Oh no, you’ve suffered a computer security incident. The DFIR team you hired wrote up a great report detailing exactly what happened and making suggestions for how to fix some of these issues. But now you’re being sued, and opposing counsel requests that report!
Many times, companies will seek to protect investigations under the cover of attorney-client privilege. But what is that, when and how does the privilege attach, and how helpful is it most of the time? What should your goal be, and just what are best practices for working with attorneys?
7. So what is the attorney-client privilege and why are lawyers involved in this anyway?
Shmoo 2019 - @wendyck
8. What is discovery?
Part of civil procedure, the rules that govern civil (not criminal) trials
● Discovery is the process by which both sides share information that is relevant to the dispute
● “designed to prevent ‘trial by ambush’ where one side doesn’t learn of the other side’s evidence or witnesses until the trial, when there’s no time to obtain answering evidence”
https://www.americanbar.org/groups/public_education/resources/law_related_education_network/how_courts_work/discovery/
9. Fun discovery fact!
The information has to be relevant, but it doesn’t have to itself be admissible at trial.
11. But! Some information is NOT discoverable, such as information protected by the attorney-client privilege
12. What is attorney-client privilege?
What it protects:
● Communications between a client and attorney
● For the purposes of rendering legal advice
● That are made in confidence (don’t repeat that information to anyone else!)
15. Work Product doctrine
Attorney notes and other materials prepared in anticipation of litigation are only discoverable (under FRCP 26(b)(3)) if the other side can show that it has a “substantial need” for them and cannot obtain their substantial equivalent by other means “without undue hardship.”
The underlying facts are not protected, but opinion work product that includes information about what happened is protected if it is prepared in anticipation of litigation.
16. Non-testifying consultants & privilege
FRCP 26(b)(4)(D)(ii)
● opposing counsel cannot discover the facts known or opinions held by an expert who is not expected to be called as a witness at trial, unless the opposing side can show “exceptional circumstances” demanding that disclosure
United States v. Kovel, 296 F.2d 918 (2d Cir. 1961):
● Accountant acts as a “translator” for the law firm, helping it to understand the complex technical issues. The work is related to the attorney’s job of representing clients, so the privilege extends to it
Genesco Inc. v. Visa (M.D. Tenn. 2014):
● “in the Court’s view, the Stroz representative would necessarily be applying his or her specialized knowledge. Thus, Visa’s characterization of its Stroz discovery requests as involving a fact witness is inappropriate.”
19. Into the breach: Let’s walk through a data breach, but from the perspective of working with counsel
20. Lawyers are usually non-technical, but they have a specialized skill set that can have its place in an investigation into a computer security incident
22. Data breach notification considerations
Some timelines are imposed by regulations like the GDPR, or state laws.
The state data breach laws all vary in what constitutes a breach, who must be notified and how. Attorneys can help craft the relevant responses to meet regulatory requirements about content and deadlines.
23. Before a security incident
1. Create a plan
2. Consider retaining a lawyer who can help with tabletops and work with you if you suffer a security incident. Ask them about IR teams they’ve worked with and consider retaining one of these teams.
3. Decide on your communications channels
4. Look at your insurance policies (Do you have to notify? Do they have preferred firms?)
24. Don’t just listen to me
https://twitter.com/RobertMLee/status/1085291137072615426
26. What if we have in house counsel?
27. Business v Legal advice
Make sure that in house counsel notes when they are giving legal advice vs business advice.
Primary purpose test: courts ask whether obtaining or providing legal advice was a primary purpose of the communication; the test doesn’t draw a rigid distinction between a legal purpose on the one hand and a business purpose on the other.
See In re Kellogg Brown & Root, Inc., 756 F.3d 754, 759 (D.C. Cir. 2014)
28. Confidential headers & email footers
Rather than putting a long boilerplate footer at the end of every email, emails in which a legal opinion is given should have “Privileged & Confidential” as the first line.
To: Nancy Drew, CISO
From: Natalia Romanova, General Counsel
Privileged & Confidential
Regarding the security incident we’ve been investigating….
29. More things to do before a security incident
1. Get your logging, monitoring, observability, alarms and audit logs in shape PLEASE (and please check your timestamps)
2. Make sure all your logs are logging in the same time zone
3. Review your audit log settings in cloud platforms
4. Check your retention: are you saving important logs? How long do you retain?
30. Don’t just listen to me
https://twitter.com/MalwareJake/status/1085650856089837571
31. In a breach – Is there a reportable incident?
GDPR, CCPA, NYDFS, HIPAA, State data breach notifications….
32. We have a reportable breach: now what?
If you’re engaging an outside DFIR firm to assist, should your attorney engage the DFIR team?
33. Sometimes yes, as their professional opinions are shared with the lawyer and help form the basis of the lawyer’s advice: “At the direction of counsel” means the experts are performing the investigation to assist the attorney in giving legal advice
34. Crafting the engagement letter
In Genesco v Visa, the Genesco-Stroz retention agreement expressly provided that Stroz’s retention was “in anticipation of potential litigation and/or legal or regulatory proceedings.”
35. During...
1. Activate your IR team and communications channels
2. Secure evidence and follow directions of the team you hired
3. Follow the advice of the attorney on engaging with regulators and law enforcement
36. Gathering Evidence
Follow the advice of your DFIR firm and lawyer about how to gather evidence if you anticipate regulatory or legal proceedings
37. Communications: what is protected by attorney-client privilege
Messages to counsel seeking legal advice should make clear that the person is seeking legal advice & the lawyer’s professional opinion about whether there is a breach and if the breach is notifiable or causes any regulatory obligations
38. Joint Defense Agreements
Consideration for SaaS and cloud environments: if joint investigations are done with a provider or partner, a Joint Defense Agreement should be in place; these are used where parties share a common interest in a legal matter, so that sharing privileged information between them doesn’t waive the privilege. Schaeffler v. United States, 806 F.3d 34, 40 (2d Cir. 2015)
39. Are we going to monitor ongoing suspicious activity?
Is it on our servers? (there are CFAA and ECPA concerns otherwise)
Is it reasonable to allow intruders to remain in the network in this case?
When should we engage law enforcement?
40. Interviewing employees and contractors
Often having outside counsel conduct interviews offers the strongest protections if you are concerned about interview notes being discoverable
41. LOGS
Please log things. Please pick a time zone. Please only put things in the report supported by the logs or other evidence.
42. Reports
These should contain a timeline of the breach, the cause, and evidence artifacts supporting the timeline and cause.
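The logging slides ("make sure all your logs are logging in the same time zone", "check your retention") and the LOGS and Reports slides describe one procedure: normalise every source to one clock, build a timeline in which each entry is tied to the artifact that supports it, and find out before the incident which sources will have aged out by the time you are investigating. Here is an added example of that procedure in Python (3.9+ for zoneinfo); it is not code from the talk. All log lines, the source names, the assumption that the VPN appliance logs naive Pacific local time, the discovery date and the retention figures are constructed for illustration.

```python
"""Normalize log timestamps from several sources to UTC, build an evidence-backed
timeline, and check whether each source's retention still reaches back to the
earliest event at the time the incident was discovered.

Added example for this page. Every log line, source name and retention figure
below is constructed for illustration, not taken from a real incident."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample lines. Each source writes time differently:
#   firewall  - ISO 8601 with an explicit UTC offset
#   webserver - Apache-style local time, zone given in the line
#   edr       - Unix epoch seconds (always UTC)
#   vpn       - naive local time, zone NOT in the line (must come from config)
SAMPLE_LOGS = {
    "firewall": [
        "2019-01-10T03:14:07-05:00 DENY src=198.51.100.23 dst=10.0.0.5 dport=445",
        "2019-01-10T03:14:09-05:00 ALLOW src=198.51.100.23 dst=10.0.0.5 dport=443",
    ],
    "webserver": [
        '10.0.0.5 - - [10/Jan/2019:08:14:10 +0000] "POST /upload HTTP/1.1" 200 512',
    ],
    "edr": [
        "1547108052 host=web01 event=process_create image=cmd.exe parent=w3wp.exe",
    ],
    "vpn": [
        "2019-01-10 00:10:01 user=jdoe action=login src=198.51.100.23",
    ],
}

# Assumption: the VPN appliance logs in Pacific local time. Sources whose lines
# carry no zone and have no entry here are rejected rather than guessed.
SOURCE_TZ = {"vpn": ZoneInfo("America/Los_Angeles")}

# Constructed retention policy in days (the talk's "HTTPS logs kept 48 hours").
RETENTION_DAYS = {"firewall": 90, "webserver": 2, "edr": 365, "vpn": 30}


@dataclass(order=True)
class Event:
    ts_utc: datetime   # first field, so sorted(events) orders by UTC time
    source: str
    raw: str           # the artifact that supports this timeline entry


def parse_line(source: str, line: str) -> Event:
    """Extract the timestamp in the source's own format and convert it to UTC."""
    if source == "firewall":
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
    elif source == "webserver":
        stamp = line[line.index("[") + 1 : line.index("]")]
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    elif source == "edr":
        ts = datetime.fromtimestamp(int(line.split(" ", 1)[0]), tz=timezone.utc)
    else:
        # "YYYY-MM-DD HH:MM:SS" with no zone: attach the configured one, or refuse.
        zone = SOURCE_TZ.get(source)
        if zone is None:
            raise ValueError(f"{source}: no zone in line and none configured")
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
    return Event(ts.astimezone(timezone.utc), source, line)


def build_timeline(logs: dict) -> list:
    """One sorted UTC timeline across all sources, each entry tied to its raw line."""
    return sorted(parse_line(src, ln) for src, lines in logs.items() for ln in lines)


def retention_gaps(timeline: list, discovered_utc: datetime, retention_days: dict) -> dict:
    """Sources whose retention window, counted back from discovery, does not reach
    the earliest event. Value = whole days of relevant evidence already lost."""
    first = timeline[0].ts_utc
    gaps = {}
    for source, days in retention_days.items():
        oldest_kept = discovered_utc - timedelta(days=days)
        if oldest_kept > first:
            gaps[source] = (oldest_kept - first).days
    return gaps


def analyze(logs: dict, discovered_utc_iso: str, retention_days: dict):
    """Timeline plus retention check for an incident discovered at the given UTC time."""
    timeline = build_timeline(logs)
    discovered = datetime.fromisoformat(discovered_utc_iso)
    return timeline, retention_gaps(timeline, discovered, retention_days)


if __name__ == "__main__":
    # Breach on 10 Jan, discovered three months later (constructed dates).
    timeline, gaps = analyze(SAMPLE_LOGS, "2019-04-10T00:00:00+00:00", RETENTION_DAYS)
    for ev in timeline:
        print(f"{ev.ts_utc.isoformat()}  {ev.source:<9}  {ev.raw}")
    for source, lost in gaps.items():
        print(f"retention gap: {source} would have lost {lost} days of relevant logs")
```

Two design points matter for a report that has to survive scrutiny: a line whose zone is neither in the line nor in configuration is rejected instead of assumed, because a silently wrong offset reorders the timeline; and every entry keeps its raw line, so each timeline row cites the artifact behind it. In the constructed data the two-day webserver retention and the thirty-day VPN retention both fall short of the first event, which is the situation the talk describes.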
43. What happens if you share a lot of the findings of the report in your response to a court case?
If you share too much, you may destroy privilege in the rest of the report. ‘Litigants cannot hide behind the privilege if they are relying on privileged communications to make their case’ or, more simply, cannot use the privilege as ‘a shield and a sword.’ In re United Shore Fin. Servs., LLC, 2018 BL 1881 (6th Cir. 2018)
45. Takeaways
1. Create a plan
2. Retain a lawyer
3. Set up communications channels
4. Log all the things
5. Secure evidence
6. Communications with your lawyer are seeking legal advice
7. Follow directions of the attorney you hired
I’m a software developer who burned out and went to law school, where I did a concentration in National Security Law. I did a fellowship at ZwillGen here in DC, where I helped with some incident response work from the legal side, and I’m now a Senior Security advisor at Leviathan. So although I am a lawyer, this isn’t legal advice!
Uber v Waymo trial - navigating attorney-client privilege protections can be hard, and doesn’t always succeed
This tweet from Sarah Jeong is from the Uber v Waymo trial. It was referring to the attempt to protect a forensics report in that trial. Stroz Friedberg did some forensics on some devices, and the opposing side wanted to access information from their work. As this shows, navigating attorney-client privilege protections can be hard, and doesn’t always succeed.
So we’re going to walk through some ways to work with attorneys during a security incident and where you might and might not be able to rely on privilege.
So let’s start with what’s at risk
https://www.flickr.com/photos/clevrcat/35356290074
Reports with sensitive information about security measures
There are various types of reports about computer security that a company might have generated: advisory, pen test reports, etc. But also incident response reports. Each of these has very sensitive information about the company’s security measures, and should be treated as highly confidential.
https://www.flickr.com/photos/thomashawk/15778289832
Consumers file suit
So why worry about protecting them?
Because oftentimes consumers or other parties will file suit after a data breach, and will seek to access IR reports help prove some theory of liability or to explain what happened. Sometimes people believe that a report might hint at what the company knew before the breach.
https://www.flickr.com/photos/_zahira_/4089508430
What attorney-client privilege is, why you’d want to use it, what needs to happen to invoke it
So sometimes in a trial, companies will seek to protect information under the cover of attorney-client privilege. But as we just saw in Sarah’s tweet, that sometimes fails.
In this talk we’re going to look at what the attorney-client privilege is, why you’d want to try to use it, and what needs to happen to invoke the privilege
https://www.flickr.com/photos/36350735@N05/8204480370/
part of the civil trial process - each side shares information with their opponent.
occurs before the courtroom arguments.
It’s meant to help courts with a thorough and transparent inquiry into a matter, although these days it also means that trials are often won or lost in discovery fights.
not everything that’s discoverable can be used as evidence in a trial - you can seek discovery of related things that might lead you to things that are admissible.
Information that’s discoverable is information that’s “relevant” to the dispute. But not everything that’s discoverable can be used as evidence in a trial and relied on in the courtroom to make your argument. Instead, sometimes you
Yes, confidential - but discoverable - protective orders
Information in IR reports, or pen tests, is highly sensitive and confidential. But confidential information is discoverable - the courts can issue a protective order to keep the general public from learning it, but the other side is entitled to know the information if it’s relevant.
https://www.flickr.com/photos/neliofilipe/6097881969
Communications with lawyers are shielded
Not all information is discoverable. Any communications with your lawyers, for example, are shielded from discovery by the attorney-client privilege
invisibility cloak
Probably most of you have heard of this - what you tell your lawyer is protected from disclosure to the other side. You probably think it’s like a giant invisibility cloak covering all your conversations. This privilege protects information that is private to you and your lawyer from discovery by the opposing side in a trial
But there’s more!
There are two other related privileges that are even more important in incident response.
notes that an attorney takes, drafts of trial filings
If an attorney’s notes are the sole record of a particular event, then the other side MIGHT be able to get a copy of them, but it’s very rare. Opinions, thoughts, and other preparatory work are generally not discoverable.
very relevant - consultant is NOT expected to be called as an expert witness in the trial - translator
This one is very relevant - if your lawyer hires a technical consultant to work with them, but the consultant is NOT expected to be called as an expert witness in the trial, then the work is protected under this privilege. Note that this has to be someone that the lawyer hires, and who does work in anticipation of litigation, not just for the business as part of their regular job.
https://www.theexpertinstitute.com/is-the-work-of-a-consulting-non-testifying-expert-subject-to-privilege/
not everything is protected - there’s a Crime-fraud exception
Now we’re experts
take a look at working with lawyers on a security incident
Regulations, risk
You might ask why you’d want to involve lawyers in handling security incidents to begin with, but they’re very helpful when you have to deal with understanding really boring regulations and laws.
Also experts in risk!
HIPAA: covered entities notify individuals when breach of unsecured health information
has very specific requirements about notification
For example, HIPAA has very specific requirements around breaches - the HIPAA breach notification rule requires covered entities and business associates to notify individuals when there’s a breach of unsecured health information, and has very specific requirements about what the notification must include
https://www.flickr.com/photos/tamasmatusik/12996154324
GDPR’s Article 33 -notification to a supervisory authority in 72 hours
state regulations like NYDFS notification timelines
CCPA - California Consumer Privacy Act: supplements Data Breach Notification Law with a private right of action
HIPAA: requires HIPAA covered entities & business associates to provide notification following a breach of unsecured protected health information
The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the protected health information or to whom the disclosure was made;
Whether the protected health information was actually acquired or viewed; and
The extent to which the risk to the protected health information has been mitigated.
GDPR: Article 33, “controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority”
https://www.flickr.com/photos/thomashawk/6265368346/
Before you have a security incident is the best time to get your house in order
Plan
Retain lawyer
Comms channels
Insurance policies
https://www.flickr.com/photos/thomashawk/12624808043
IR expert on engaging IR firms and things to do
TTX -> Tabletop exercises
Engaging lawyer early; help draft policies; familiar with business; help with tabletops: understand how and when to engage them and how to work together
Often, it’s very helpful to have an existing relationship with an attorney who can help you with other things, like drafting privacy policies, so they are familiar with your business and you feel comfortable working with them.
And when your company conducts tabletop exercises, the lawyer should be involved so that all involved understand how and when to engage them and how to work together.
https://www.flickr.com/photos/mr_t_in_dc/3756880888
In house counsel really familiar with your business
But also advising on business matters as well as giving legal opinions
- especially with someone like a product counsel who is embedded in a team.
And this can be a problem in a security incident.
https://www.flickr.com/photos/thomashawk/7268347278
Make clear legal v general business advice
In house counsel should make clear when they’re giving legal advice, as opposed to general business advice. Legal advice, when they are acting as the firm’s lawyer, is protected by the attorney-client privilege. But business advice isn’t.
Courts use a “primary purpose test” - asking, was the communication mostly about giving legal advice? If so, it’s more likely to be considered privileged. But it can get very fuzzy, so there are things you can do to make a clearer signal for very sensitive information.
https://www.flickr.com/photos/isonic/8434544997
Labeling Privileged & Confidential on some not all
where a legal opinion is given, rather than on ALL emails, is one way to try to help protect the information in the email. It can be a signal to the court that this email is meant to be attorney-client communication & privileged.
Review Logging
Time zones
Review cloud settings
Retention of logs
HTTPS logs being kept only 48 hours in a breach found 3 months later
https://www.flickr.com/photos/thomashawk/12624808043
Jake on visibility
Set of policies for when you will engage lawyer:
discuss the GDPR 72 hour notification rule, CCPA, NYDFS, state data breach notification laws
other factors that play into the timeline
figure out which of these apply to you and so what the relevant drivers for disclosure are
https://www.flickr.com/photos/awphoto/16446807260
Should your attorney engage an IR firm? Yes, to have the most protection, your outside counsel should be the one engaging the firm.
https://www.flickr.com/photos/wecand/4862594210
Attorney should direct the investigation - purpose to give them legal advice: acting as a translator
limit distribution of information to non‐attorneys on a need‐to‐know basis
in tension with getting your whole team involved in eradicating the problem
Target case showed: team fixing issue, and another working with lawyer to advise
If you’re seeking to protect the information, make sure that everyone is instructed to limit distribution of information to non‐attorneys on a need‐to‐know basis.
This can obviously be in tension with getting your whole team involved in eradicating the problem and finding a root cause, so you should consider before the incident begins what strategy you’ll be following.
One way courts say you can get around this is to have an internal team working on fixing the problem, and a second, parallel investigation running under the direction of counsel that is seeking to determine what happened that seeks to protection of privilege.
https://www.flickr.com/photos/mywalkabout/2593530608
Engagement letter: state in anticipation of legal proceedings
In Visa case: “extraordinary circumstances” - Stroz applying specialized knowledge
Calling them fact witness was inappropriate
When you hire outside counsel or have them hire a forensics firm, the engagement letter should state that the work is in anticipation of legal proceedings or some similar wording.
Visa must establish extraordinary circumstances for this discovery. As to Visa’s characterization of discovery of Stroz as fact discovery, in the Court’s view, the Stroz representative would necessarily be applying his or her specialized knowledge. Thus, Visa’s characterization of its Stroz discovery requests as involving a fact witness is inappropriate. To accept that characterization would effectively eviscerate and undermine the core purpose of Fed. R. Civ. P. 26(b)(4)(D). This Genesco objection is sustained.
https://www.flickr.com/photos/paolobarzman/6353143069
Get IR team & communications channel going
Secure evidence, follow direction of lawyer & IR firm
Follow lawyer advice on engaging with LE
https://www.flickr.com/photos/wocintechchat/25392526603
Following advice about gathering and securing evidence such as logs, emails, chats, etc
https://www.flickr.com/photos/byzantiumbooks/14588963713/
Emails to counsel: frame as asking legal advice / professional opinion
Discovery tools can exclude based on these terms
Any time you email your in house or external counsel, you should frame it as asking for legal advice or their professional opinion. Communications with these phrases in them can be marked privileged and excluded from discovery. Discovery tools like Relativity will do a search for phrases like this and mark them in a batch for lawyers to exclude from discovery relevance review.
If they do go for further review, this is a strong signal that the communication is privileged and should be protected.
https://www.flickr.com/photos/byzantiumbooks/14588963713/
Close partner: Joint Defense Agreement
Exception to rule that disclosing to others breaks attorney-client priv
If you’re concerned that a suit might be filed both against you and some close partner, you may want to consider crafting a Joint Defense Agreement. These provide an exception to the rule that disclosure to a third party destroys the attorney-client privilege: because you have a common legal goal, you can share information.
https://www.flickr.com/photos/rafa2010/8940019556
Follow advice on monitoring - allow intruders to remain so you can investigate & ensure you have everything when you act to remove them
You should also follow the direction of your counsel when considering how to respond to the breach. For instance, you may want to allow intruders to remain on a network so that you can monitor their activity and make sure that you can fully contain it when you respond. But there may be legal implications to following this path.
https://www.flickr.com/photos/73014677@N05/6896177621
Interviews: outside counsel greater protection
During an investigation, employees and contractors may need to be interviewed. Having an outside counsel attorney do the interviews will help to protect the interview notes from disclosure.
https://www.flickr.com/photos/134398826@N08
Log considerations: timezones.
Check what you have logged before incident
Use logs to generate timelines in report, support COEs
https://www.flickr.com/photos/sparkfun/6808622369/
Deliver report to counsel directing investigations
They should ask for clarifications etc
When the forensics firm drafts the report, it should have all this information in it, and it should be delivered to the attorney overseeing the investigation, who should be the one seeking edits and clarifications. Especially if there’s information about remediations, which you want to protect so that opposing counsel doesn’t say that you were negligent in not implementing them earlier
https://www.flickr.com/photos/sparkfun/6808622369/
Disclosing too much can destroy privilege
These reports are very sensitive, and if not protected as attorney work product can be discoverable by opposing parties in litigation
https://www.flickr.com/photos/christopherf/8662091067
Review some actionable advice around security incidents
Before you have a security incident is the best time to get your house in order
https://www.flickr.com/photos/tortured_artist_squee/3847546996