You’ve probably heard of attorney-client privilege in movies and television shows, but what is it really and why does it matter to cyber risk management?
Attorney-client privilege is the oldest privilege recognized by English and American law. A privilege, in general, is an evidentiary rule that shields certain material from the other side: they don’t get access to it, and it can also excuse you from testifying about it in court. You invoke it by claiming the privilege.
A familiar privilege is the Fifth Amendment right against self-incrimination. The attorney-client privilege specifically protects communications between attorney and client that are about legal advice. Without the attorney-client privilege, why would anyone tell their attorney anything? It’s ultimately designed to help people have the best possible defense.
“Attorney Work-Product Privilege”
The way this works in practice is that if your attorney is giving you advice, or you’re asking questions of the attorney and the attorney responds with legal advice, those communications are privileged, which means that neither the attorney nor you can be forced to divulge the substance of that communication. Interestingly enough, the fact that those communications occurred is not necessarily secret. In the cyber world, we would call that metadata. The metadata of the communications is not protected; the substance is.
How can attorney-client privilege (ACP) and attorney work product (AWP) be useful in managing cyber risks?
Here’s a quick hypothetical scenario. This is what happens if you don’t think of cybersecurity as “legal advice.” Let’s say that a hypothetical company recognizes that its cybersecurity and cyber risk management isn’t very good. They have two choices:
- They can find a provider, hire that provider directly to do a cyber risk assessment, and go from there; or
- They can find an attorney who does cyber risk management, ask the attorney to do a cyber risk assessment, and go from there.
Let’s say they get the assessment performed by a non-attorney cyber risk provider. That provider is going to tell them what their risks are, what they should do to mitigate those risks, and how and when. They’re going to give a menu of options, and that menu is likely to cost money. Ultimately, the company is going to have to do a number of things: act on the findings, spend resources, and basically make a normal set of business choices.
They may choose to accept some of those risks. This is a very normal process. Here’s the problem: let’s say they’re informed of 10 significant risks or potential vulnerabilities and they say, “Okay, we can only fix five of them right now.” Six months later, item number six happens to be the root cause of a cybersecurity incident or breach. Essentially, they’ve accepted that risk, either because they didn’t fix it when they could or because they just hadn’t gotten to it yet.
If there’s a lawsuit or an investigation, this is what might happen: either a regulator, whether that’s the FTC or, going forward, a European authority enforcing the GDPR (General Data Protection Regulation), or a private lawyer is going to say, “Give us all your documents related to your cyber risk management.” They’re probably going to ask a specific set of questions, such as, “Did you get a cyber risk assessment?”
If the answer is no, the company loses right away, because having no assessment at all is “unreasonable” per se. If the answer is yes, then they’ll say, “Great. Who did you use for your cyber risk assessment?” The company will have to say, “Well, we used this vendor.” The response will be, “Awesome. We want all communications with that vendor. We want everything that vendor gave you. We want all deliverables from that vendor.”
The opposing party essentially gets to look behind the curtain and see everything the vendor saw. That gives them a big leg up when they argue in court that the company was not reasonable in its cybersecurity.
Let’s look at option two. If they instead hire a lawyer, and let’s just say that the lawyer says, “Yeah, I do cyber risk, and I’m very knowledgeable in this, and I can give you legal advice, but I’m going to hire the same vendor because I want to have someone come in and assist me with that.” This is pretty standard. It’s not any different than a personal injury lawyer who hires a private investigator to follow the plaintiff around and catch them playing tennis after they have claimed that they can’t move, right?
You see that all the time in TV shows, but that kind of thing is real. When the lawyer is supervising this process, a number of things are happening. One, attorney work product is being created all the time. Why are you doing a cyber risk assessment? Ultimately, it’s in anticipation of litigation. That’s not the only reason to have good cyber risk management; you also want to prevent incidents in the first place. But one of the things you should be protecting against is a lawsuit, and one of the central issues in all cyber risk management is whether or not you were reasonable, which is a legal question decided on legal precedent.
Using the same background, the same problem arises with item number six on the list. This time, though, when the company is asked, “Did you do a cyber risk assessment?” they’re still going to say yes. The next question is going to be, “Okay, who did you do it with?” and they’re going to say, “Our attorney handled that, and the remaining information is privileged under the attorney-client privilege.”
The other side can then ask the same set of questions they were going to ask anyway, and every time they do, the company can claim the privilege. That means that instead of simply receiving all of that documentation, evidence, and information, they now have to go to court separately just to argue about the attorney-client privilege and whether or not it applies. It’s a massive, massive barrier.