How to Keep InfoSec Investigation Secret

Confidentiality Labels as Compliance with Professional Ethics

In the investigation of a data security incident, proper use of confidentiality labels can help a lawyer or other professional show they are complying with ethical requirements for confidentiality.

Consider the American Bar Association Model Rules of Professional Conduct, “Client-Lawyer Relationship, Rule 1.6 Confidentiality of Information.” Rule 1.6(c) reads, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Official commentary to that Rule says: “When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. …  Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”

Not Every Security Incident is a Breach


So let’s consider how this Rule 1.6(c) might apply to a data security investigation. A data security investigation can be very sensitive for an enterprise. The investigation can require much work and analysis to determine the legal impact of a security incident. The analysis may conclude that the enterprise has suffered a data security “breach” for which notice must be given and for which the enterprise is legally liable. On the other hand, the analysis may conclude there was no “breach” and therefore no requirement for notice and no liability.

Accordingly, it is in the best interests of the enterprise that the investigation be kept legally confidential. The enterprise does not want its legal adversaries (such as regulators or class action plaintiff lawyers) to know anything about the investigation. If the adversaries possess details from the investigation, they might use those details to penalize, hassle or assert liability against the enterprise.

An attorney working for the enterprise can help to promote the confidentiality of the investigation -- and all information and communications related to it -- by ensuring that the information and communications are properly labeled as “Confidential attorney-client communication,” “Confidential attorney work product created in preparation for dispute” or something like that.

In many cases law respects confidentiality associated with attorney communications and work. For this reason, non-lawyer professionals, like infosec experts, are motivated to involve a lawyer in their investigations.

Labels like those above can be powerful to prevent the unintended or unauthorized disclosure of sensitive information. The labels warn anyone who sees the information (police, vigilantes, regulators, contractors, employees, whistleblowers and so on) that it is confidential and protected by law. The labels can also help to prevent disclosure of the information through legal process such as a subpoena, a police raid or discovery in a civil lawsuit.

Thus, the labels would be a crucial part of a lawyer’s reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information belonging to the lawyer’s enterprise client. Furthermore, the labels could be evidence of a reasonable expectation by the lawyer that the information will be treated as confidential by law.

In other words, proper use of these labels can help an infosec lawyer comply with ethics Rule 1.6(c) quoted above.