Attorney-Client Confidentiality | Data Security Breach

As an enterprise comes to suspect that it may have suffered an infosec incident, it may be wise immediately to involve an attorney.

The attorney's involvement could prevent the implications of the incident from spiraling out of control. It could allow the investigation of the incident to proceed responsibly, without the risk that the investigation process itself would be used as a legal weapon against the enterprise.

The investigation of an information security incident can require an expensive, complex and painstaking process. Often, at the outset of an investigation the investigators do not know what their conclusion will be.

Attorney Work Product Doctrine


When the attorney has been engaged, s/he could invoke the "attorney work product" doctrine to govern the investigation.

The "attorney work product" doctrine provides that the content and results of an investigation -- which is led by an attorney -- are kept confidential from future legal proceedings.   The legal proceedings that might follow an infosec incident include lawsuits, as well as investigations by government authorities such as industry regulators (e.g., state healthcare department), state attorneys general and the Federal Trade Commission.

After an attorney has been engaged to lead an infosec incident investigation, the attorney might direct technical investigators to gather evidence, analyze it and report back to the attorney.  Often, owing to the attorney's leadership of the investigation, the evidence gathering, analysis and reporting would be confidential under the "attorney work product" doctrine.  See "Law Firms Tout Cybersecurity Cred," Wall Street Journal, April 1, 2013.

Reduce Exposure to Potential Liability


If the "attorney work product" doctrine does apply to an investigation, then adversaries, like plaintiffs or government, cannot force the enterprise to reveal to them the methods and the results of the investigation.

For an enterprise that wishes to minimize its exposure to litigation or liability, the "attorney work product" doctrine can be invaluable.

For example, an enterprise may conclude after thorough investigation that it did not suffer a data breach requiring it to give notice.  The analysis by the enterprise and its advisers may show, for instance, that the risk of harm to data subjects (such as customers or patients) is low.

Adversaries Can Be Motivated to Second-Guess an Investigation


However, the enterprise may prefer that the content of the investigation not be provided to adversaries. Adversaries (who might be motivated by politics or a desire to squeeze money out of the enterprise) might try to second-guess the analysis and the conclusion that no breach requiring notice had occurred. If they have all the details of the investigation, they may try to re-interpret those details in court or in public to conclude that a breach of security requiring notice did happen.

See explanation of attorney-client privilege and attorney work product doctrine.

By: Benjamin Wright

Update: Legal confidentiality may be compromised if a private company voluntarily shares infosec data with the Department of Homeland Security.
