BreachExchange mailing list archives

Bringing cybersecurity under a protective umbrella (of privilege)


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 15 Sep 2015 19:06:34 -0600

http://www.insidecounsel.com/2015/09/15/bringing-cybersecurity-under-a-protective-umbrella

Within business organizations, even internal lawyers are often greeted with
ambivalence in regard to their participation in business and technical
projects. No one likes the idea of being interviewed by a lawyer in
connection with an investigation or litigation. But even where there is no
immediate specter of becoming a witness in some legal proceeding, lawyers
are often seen as hindrances, obstacles who stand in the way of progress by
adding a layer of review and taking an approach that is too risk averse.
The old adage that the law department is a cost center and not a revenue
generator underlies this attitude.

Business and technical personnel may also view the involvement of lawyers
with distaste based on the sentiment that the lawyers are not
subject-matter experts and should leave specialized matters to those with
expertise. However, these attitudes must be overcome when it comes to
addressing cybersecurity. It is critical for lawyers to be involved in
leading cybersecurity efforts.

One fairly obvious reason lawyers need to be involved is that cybersecurity
is rife with legal issues and legal liability risks for the enterprise.
Those issues and risks are the subject of a vast and rapidly expanding
literature. By way of brief example only, consider the need for compliance
with federal statutory requirements and regulatory guidelines and
pronouncements regarding cybersecurity, the need to make assessments
regarding whether and how to contact law enforcement in the event of a
breach that may involve illegal activity, the need for compliance with
state data-breach notification laws, etc.

Beyond these more obvious legal touch points, the process of preparing for
and addressing cyber risk benefits by allowing full deliberation and
discussion of the most complete factual picture possible, regardless of
whether it is good or bad, under the umbrella of privilege protection. This
results in a better risk-mitigation strategy based on comprehensive
information. It is critical for counsel to be involved in cybersecurity
activities so that these can be protected by attorney-client privilege
and/or work product protection, as applicable.

It is especially important that the groundwork for privilege be laid
thoroughly where in-house counsel is involved, because courts tend to take
a narrower view of privilege there. In other words, courts may analyze
whether in-house counsel acted in a business or legal role, which can
confuse things. That is why merely involving in-house counsel is not enough
to ensure protection; in-house counsel need to be actively integrated into
the process in a way that makes the legal protections applicable. The
lawyer needs to have creative or analytic input.

A recent case, Genesco, Inc. v. Visa, U.S.A., Inc., (302 F.R.D. 168
(M.D.Tenn. March 10, 2014)) is viewed as validating organizational
decisions to lead cybersecurity activities through legal counsel—including
proactive and reactive efforts. This case stemmed from a cyber attack where
hackers in Eastern Europe succeeded in remotely installing sniffing
software on Genesco’s network that siphoned (unencrypted) account data. The
captured data was in transmission to certain banks that processed card
payments under their own separate agreements with Genesco and the issuers,
including Visa.

As a result of its investigation in the wake of the attack, Visa assessed
fines of over $13 million against these banks, which Visa determined were
in violation of agreements to maintain certain cybersecurity standards at
the merchant, Genesco. Those banks then obtained indemnification from
Genesco pursuant to their agreements with Genesco. Genesco sued Visa to
recover this money based on a number of state law claims grounded in the
allegation that Visa’s fines against the banks were unwarranted.

A controversy ensued when Visa sought discovery from a non-testifying
cybersecurity consultant retained by Genesco. Genesco’s general counsel
submitted an affidavit that indicated he hired the consultant based on his
consultation with two outside lawyers and in anticipation of the likelihood
of litigation, “…in particular litigation arising out of claims by the
payment card brands such as Visa.” (Id. at *180) The consultant was
selected by outside counsel, although it was retained directly by the
general counsel on behalf of Genesco. The general counsel also averred that
“[a]ny and all contacts, correspondence, meetings or other interactions
between Genesco and [consultant] concerning the intrusion occurred either
with or at the direction of Genesco Counsel.” (Id. at *181)

Visa’s requests sought all documents relating to the consultant’s retention
and work with Genesco, through requests and interrogatories to Genesco as
well as a subpoena to the consultant for documents and deposition
testimony. It also noticed the general counsel’s deposition on the
consultant’s hiring and work. Visa argued that Genesco had waived privilege
on these matters by producing two documents from the investigation and a
report from the consultant. Moreover, Visa argued waiver due to Genesco’s
failure to submit privilege logs.

The court held in favor of Genesco and found that the information regarding
the consultant was privileged and protected work product, which protections
were not waived by the absence of a privilege log. It relied on the
affidavit of the general counsel in supporting this decision, not only in
elucidating the process and rationale for retaining the consultant and the
way the work was performed under counsel’s direction, but also as providing
the information about the basis for privilege claims that would otherwise
be found in a privilege log.

Lawyers and technical experts play key roles in enterprise cybersecurity.
By carefully following the right process, they can work together to make
complete and candid assessments, while maintaining a reasonable expectation
that their deliberations will be kept confidential. The more litigation we
see in the cybersecurity realm, the more likely it is that joint
legal-technical work in that realm is “in anticipation of litigation” and
for purposes of rendering legal advice.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 