What is ACP?

To wrap things up in this series, I’m going to explain how ACP (attorney-client privilege) and AWP (attorney work product) apply to your company’s cybersecurity efforts. To recap, ACP protects information that you share with your attorney from being brought as evidence to a court case and exists to promote trust between an attorney and their clients. AWP is your right to withhold communications between you and your attorney that involves legal advice from being discovered in court. For further details on these two terms, see my last two blog posts.

I talked about the worst-case-scenario in my last post, which ended in a prosecutor discovering all of the details of your cyber risk assessment and using your accepted risks to make a solid case against you in court. Now, I’d like to talk about how to prevent this worst-case-scenario, which is by consulting an attorney that specializes in cybersecurity. If you have your risk assessment done by your attorney, then everything that you discuss with them regarding your cybersecurity will be hard to bring up in court. You could easily claim either the ACP or AWP doctrines and restrict the information on your accepted risks from being discovered with the argument that it pertained to legal matters and that it was discussed with your attorney.

With most of the details of your cybersecurity undiscoverable, you get the upper hand in your legal matters after an attack. The fact that you did evaluate your cyber risks and took action is evident, but the details are entirely under your control to release or keep hidden. But this isn’t guaranteed. Your requests to withhold communications under the AWP doctrine can be challenged, and in some cases, information is forcibly released to the prosecution. So just like in cybersecurity, there are always risks, but there are things you can do to manage them, like having your cyber risk assessment done with an attorney.