What’s Good for Litigation Isn’t Necessarily Good for Cybersecurity

By Randy Milch
Friday, March 5, 2021, 11:07 AM

When Guo Wengui fled to the United States from China in 2015, he hired the Clark Hill law firm to assist him in his bid for political asylum. In 2017, unknown parties hacked Clark Hill’s computer systems and Guo’s personal information was published on the internet. Clark Hill hired experts to do a post-breach investigation. Guo, embracing the American system, sued Clark Hill and demanded the investigating expert’s report and associated materials in discovery. Clark Hill refused, arguing that the materials were protected by the attorney work-product and attorney-client privileges. The U.S. District Court for the District of Columbia ruled on Jan. 12 in Guo’s favor, finding the privileges did not protect the expert post-breach analysis from discovery.

I love these privileges as much as the next litigator, but it’s time to admit that efforts to shield post-breach investigations through the attorney work-product and attorney-client privileges (the “counsel privileges”) are bad for cybersecurity. Efforts to force-fit post-breach investigations to the requirements of the counsel privileges both discourage the creation of important cybersecurity materials and severely limit their utility if created. The public interest demands that Congress step in and create a new privilege regime that will, through its protections, encourage robust post-breach investigations and the appropriate sharing of those investigative results.

Post-breach investigations unequivocally are a good thing for society. Senior governance attention and resources are deeply focused on cybersecurity in the wake of a breach. Victimized companies hiring experts to investigate and report on why a breach occurred and what could be done to strengthen cyber defenses against future incursions provides the board, the C-Suite and the cyber-defense team with robust information to guide data security enhancements. The results of the investigation must be easy to use by nontechnical directors and officers so that the post-breach cybersecurity goals are clear, appropriate resources to meet those goals can be allocated, and the residual cyber risks are understood.

The public benefit of a robust post-breach investigation is even broader than making a particular entity less susceptible to a future breach. These investigative results are an important source of information for security professionals, researchers and criminal investigators. Yet the goals of robust investigation and appropriate sharing are deeply at odds with the best legal advice on how to protect post-breach investigatory information from discovery.

Take, for instance, the highly regarded Debevoise Data Blog’s Key Takeaways from Guo. The blog focuses on ways to increase the chances that a forensic investigation will remain privileged and thus out of an adversary’s hands:

  • “[C]onsider having no [investigative] reports prepared at all[.]”
  • Severely limit the distribution of the putatively privileged reports.
  • Separate “recommendations from investigative findings[.]”
  • Ensure that reports are “drafted with the understanding that privilege claims may not succeed.”

Other elite firms advise similar approaches. These suggestions—as valid as they are from a litigation perspective—would reduce the utility of the forensic investigation by making the results less easily usable by firm insiders and essentially unavailable to those outside the firm. What is good for litigation is not necessarily good for cybersecurity.

The attorney-client and work-product privileges have a utilitarian basis. The public’s loss of probative evidence cannot be justified only by the private interest of the protected client but instead requires an offsetting “‘public good transcending the normally predominant principle of utilizing all rational means for ascertaining truth.’” The Supreme Court made clear that protecting the “full and frank communications” between lawyer and client and the work-product of litigation counsel vindicates the public interest in the provision of “sound legal advice or advocacy.” As a result, courts strictly limit the counsel privileges to these activities. But legal advice and litigation preparation are not and should not be the reason for post-breach investigations.

Guo illustrates the tension between attempting to maintain the counsel privileges and post-breach cybersecurity realities. Clark Hill sought work-product protection of its post-breach investigation under the “two-track” theory approved in the Target breach litigation. The approach has gained currency as companies more commonly have an ongoing pre-breach relationship with a cybersecurity consultant to assist in cyber defense. On one “track” the pre-breach cybersecurity consultant will create an “ordinary course” report that will be produced in litigation. At the same time, and on the second “track,” a new consultant hired by the firm’s outside litigation counsel will produce a privileged report solely “in anticipation of litigation.” What at first may seem an approach inefficiently designed to maintain a privilege in fact has both privilege-preservation and nonlitigation rationales—up to a point.

Hiring a new firm solves an important privilege issue arising from why the cybersecurity expert was hired. The pre-breach expert likely was hired by the chief information officer (CIO) or the chief information security officer (CISO) for cybersecurity reasons, not the general counsel or outside counsel in order to provide legal advice or “in anticipation of litigation” as the counsel privileges require. The company’s lawyers could try the alternative route of engaging an entirely new team from the pre-breach firm, perhaps on the suggestion that there will be some “efficiencies” in using the old firm for the new task. But this approach failed recently in a widely noted ruling in the Capital One breach litigation. Even though these determinations are highly fact specific, careful counsel will advise that “one firm, two teams” is a riskier course from the privilege perspective.

Moreover, any dollars saved by a “new team, old consultant” approach will be eclipsed by the need to create some distance in the post-breach forensics: The breached company cannot be blamed for worrying that the pre-breach consultant will be unable to review its own pre-breach advice dispassionately. There also may be a stark difference in expertise between the special post-breach team and the day-to-day cyber consultant. The new firm—likely paid for by cyber insurance—might have been too pricey for the CISO’s strained budget for day-to-day assistance. So far, privilege preservation efforts and post-breach realities are aligned: Expensive experts can diagnose the problems and recommend solutions, and it all stays under wraps.

But Guo demonstrates that post-breach realities can also thwart the goals of the counsel privileges. The new firm’s reputation and assignment to find out what went wrong and how to fix it—coupled with natural questions about the capabilities of the previous firm—create strong demand for the investigatory work product to be shared more broadly than the privileges permit. The court in Guo found that although Clark Hill claimed to be relying on its prebreach firm for an ordinary course post-breach investigation, in reality, the law firm turned exclusively to its new cyber consultant for all the “necessary investigative work.” Moreover, the new firm’s investigative report was shared with Clark Hill’s “leadership and IT team,” and with the FBI, and thus was not prepared to seek the advice of counsel or solely for use in litigation as the counsel privileges require. In the end, these multiple uses—all undertaken because the expert report was the best source of information for many purposes—eviscerated Clark Hill’s claims of privilege.

Enough. Post-breach investigative reports are too important to suffer artful wording, to be split into pieces or to be kept away from those who have a cybersecurity-based need for them. The public interest in better cybersecurity requires creating a new post-breach privilege tailor-made for the cybersecurity context. Appropriately crafted, the new privilege would encourage robust post-breach investigations, require the selective sharing of investigative information, and still permit plaintiffs and regulators to build their post-breach cases.

This is a job for Congress. While a new privilege can either be recognized by the courts “in the light of reason and experience” or created by statute, the new post-breach privilege must work in both the federal and state contexts to be effective. Given the increasing cybersecurity risks the United States faces, waiting for multiple courts to recognize a new post-breach privilege or for action by fifty-one legislatures is unwise. The quickest and most effective route to a precisely tailored new cybersecurity privilege is through preemptive federal legislation. Luckily, there is a clear precedent to follow.

In 2005, Congress passed nearly unanimously the Patient Safety and Quality Improvement Act (PSQIA). Enacted in response to a “terrifying epidemic of medical mistakes,” the PSQIA was “designed to allay fears of providers of increased risk of liability if they voluntarily participate in the collection and analysis” of events that harmed or might have harmed patients. The PSQIA sought to encourage medical providers to engage in peer review and to learn from patient care incidents by creating a category of privileged “patient safety work product.” The privileged material consists of “data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements” that “could result in improved patient safety, health care quality, or health care outcomes.” Critically, to become privileged, the patient safety work product must be shared with PSQIA-created “patient safety organizations,” which in turn develop and disseminate “information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices.”

To improve patient safety, the PSQIA broadly protects patient safety work product from compelled disclosure. Patient safety work product is immune from (a) federal, state or local civil, criminal, or administrative subpoena or order; (b) federal, state or local civil, criminal or administrative discovery; (c) federal, state or local freedom of information laws; (d) admission into evidence in any federal, state or local civil, criminal or administrative proceeding or rule-making; or (e) admission into any professional disciplinary proceeding.

At the same time, the PSQIA sets up a structure that permits the sharing of patient safety work product beyond the patient safety organization to achieve important societal goals. For instance, patient safety work product can be shared for research purposes, to the U.S. Food and Drug Administration for its regulatory needs, and to law enforcement if the information is related to the commission of a crime. The disclosure of patient safety work product outside of the statutory structure is illegal. Any permitted disclosures are not a waiver of the privilege, so patient safety work product remains generally immune from compelled disclosure from either the provider or the recipient of the privileged information even if disclosed. Finally, the underlying “medical record, billing and discharge information, or any other original patient or provider record” are not patient safety work product and remain subject to discovery.

An analogous federal Cyber Safety Improvement Act would create a broad statutory privilege for “cybersecurity work product” consisting of a defined set of post-breach investigative materials. Similar to the PSQIA, the underlying evidence a post-breach investigator reviews to reach its conclusions—logs, vulnerabilities, attack vectors—would not become privileged and would remain subject to discovery. And like patient safety work product, cybersecurity work product would have to be shared promptly with a private “cybersafety organization” to be privileged, and could be further shared, without waiver and with ongoing legal protections, for other purposes Congress would deem important.

Inviting information sharing and analysis centers (ISACss) and information sharing and analysis organizations (ISAOs) to become cybersafety organizations, consistent with requirements that the secretary of homeland security would promulgate, would strongly improve the structure for private-sector sharing of breach information. ISACs and ISAOs currently encourage cybersecurity-related information sharing among their membership by offering contractual nondisclosure and nonattribution assurances for the shared information, but their operating rules make plain that shared information is not protected from civil, criminal or administrative process. Congress in the Cybersecurity Information Sharing Act (CISA) added liability protection for private-sector sharing of cyber threat indicators, but this category of information is too limited to cover a robust post-breach analysis. Moreover, while CISA says that sharing a cyber threat indicator with the government is not “a waiver of any applicable privilege,” no waiver protection extends to sharing within the private sector of even this limited category of information.

It would not suffice for Congress to pass a law extending the “sharing-is-not-a-waiver approach” to private-sector sharing of post-breach investigative materials. A cybersecurity privilege requiring and permitting specified types of sharing is a better approach for several reasons. First, sharing-is-not-a-waiver begs the question of whether there is an applicable privilege. The certainty of the specific cybersecurity work-product privilege will serve to encourage the desired behavior: robust post-breach investigation, mitigation and information sharing. As the Supreme Court has found, and repeated, “an uncertain privilege, or one which purports to be certain but results in widely varying applications by the courts, is little better than no privilege at all.”

Second, the sharing-is-not-a-waiver approach has been a failure. A recent Department of Homeland Security Inspector General report revealed that two years into the CISA information sharing program, only nine nonfederal entities were sharing their information via the Homeland Security automatic information-sharing network. Granted, there are a host of reasons that companies may be less than eager to share information with the federal government—CISA’s onerous information-stripping requirements come to mind—but conditioning the application of the cybersecurity work-product privilege on the appropriate sharing of the protected materials sensibly stiffens the carrot given the Homeland Security experience.

Conditioning the cybersecurity work-product privilege on mandatory sharing with specified nongovernment organizations and for specified purposes would be an added public benefit, offsetting the public harm from the loss of evidence. The fact is that some of the knowledge from post-breach investigations—even if privileged—is already shared (and monetized) within the investigatory firms. While I do not doubt that the individual consultants adhere to their nondisclosure obligations, what they’ve learned from one post-breach investigation to the next cannot be erased from their minds. Indeed, the leading forensic firms boast of their “real-world [incident response] and remediation experience,” their history of having investigated “some of the most complex breaches worldwide,” or their “elite security leaders ... [responding] to over 2,000 incidents per year.” For all of their valuable work, the post-breach forensic firms should not have a monopoly on this valuable information, and broadened protected sharing—to include researchers, for instance—would be a further public benefit.

Setting up a structure explicitly to encourage post-breach investigations and the careful sharing of that information will not solve the nation’s increasing cybersecurity problems. But there is no panacea for cyber-insecurity. The United States must instead look for and implement a thousand small cyber remedies. This includes tweaking existing legal and regulatory structures where those changes might encourage better cybersecurity behavior. Encouraging robust post-breach investigations, and carefully sharing those results, will be a small step toward better cybersecurity. The legal profession’s devotion to the attorney-client and work-product privileges should not stand in the way. The creation of a cybersecurity work-product privilege is an overdue and easy step that Congress should turn to as quickly as possible.