HOW PRIVILEGE UNDERMINES CYBERSECURITY.

Author: Schwarcz, Daniel

TABLE OF CONTENTS

I. INTRODUCTION
II. UNCERTAIN DOCTRINE: THE LAW GOVERNING THE CONFIDENTIALITY OF FIRMS' CYBERSECURITY EFFORTS
  A. Attorney-Client Privilege and Work-Product Immunity for Incident Response
    1. Factors for Disentangling Legal and Business Purposes of Incident Response
      a. Did External Counsel Hire the Cybersecurity Firm?
      b. Did External Counsel Supervise the Cybersecurity Firm?
      c. Nature of Cybersecurity Firms' Services
      d. Who Paid for the Cybersecurity Firm?
      e. Did the Cybersecurity Firm Work with Persons Other than External Counsel?
      f. Content of Cybersecurity Reports or Writings
      g. Disclosure of Materials Produced by Cybersecurity Firms
      h. External Communications Regarding Cybersecurity Firm
    2. Balancing Competing Factors
  B. Attorney-Client Privilege and Work-Product Immunity in Pre-Incident Cybersecurity Contexts
  C. Disclosure to Third Parties and Confidentiality Protections
III. HARMFUL CONSEQUENCES: HOW LEGAL UNCERTAINTY DISTORTS AND UNDERMINES CYBERSECURITY
  A. Empirical Methodology
  B. Impacts on Incident Documentation and Recommendations
    1. Documentation of Cyber-Incident Response
    2. Documentation of Pre-Breach Cybersecurity Efforts
  C. Impacts on Incident Response Contracting and Communications
    1. Hiring Cybersecurity Firms to Conduct Cyber-Incident Response
    2. Communications During Cyber-Incident Response
  D. How Confidentiality Concerns Impact Third Parties
    1. Insurers
    2. Regulators and Law Enforcement
    3. Auditors and Payment Card Counsel
    4. Supply Chain Partners
IV. ALIGNING CONFIDENTIALITY PROTECTIONS AND CYBERSECURITY
  A. Limitations of Prior Reform Proposals
    1. A Cybersecurity Privilege
    2. Information Sharing with the Federal Government
  B. Disentangling Incident Response and Breach Disclosure
    1. A Cyber-Incident Response Privilege and Evidentiary Restriction on Subsequent Remedial Measures
    2. Reforming Information Sharing
V. CONCLUSION

I. INTRODUCTION

In recent years, attacks on the computer systems of corporations, nonprofits, government agencies, and even individuals have accelerated at an alarming rate. (1) These cyberattacks have not only cost victims countless billions of dollars, (2) but have also undermined consumer privacy, (3) distorted world geopolitics, (4) and even resulted in death and bodily harm. (5) Efforts to prevent or mitigate the consequences of such cyberattacks abound; potential victims spend massive sums attempting to harden their computer systems and insure against the possibility that these defensive efforts will fail, (6) while governments at every level implement policies designed to promote cybersecurity. (7) And yet, the risk of cyberattacks only continues to climb. (8)

The rising risks of cyberattacks have not, however, been bad news for many lawyers. On the contrary, lawyers who specialize in assisting firms that have experienced a potential cyberattack are increasingly in demand. (9) These lawyers--many of whom market themselves as "breach coaches" (10)--coordinate all elements of victimized firms' cyber-incident response, including directing internal firm personnel, retaining a third-party cybersecurity firm, managing public messaging, and communicating with insurers and government regulators. (11)

Lawyers' pole position in coordinating cyber-incident response is hardly inevitable. Even the most sophisticated lawyers are almost never technical experts in cybersecurity. (12) Moreover, while cyberattacks that jeopardize individuals' personal data can indeed raise significant legal questions under state breach notification laws, (13) many cyberattacks--including the ransomware attacks that now predominate (14)--do not necessarily trigger these legal complexities. (15) Firms that experience a cyber incident nonetheless routinely employ lawyers to coordinate all elements of their response, even though firms victimized by noncyber incidents typically only hire lawyers when they need assistance resolving specific legal questions or are on notice of a potential lawsuit. (16)

Lawyers' dominant role in cyber-incident response is driven in part by their purported capacity to ensure that information produced during the breach response process remains confidential, particularly in any subsequent lawsuit. (17) Attorneys are uniquely able to provide this protection by interposing themselves between a client and any third-party consultants involved in incident response, including cyber forensic firms. Under long-standing caselaw, communications between such third-party consultants and the attorneys who hire them to help provide legal advice to a client are covered by the attorney-client privilege. (18) Additionally, any documents and mental processes of third-party consultants, such as cybersecurity professionals, are shielded from discovery under work-product immunity if they were produced in reasonable anticipation of litigation. (19)

Preserving confidentiality in this way has long been understood as vital for breached firms. In part, this is because the earliest cybersecurity breaches that firms were required to publicly report typically involved the compromise of individuals' personal information. (20) Legal costs and settlement fees are often some of the largest costs associated with these breaches, and insurers therefore prioritized minimizing the risk of litigation by involving lawyers in the incident-response process early on--a priority that later carried over to other types of incidents, such as ransomware attacks, where litigation was less common and legal fees represented a smaller portion of overall remediation and recovery costs. (21) A second reason that confidentiality concerns loom large in the wake of a breach is that state breach notification laws only require firms to disclose limited information. (22) Therefore, successfully avoiding disclosure in other legal processes may shield firms from disclosure's reputational and regulatory consequences. Yet another, more cynical, explanation is that the importance of confidentiality in the incident-response process helps the lawyers who dominate this process retain their primacy. (23)

Whatever explains the centrality of confidentiality in breach response, this focus has major downsides. Relying on over sixty interviews with a broad range of actors in the cybersecurity landscape--including lawyers, forensic investigators, insurers, and regulators--this Article shows how, in their efforts to preserve the confidentiality of their clients' incident-response efforts, lawyers may undermine the long-term cybersecurity of their clients and society more broadly. (24) This outcome largely stems from lawyers' efforts to orchestrate a cyber-incident response to maximize the chances that attorney-client privilege and work-product protections will attach. Toward this end, we find that lawyers frequently direct forensic providers to refrain from making recommendations to clients about how to enhance their cyber defenses, restrict direct communications between forensic firms and clients, insist upon hiring forensic firms with limited familiarity with the client's networks or internal processes, and strictly limit dissemination of the forensic firm's conclusions to the client's internal personnel. To ensure that clients do not inadvertently waive any legal confidentiality protections, lawyers also routinely refuse to share any written documentation regarding a breach with third parties like insurers, regulators, and law enforcement. (25) Collectively, these lawyer-driven strategies impair impacted firms' abilities to learn from cybersecurity incidents and implement long-term remediation efforts. Furthermore, they inhibit insurers' efforts to understand the efficacy of different security countermeasures (26) and regulators' capacity to investigate cybersecurity incidents. (27)

Unfortunately for lawyers (and their clients), these breach response strategies do not, in fact, always succeed in triggering attorney-client privilege or work-product protections. (28) At bottom, this is because cyber-incident response virtually always involves a thorny blend of legal and business considerations, which fundamentally rely on the technical expertise only third-party cybersecurity firms can supply. Yet the rules governing attorney-client privilege and work-product doctrine require courts to assess whether the driving purpose of communications produced during a cyber-incident response involves the provision of legal services or preparation for litigation, as opposed to business-oriented goals. (29) Answering this question is often immensely difficult because most breach investigations implicate an interconnected web of legal and nonlegal goals.

The uncertain protections that attorney-client privilege and work-product immunity provide for lawyer-coordinated breach response efforts are nicely illustrated by the pivotal 2020 case, In re Capital One. (30) That case arose from a 2019 breach of Capital One's computer systems, which resulted in the theft of personal data belonging to 100 million of its customers, including credit card applications, social security numbers, and bank account numbers. (31) The day after it discovered this breach, Capital One retained the prominent law firm Debevoise & Plimpton, which attempted to shield Capital One's breach response efforts from discovery in a subsequent lawsuit. (32) Toward that end, Debevoise and Capital One together retained the leading cybersecurity firm Mandiant under a tripartite agreement that instructed Mandiant to investigate the breach at Debevoise's direction. (33) After months of investigation, Mandiant wrote a final report that included a thorough timeline of the breach as well as an analysis of where Capital One's lines of defense and security controls failed, the extent of the compromise, and remediation steps that the company...
