The Attorney Work-Product Doctrine
Continuing from the last post on attorney-client privilege (ACP), I’d like to introduce another crucial part of ACP that will protect your company in the future. Specifically, the attorney work-product doctrine (AWP).
AWP is your right to withhold communications between you and your attorney that involves legal advice from being discovered in court. This privilege doesn’t mean that everything is withheld though, the metadata of your communications with a lawyer will still be recorded and included in investigations. In the cyber world, metadata can be things like the time an email was sent, who received the email, and possibly the subject line. These half-hidden communications will be listed on a privilege log during litigation, along with your reason for withholding the information. This can get messy, as to whether or not the communications contain legal advice or not can be disputed and could end with information you want to be hidden being revealed in court.
But what does this have to do with Cybersecurity?
The point is that you should consult with a lawyer that specializes in cybersecurity and cyber risk assessments to protect yourself legally if anything were to go wrong in the future. Your discussions with your lawyer about your company’s cybersecurity and cyber risks will be protected from scrutiny, and it will be harder for a prosecutor to prove that you did not protect your customer’s information adequately enough. Let’s say you get a cyber risk assessment from a cyber risk non-attorney provider. They evaluate your risks, tell you how to mitigate those risks, and hand you a menu of options you have to protect your company. This menu and everything on it cost money, and it’s normal for companies to not be able to mitigate all of their risks right away. Because of this, sometimes you have to accept some of these risks and work on what you can for the time being.
So, you’re working on maybe five out of ten risks you were alerted of, but then something happens, and risk number six happens to be the root cause of a cybersecurity incident or breach. If there is a lawsuit or an investigation, then the government or a private lawyer is going to request all the documents related to your cyber risk management, and you will have no choice but to turn them over. This would give the prosecution a big advantage because all they need to do is point out the fact that you did nothing about risk number six, and they will have a solid case against you.
In my next post, I’ll wrap things up by explaining how an attorney can prevent a mess like this from happening to you in the aftermath of an incident, so stay tuned!