was created: the first track involved a team of forensic experts engaged on behalf of several credit card companies, and the second was intended to assist counsel in conducting an investigation of the data breach in order to provide legal advice to Target.
During discovery, Target produced all communications with the forensic experts from the first track, but withheld communications and work product prepared by the data breach task force and the experts engaged by counsel as part of the second track. In denying the plaintiffs’ motion to compel discovery from Target, the court held that the work of the second track was focused not on remediation of the breach, as plaintiffs contended, but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation. Moreover, plaintiffs could not overcome Target’s work-product protection because Target had already produced documents and forensic images from which plaintiffs could learn how the data breach occurred and how Target responded to it.
Although this opinion relates to internal investigations following a data breach, the same principles can be applied to the preparation of risk registers. Namely, these reports should be prepared at the request of counsel for the purpose of providing legal advice to the company and helping it defend against the threat of litigation should an incident occur.
While risk registers can provide an organization with valuable information about identifying and remedying potential areas of exposure, they can also be a distraction. Importantly, risk registers may contain highly sensitive information that, if not properly safeguarded, may be used against the company in subsequent litigation. As a result, an enterprise should work through internal and/or outside counsel when preparing risk registers so that the sensitive risk information obtained may be protected by the attorney-client privilege and the work product doctrine if litigation later ensues involving one of the identified risks.