Protecting Privilege in the Cybersecurity Context: Applying Recent Commentary from the Sedona Conference Working Group
Wednesday, May 29, 2019
Applying Cybersecurity Commentary from the Sedona Conference Working Group
Print Mail Download i

Taking affirmative steps to protect sensitive IT information from disclosure during litigation is critical prior to, during and after cybersecurity incidents. Counsel and IT professionals can apply recent commentary from the Sedona Conference Working Group on Data Security and Privacy Liability to maximize the protection afforded confidential communications and documents generated in the cybersecurity context. 

The Sedona Conference Working Group Commentary

The Sedona Conference Working Group on Data Security and Privacy Liability recently released draft commentary regarding the attorney-client privilege and the work product doctrine in the cybersecurity context (the “Commentary”). The Commentary provides an overview of the traditional concepts of privilege and work product protection and discusses the evolving application of those protections to communications and documents created before, during and after a cybersecurity incident. The Commentary also discusses proposals for adapting or modifying existing protections for the cybersecurity context. 

The Need for Privilege in the Cybersecurity Context

Organizations generate sensitive communications and documents when proactively assessing cybersecurity threats and reacting to a data security incident. In the event litigation arises after a data security event, these documents could provide an opposing side valuable insight and evidence regarding the organization’s prior knowledge of any vulnerability, decisions regarding prioritization of cybersecurity goals and potential admissions following an incident, all of which could be viewed unfavorably when analyzed in a courtroom. All personnel (including counsel and IT professionals) involved in an organization’s proactive and reactive cybersecurity activities must be cognizant of the ways in which communications and documents should be protected from disclosure during litigation. 

While not all information can be protected from required disclosure during litigation, organizations can take certain steps to increase the likelihood that communications and sensitive documents will be protected by the attorney/client or work product doctrine in the event of future litigation. The attorney/client privilege protects confidential communications made for the primary purpose of obtaining legal advice from a lawyer. The privilege may cover communications between a lawyer and client or between employees of the client if the primary purpose of the communication is to solicit or render legal advice. The work product doctrine protects documents prepared in anticipation of litigation, rather than for another business purpose. Both the attorney/client privilege and work product doctrine can be waived if the documents are unnecessarily disclosed to certain parties. 

Practical Takeaways to Preserve Privilege in the Cybersecurity Context

In light of the Working Group’s Commentary, organizations should consider taking following steps to protect communications and documents generated before and after a data security incident:

  • Involving counsel in proactive pre-incident activities, including ensuring that cybersecurity or other IT assessments are developed at the direction of counsel. Counsel should consider coupling security assessments with evaluations of ongoing regulatory requirements (e.g., the FTC Act, HIPAA, state data security laws). Counsel can also use these assessments to prioritize security controls based on legal risk and compliance obligations. 

  • Ensuring summaries and analysis by employees are created at the direction of, and for the purpose of assisting, counsel in rendering legal advice to the client. 

  • Ensuring experts, including IT vendors and forensic investigators, are retained through and for the purpose of assisting counsel in advising the client regarding their legal obligations and are not simply a substitute for the client’s own information technology employees. 

  • Remembering that privileges are not absolute and confidential documents could still be disclosed if the privilege is waived or if opposing party can show a substantial need for the information. 

  • Avoiding waiver of the privilege by avoiding disclosure of assessments, forensic reports or legal advice to third-parties or to employees outside of the client’s control group. 

The full Commentary can be downloaded here.

© Polsinelli PC, Polsinelli LLP in California

Current Legal Analysis

More from Polsinelli PC

FTC Final Rule Banning Most Non-Competes Passes – What You Need to Know
by: Eric E. Packel , Emma R. Schuering
Finally Final — The DOL Issues Its Long-Expected Final Rule Raising the FLSA Overtime Exemption Salary Thresholds
by: Jason N. W. Plowman , Matthew P.F. Linnabary
"Please Pay No Attention to the Microphone:” DOJ Announces New Program Offering Protections to Criminal Whistleblowers
by: Kurt R. Erskine , Nicole K. Nielly
HRSA Aims for Swift Dispute Resolution with new 340B ADR Final Rule
by: Mary H. Canavan , Kyle A. Vasquez
Critical Infrastructure Cybersecurity – Evolving Incident Response Obligations, Integral to Effective Risk Management
by: Romaine C. Marshall , Kurt R. Erskine
Vote Scheduled for FTC Final Rule Banning Non-Competes – What You Need to Know
by: Eric E. Packel , Sean R. Gallagher
FDA Preemption of State Law for False Labeling Survives Appeal to Supreme Court
by: Gina L. Tincher , Stacy A. Carpenter
What to Know About New York’s New Supplement Law Going into Effect this Month
by: Stuart M. Pape , Suzanne E. Bassett
The EEOC Issues its Final Rule about the Pregnant Workers Fairness Act
by: Shivani P. Bailey
Easement Fund Victory on Perpetuity Will Result in More Attention on Valuation
by: Lauren P. DeSantis-Then , William J. Sanders

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins