Guest Post: Neil Jacobs (deals with cyber law stuff)
Many companies engage their pen testing companies through their lawyers, ie, the lawyers themselves actually engage the pentester (and not the client), and the lawyers provide the pen test results to the client usually via a report. The thinking behind this is that doing so will “cloak” the test results with attorney-client confidentiality (because the pentest report was given to the client by the lawyer, not by the pentester directly) and thus make them not discoverable in litigation. There are several reasons to consider when using this approach, it may be a problem!
To understand why, it’s necessary to get a bit “into the weeds” with respect to what the attorney-client relationship covers and what it doesn’t. The so-called “attorney-client privilege” has two components, first, the obligation of confidentiality that a lawyer has with respect to client communications (eg, if a client tells a lawyer some fact in confidence, the lawyer may not, as a general matter, divulge that fact to anyone outside their office), and second, a litigation privilege that covers attorney-client communications, attorney work product and certain other client-related materials. Both aspects of this privilege have, as their objective, the goal of protecting free and open communication between a client and lawyer so that the client can get the best possible advice. In other words, the policy behind the privilege is to augment/favor legal advice, and the question of whether a communication is indeed privileged will depend on its relationship to the rendering of legal advice. That’s where the pentest situation lies.
When an entity has the pentest contracted for by an attorney, the question of whether privilege attaches to that attorney’s communication of the results to the client is directly and substantially tied in to the actual rendition of legal services. If a lawyer receives the result of the pentest, and passes it on to the client with a cursory “here it is”, without providing additional legal advice, the likelihood of attorney-client privilege actually attaching to that communication is slim even if it is so marked. The degree to which legal advice is given around the test results will determine if privilege attaches. This determination is very fact-specific and is not automatic. Even denominating the results with an “attorney-client privileged communication” advisory may not be enough to attach the privilege if, in reality, little or no legal advice is actually given.
For example, in the case of Wengui v Clark Hill (2021) Wengui was a Chinese dissident who hired Clark Hill to get him asylum in the UDS. Clark Hill was hacked shortly afterward in what was seen as a targeted attack by the Chinese government. Wengui’s asylum application was then disclosed online. Wengui filed suit against Clark Hill for failing to protect his data. Clark Hill engaged a security consultant to understand “what happened” but refused to turn over the consultant’s report in the litigation with Wengui, claiming attorney-client privilege. The judge disagreed and forced Clark Hill to turn it over, saying, among other things, that discovering how a cyberattack occurred is a normal business function that would take place regardless of the existence of litigation.
Similarly, in Capital One Consumer Data Security Breach Litigation (2020), Capital One had retained a security consultant on a regular basis since 2015. After a major data breach, Capital One instructed its outside law firm to engage the same consultant to produce a “special report” on this data breach. The consultant produced the report to the law firm, which in turn produced it to Capital One. The plaintiffs in the lawsuit sought to obtain the report, and Capital One objected on the grounds of attorney-client relations. Again, the judge denied that claim, looking carefully at where the special report was budgeted (under “cyber expense”, not “legal”), the degree to which the law firm did or did not take the lead in heading the investigation (not enough) stating that the doctrine does not protect documents that would have been created in essentially similar form regardless of the litigation, ie, pursuant to an agreement that Capital One had had in place with its security consultant for years before the breach.
So in conclusion: The attorney client privilege is narrower than most companies think. Take proper and full legal advice before acting.
The above does not constitute legal advice but rather the opinions of the author. Reading the within post does not create any attorney-client relationship between the author and readers. Please take individual legal advice for your situation.
From the IncludeSec team, we wanted to thank Neil for his external insight on this subject! (https://www.nijlaw.com/)