Lawyers may be limiting threat info sharing
A new study examines how attorney-client privilege and work product immunity impacts cybersecurity.
Although effective in protecting confidentiality, lawyers who handle cybersecurity cases “frequently undermine the long-term cybersecurity of their clients and society more broadly,” a new study finds.
Published July 28, “How Privilege Undermines Cybersecurity” finds that as the number of cyberattacks grows, so too do questions about common legal tools such as attorney-client privilege and work product immunity . That’s because although both protect confidentiality by “limiting and shaping the documentation that is produced by breached firms’ personnel and third-party consultants in the wake of a cyberattack, attorneys can limit the availability of potentially damaging information to plaintiffs’ attorneys, regulators, or media,” the report states.
The lack of information impairs “the ability of breached firms to learn from cybersecurity incidents and implement long-term remediation measures,” according to the document. Additionally, cybersecurity insurers – whose fees are often already prohibitive for many public-sector agencies – can’t get a full picture of how well cybersecurity measures work, and regulators are also impeded in their ability to investigate incidents.
For instance, the study points to cases arising out of the theft of personal data from 100 million Capital One customers in 2019. After a federal district court ruled in a class-action lawsuit that the company must share its forensic incident report with plaintiffs, lawyers have doubled down on limiting written reports or recommendations from third-party forensic firms after breaches – a move that the report states “dramatically [impairs] the ability of both breached firms and third parties to prevent future cyberattacks.”
What’s more, some stakeholders said that the practice could disincentivize firms from using robust cybersecurity efforts, although they generally believe “the benefits to firms of proactively limiting the risk of cyber intrusions or the consequences of such events when they occurred dramatically outweighed the potential costs that documents produced during this process could be used against firms,” the report states.
To prevent these problems, the research suggests “disentangling the incident response process from the production of information that can hold firms accountable for failing to take appropriate and required precautions.”
One way to do this would be to have courts determine whether the purpose of a breach investigation entitles victims for protection under attorney-client privilege or work product immunity by looking at factors such as who hired and pays the forensic firm (the business or the lawyers) and when (before or after the breach).
More specifically, the report proposes a nonwaivable cyber-incident response privilege that “would not attach to any pre-incident cybersecurity measures” and “only shield from discovery firms’ incident response efforts.” Additionally, it would also cover internal communications within a breached firm. “A major cybersecurity goal should not only be to encourage full and frank communication between firm personnel and outside parties like lawyers or forensic firms, but also to encourage full and frank internal communication within breached firms,” the report states.
It also recommends reforming federal information-sharing requirements. The Cybersecurity Information Sharing Act of 2015 states that organizations that share cyber threat indicators and defensive measures for a cybersecurity purpose get some protections from liability, while the Cyber Incident Reporting for Critical Infrastructure Act of 2022 mandates reporting to the Homeland Security Department cyber incidents involving critical infrastructure. Neither law goes far enough or is detailed enough, however, according to the report. What’s needed is an extension of the requirements to include a broader range of firms and incidents.
“We suggest expanding the confidentiality protections that apply to incident response so as to enable swifter responses to incidents, more robust documentation of breaches, and broad sharing of this information with interested third parties,” the report states. “Pairing these enhanced confidentiality protections with new requirements to collect and share forensic evidence and analysis can ensure that law and regulation continue to hold firms accountable when they fail to invest in adequate security protections before a breach occurs.”
The study, “the first to empirically examine how confidentiality concerns impact breach response,” involved 69 interviews with lawyers, forensic investigators, insurers and regulators between 2020 and 2022.
Stephanie Kanowitz is a freelance writer based in northern Virginia.
NEXT STORY: Emergency alert system vulnerable, FEMA warns