The attorney-client privilege is a bedrock of jurisprudence, with communications by and between lawyer and client being protected from compelled disclosure to any third party. But in this age of high-profile data breaches and resulting technical statutes and regulations mandating that organizations adopt and implement comprehensive information security programs, is there anything akin to the attorney-client privilege that extends to cybersecurity professionals providing services such as penetration testing? If they are not retained to provide legal advice, the answer is a resounding no.
The Attorney-Client Privilege
The purpose behind the attorney-client privilege makes a lot of sense—a person or entity seeking guidance from legal counsel should be able to communicate openly without any fear that secrets will be revealed. In theory, the candor that the privilege promotes optimizes a lawyer’s representation to the extent his or her assistance is based on a client’s accurate and complete disclosure of facts, without crucial (and potentially embarrassing or harmful) detail being suppressed.
Of note, the sanctity of the attorney-client privilege is nearly written in stone. To wit, the American Bar Association’s Model Rule of Professional Conduct commands that a lawyer “not reveal information relating to the representation of a client unless the client gives informed consent.” Though the precise wording may vary somewhat, all states have adopted this directive into their own professional rules governing the legal profession. Clients can rest easy knowing that information they confide in their legal counsel is placed, at least proverbially, “in the vault.”
The flipside of this is that matters discussed or exposed outside the zone of privacy are subject to discovery by regulators or parties in a lawsuit. And this can be particularly troublesome for companies working to secure their global enterprise networks.
Cybersecurity Compliance Mandates
A critical aspect of statutorily mandated information security programs is penetration testing, whereby companies hire cybersecurity professionals to undertake simulated cyberattacks against computer system to check for exploitable vulnerabilities. For businesses that directly retain pen testers, it is important to understand that the attorney-client privilege does not extend to the work of these cybersecurity professionals to the extent that they uncover problems that might be the subject or basis of litigation.
In response to the apparent lack of an available evidentiary privilege, some organizations have adopted an “ostrich” strategy, mistakenly believing that if they are not officially informed of vulnerabilities in their network security, they will not have an obligation to address them. All companies must secure data in their possession, however, regardless of whether they have received any official notice of their deficiencies. And therein lies a problem—businesses are encouraged to seek out professional cybersecurity advice to improve their defenses and comply with cybersecurity laws and regulations, but if they do retain outside help, the information they receive could be used against them in subsequent litigation. More to the point, if an organization is the target of a later data breach and a resulting lawsuit, class action counsel could request a copy of all prior penetration test reports, then rake them over the coals for any vulnerabilities (no matter how trivial) that were not promptly or adequately addressed.
The good news is that a viable solution is found in the problem itself. While the specifics differ jurisdictionally, several state, federal, and even international laws (such as European Union’s General Data Protection Regulation) require businesses that collect or retain personal information about location-specific residents to—broadly speaking—develop comprehensive written cybersecurity programs and perform periodic risk assessments. By virtue of these legal compliance mandates, companies are relying upon qualified legal counsel for guidance.
Extending the Attorney-Client Privilege to Penetration Testing
Indeed, lawyers are playing an ever-increasing role in assessing technical defenses and cybersecurity policies. As a byproduct of this comes an extension of the attorney-client privilege. Simply stated, when clients turn to attorneys for advice on cybersecurity, their communications become protected from compelled disclosure. So might the attorney-client relationship serve to safeguard the findings of penetration testers if legal counsel is involved in the process? It may, if done right.
It is clearly not enough for a company to merely copy its lawyer on emails to a penetration tester to trigger the attorney-client privilege. In fact, sharing information with a third party (like a cybersecurity consultant) typically waives the protection, and the quick and easy act of including an attorney in a conversation will not necessarily shield it from discovery. Neither will the use of a lawyer as a pass-through to convey communications to others. This is because the attorney-client privilege relates solely to information relayed in connection with legal representation. Which means that to maximize a claim of privilege, a lawyer should be actively involved in furnishing advice on how to comply with an organization’s cybersecurity obligations, including penetration testing.
A Model for Engagement
For a client to preserve the attorney-client privilege in the context of a pen test, the ideal engagement would involve the client retaining outside counsel to provide guidance on cybersecurity compliance, and that lawyer then retaining a penetration tester or security consultant as technical advisor and subject matter expert. The attorney would then direct the penetration tester’s work (with advice and counsel from the client), receive the consultant’s final report, and map its results to the client’s various legal obligations. It should be noted that while in-house counsel could potentially perform a similar function, this could call the attorney-privilege into question, as courts have previously scrutinized whether in-house counsel’s involvement in a given matter is based on providing legal or business advice.
It is important to keep in mind that the attorney-client privilege shields communications, not facts, so a plaintiff’s lawyer can always perform his or her own investigation and analysis of a company’s network defenses. That being said, when cybersecurity compliance and penetration testing is conducted on behalf of an organization, yet at the direction of its attorney, opposing counsel cannot piggyback on the resulting report or discover what advice was given in connection with the security consultant’s services. Parenthetically, the attorney work product privilege would also likely provide a measure of confidentiality in this circumstance; however, it is substantially weaker than the attorney-client privilege and only applies in anticipation of a lawsuit or where litigation is “imminent.”
Find the Right Representation
Cybersecurity is a complex topic, and not every lawyer is qualified to handle related matters and perform necessary legal analysis. Companies, therefore, must choose legal counsel wisely —preferably a lawyer with specialized cybersecurity knowledge, which is needed to understand a penetration tester’s report, accurately convey the information it contains, and appropriately map the results to the organization’s legal compliance. All businesses potentially subject to a data breach and required to comply with cybersecurity laws should seriously consider placing such an attorney in the middle of pen testing.