How Privilege Undermines Cybersecurity
61 Pages Posted: 2 Aug 2022 Last revised: 25 Jul 2023
Date Written: July 28, 2022
In recent years, cyberattacks have cost firms countless billions of dollars, undermined consumer privacy, distorted world geopolitics, and even resulted in death and bodily harm. Rapidly accelerating cyberattacks have not, however, been bad news for many lawyers. To the contrary, lawyers that specialize in coordinating all elements of victims’ incident response efforts are increasingly in demand. Lawyers’ dominant role in cyber-incident response is driven predominantly by their purported capacity to ensure that information produced during the breach-response process remains confidential, particularly in any subsequent lawsuit. By interposing themselves between their clients and any third-party consultants that are involved in incident response, lawyers can often shield any materials produced after a breach from discovery under either attorney-client privilege or work product immunity. Moreover, by limiting and shaping the documentation that is produced by breached firms’ personnel and third-party consultants in the wake of a cyberattack, attorneys can limit the availability of potentially damaging information to plaintiffs’ attorneys, regulators, or media, even if their attorney-client privilege and work product immunity arguments falter. Relying on over sixty interviews with a broad range of actors in the cybersecurity landscape—including lawyers, forensic investigators, insurers, and regulators—this Article shows how, in their zeal to preserve the confidentiality of incident response efforts, lawyers frequently undermine the long-term cybersecurity of both their clients and society more broadly. We find that lawyers often direct forensic providers to refrain from making recommendations to clients about how to enhance their cyber defenses, restrict direct communications between forensic firms and clients, insist on hiring forensic firms that have no familiarity with the client’s networks or internal processes, and strictly limit dissemination of the forensic firm’s conclusions to the client’s internal personnel. To ensure that any legal confidentiality protections are not inadvertently waived by their clients, lawyers also frequently refuse to share any written documentation regarding a breach with third parties like insurers, regulators, and law enforcement. Even worse, we find that law firms overseeing breach investigations increasingly instruct forensic firms not to craft any final report regarding a breach whatsoever. These practices, we find, substantially impair the ability of breached firms to learn from cybersecurity incidents and implement long-term remediation measures. Furthermore, such efforts to protect confidentiality inhibit insurers’ capacity to understand the efficacy of different security countermeasures and regulators’ power to investigate cybersecurity incidents. To reverse these trends, the Article suggests that materials produced during incident response should be entitled to confidentiality protections that are untethered from the provision of legal services, but that such protections should be coupled with new requirements that firms impacted by a cyberattack disclose specific forensic evidence and analysis. By disentangling the incident response process from the production of information that can hold firms accountable for failing to take appropriate and required precautions, the Article aims to remove barriers to effective incident response while preserving incentives for firms to take cybersecurity seriously.
Keywords: Cybersecurity, breach, incident response, attorney-client privilege, work product immunity
Suggested Citation: Suggested Citation